| 1 |
On Sat, 15 Nov 2008 06:45:54 +0000 |
| 2 |
Stroller <stroller@××××××××××××××××××.uk> wrote: |
| 3 |
|
| 4 |
> |
| 5 |
> On 15 Nov 2008, at 00:57, Michael Higgins wrote: |
| 6 |
> > ... |
| 7 |
> > An application runs as a web server. In this application I have |
| 8 |
> > hooks to PAM. The results I was getting from attempting to |
| 9 |
> > authorize against PAM were fruitless, until I looked at making a |
| 10 |
> > way for the user running this to read /etc/shadow. |
| 11 |
> > |
| 12 |
> > At any rate, I wound up making a group "shadow" and making /etc/ |
| 13 |
> > shadow owned by group shadow and group-readable, adding my user to |
| 14 |
> > this group. Now it works great. |
| 15 |
> > |
| 16 |
> > Isn't this something Gentoo should have a mechanism for handling |
| 17 |
> > already, or am I totally off the mark here? Does anyone know if |
| 18 |
> > this ability to read /etc/shadow to authenticate on a system is |
| 19 |
> > somehow deprecated in favor of something else, or just overlooked |
| 20 |
> > in Gentoo land... or what? '-) |
| 21 |
> |
| 22 |
> Isn't this depreciated in favour of PAM? |
| 23 |
|
| 24 |
Well, my point was to use PAM. But, it would seem my regular user needs higher privileges for this. |
| 25 |
|
| 26 |
> I think you want to be |
| 27 |
> looking at why that wasn't working & at fixing it. |
| 28 |
|
| 29 |
It wasn't working, to all appearances, because my user didn't have permission to read /etc/shadow. I didn't write the PAM hook code, just observing results of trying to use it. '-) |
| 30 |
|
| 31 |
> What if an |
| 32 |
> administrator wants to install your app on a system where users |
| 33 |
> authenticate against LDAP? |
| 34 |
|
| 35 |
They'd use an LDAP hook and probably wouldn't have this problem. '-) |
| 36 |
|
| 37 |
> |
| 38 |
> Sorry to sound negative, but there must be some books / HOWTOs about |
| 39 |
> PAM which show minimal programming examples. I'd copy one of those |
| 40 |
> and see why it won't work on your system or how your code differs. |
| 41 |
> |
| 42 |
|
| 43 |
Ah, as I said, the code with the hook is not mine. I'm just observing the behavior of using the code, and all experiments show that giving the user permission to read /etc/shadow is the fix. |
| 44 |
|
| 45 |
Other distros _seem_ to include a group to allow use of PAM by arbitrary users added to this group. Unfortunately, I don't run any other distros so to be able to confirm or deny this. (Was hoping someone else might.) |
| 46 |
|
| 47 |
If I can get some feeling as to why Gentoo *doesn't* include this group, it would inform my reply to the maintainer of the PAM hook code. |
| 48 |
|
| 49 |
In other words, if the PAM suite was modified at some point to provide access to the needed information without superuser privileges, I'd need to have some references to this fact. I've not found any. :( |
| 50 |
|
| 51 |
Rather, it seemed from posts about several other similar problems solved that in other distros a 'shadow' group has been created and the perms to /etc/shadow modified to allow reading by this group. Maybe filing a bug report would get me some Gentoo reasoning for why this isn't in place already, but I wanted to grab a sanity check here first. '-) |
| 52 |
|
| 53 |
Thanks! |
| 54 |
|
| 55 |
Cheers, |
| 56 |
|
| 57 |
-- |
| 58 |
|\ /| | | ~ ~ |
| 59 |
| \/ | |---| `|` ? |
| 60 |
| |ichael | |iggins \^ / |
| 61 |
michael.higgins[at]evolone[dot]org |
Archives