From: Steve Langasek (vorlonnetexpress.net)
Date: Wed Feb 14 2001 - 21:56:55 CST

    Cc:ed to the main PAM discussion list.

    On 14 Feb 2001, seph wrote:

    > I've been trying to get mod_auth_pam to work on my system, and have
    > come against a wall... I can get apache to authenticate as the user
    > it's running as, but not as any other user. apache is able to read my
    > /etc/shadow file.

    > my understanding is that pam doesn't allow non root users to do useful
    > stuff, so apache's mod_auth_pam is unable to authenticate users other
    > than itself.

    PAM itself doesn't place any such restrictions on what you can do. In fact,
    the pam_unix module includes a helper binary which allows programs that
    otherwise couldn't do any authentication against the shadow file to do limited
    authentication. If Apache can access the shadow file, then this helper binary
    isn't necessary, and mod_auth_pam should work without it.

    > if pam has this problem, and I don't want to run apache as root, is
    > mod_auth_pam useful, or am I stuck hacking around with
    > mod_auth_external?

    Again, this isn't a PAM problem, this is a function of the Unix security
    design. Programs that can't access the shadow file can't do shadow-based
    authentication, with or without PAM.

    For various reasons, you may find mod_auth_external easier to work with;
    mod_auth_pam is not a panacea. But it should be able to do what you're asking
    for here.

    Steve Langasek
    postmodern programmer

    _______________________________________________
    Pam-list mailing list
    Pam-listredhat.com
    https://listman.redhat.com/mailman/listinfo/pam-list
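
The distinction drawn in the reply above (direct shadow access versus the pam_unix helper binary) can be checked for a given service account with the following added example, which is not part of the original message. The helper path `/sbin/unix_chkpwd`, the sample uid/gid values, and the "self-only" label (Linux-PAM's helper lets a non-root caller verify only its own password) are assumptions of this sketch.

```python
import os
import stat
from types import SimpleNamespace

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
EXEC = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def allowed(st, uid, gids, bits):
    """Owner/group/other check for a non-root caller.
    ACLs, capabilities and MAC policy (e.g. SELinux) are not modelled."""
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def auth_scope(shadow, helper, uid, gids):
    """Which accounts can pam_unix verify for a process with this uid/gids?
    shadow/helper are stat results; helper is None if the binary is absent."""
    if uid == 0 or allowed(shadow, uid, gids, READ):
        return "any-user"      # process reads the shadow file itself
    if (helper is not None
            and helper.st_mode & (stat.S_ISUID | stat.S_ISGID)
            and allowed(helper, uid, gids, EXEC)):
        return "self-only"     # privileged helper checks the caller's own password
    return "none"              # no route to the password hashes

def diagnose(uid, gids, shadow_path="/etc/shadow",
             helper_path="/sbin/unix_chkpwd"):  # helper path is an assumption
    """Stat the real files; stat() does not need read access to the file."""
    shadow = os.stat(shadow_path)
    try:
        helper = os.stat(helper_path)
    except FileNotFoundError:
        helper = None
    return auth_scope(shadow, helper, uid, gids)

# Constructed sample metadata: shadow root:gid 42 mode 0640, helper setuid root 4755.
SHADOW_SAMPLE = SimpleNamespace(st_mode=0o100640, st_uid=0, st_gid=42)
HELPER_SAMPLE = SimpleNamespace(st_mode=0o104755, st_uid=0, st_gid=0)

if __name__ == "__main__":
    # Run as the web server's account to see what mod_auth_pam can expect.
    print(diagnose(os.getuid(), set(os.getgroups()) | {os.getgid()}))
```

A result of "any-user" for the web server's account confirms the shadow file is readable to it, so a failure to authenticate other users lies elsewhere in the configuration.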