From: Steve Langasek (vorlonnetexpress.net)
Date: Mon Feb 19 2001 - 21:30:04 CST

    Hi Roger,

    Quoting Roger Dunk <rogerat.com.au>:

    > I have tracked down the problem I was having with Apache and PAM not
    > working as they should. It appears that unless a particular application is
    > running as root, pam_pwdb (or pam_unix etc) won't authenticate as they don't
    > have access to read /etc/shadow. If I chmod o+r /etc/shadow it works as
    > expected.
    > There is no way I am going to run httpd as root, so what is the solution?

    This is the point at which network-oriented password databases become very
    useful. How can you give the httpd process access to the shadow file without
    introducing the possibility that some user script, or some remote exploit, will
    use that access to harvest your passwords? The only real way to address that
    security concern is by sticking something in between your program and your
    passwords which spits back nothing more than a yes-or-no answer. Some modules,
    such as pam_krb5 and pam_smb, talk to password back-ends that do exactly that.
    Others, such as pam_unix or pam_pwdb, can do this to a very limited degree.

    > FWIW, until I installed a new copy of the pam libs, everything worked fine.
    > I also assumed that if I used pam_unix.so and gave /sbin/unix_chkpwd +s
    > file privileges, it would be able to properly read /etc/shadow. But again,
    > this doesn't seem to work. What do I have to do so that /etc/shadow doesn't
    > have to be world readable?

    Yes, unix_chkpwd is written such that the only password it will verify for a
    given process is that of the user matching the uid of that process. Shipping
    anything else as the default behavior would be insecure, and a disservice to the
    users of libpam. Still, unix_chkpwd is a fairly simple program, and an even
    simpler replacement could be made by ripping out most of the security checks.

    This question comes up often enough that I've considered writing a number of
    unix_chkpwd variants that could be shipped with Linux-PAM (but not enabled by
    default!). I'm still not sure if this is a good idea, or if it's just inviting
    trouble when admins start using that functionality without examining the
    security implications...

    Steve Langasek
    postmodern programmer
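The uid-matching rule Steve describes above, modelled as an added example; this is not code from the original thread or from Linux-PAM's unix_chkpwd. The account table, the uid 48 for the httpd user, the shadow line and the function names are all constructed assumptions.

```c
/* Added example, not code from the original thread: models the uid-matching
 * rule unix_chkpwd applies before checking a password. The account table and
 * shadow line below are constructed test data, not from any real system. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
enum decision { CHK_ALLOW = 0, CHK_DENY_UID = 1, CHK_DENY_UNKNOWN = 2 };
struct account { const char *name; uid_t uid; };
/* Constructed passwd-style table; "apache" is the unprivileged httpd user. */
static const struct account ACCOUNTS[] = {
    { "root", 0 }, { "apache", 48 }, { "alice", 1000 }, { "bob", 1001 } };

static int lookup_uid(const char *user, uid_t *out)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, user) == 0) { *out = ACCOUNTS[i].uid; return 1; }
    return 0;
}

/* The rule described in the reply: a helper run by a process with uid CALLER
 * may verify USER's password only if CALLER is root or is that same user. */
enum decision chkpwd_policy(uid_t caller, const char *user)
{
    uid_t target;
    if (!lookup_uid(user, &target)) return CHK_DENY_UNKNOWN;
    return (caller == 0 || caller == target) ? CHK_ALLOW : CHK_DENY_UID;
}

/* Copy the hash (second colon-separated field) of a shadow(5) line into OUT.
 * Read only after chkpwd_policy() allowed the request; the caller gets a
 * yes/no answer, never this field. Returns 0 if the line is malformed. */
int shadow_hash_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (!start) return 0;
    const char *end = strchr(++start, ':');
    if (!end || (size_t)(end - start) + 1 > outlen) return 0;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 1;
}

int main(void)
{   /* constructed shadow entry; the hash is a placeholder, not a real digest */
    const char *line = "alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:99999:7:::";
    char hash[128];
    printf("httpd (uid 48) -> alice: %d  (1 = denied, uid mismatch)\n", chkpwd_policy(48, "alice"));
    printf("alice (uid 1000) -> alice: %d  (0 = allowed)\n", chkpwd_policy(1000, "alice"));
    if (shadow_hash_field(line, hash, sizeof hash)) printf("hash field: %zu chars, kept inside the helper\n", strlen(hash));
    return 0;
}
```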

    _______________________________________________
    Pam-list mailing list
    Pam-listredhat.com
    https://listman.redhat.com/mailman/listinfo/pam-list