* [gentoo-user] [OT?] /etc/shadow perms group shadow?
@ 2008-11-15 0:57 Michael Higgins
From: Michael Higgins @ 2008-11-15 0:57 UTC
To: gentoo-user
I have a question which may or may not be Gentoo-specific, but here goes:
An application runs as a web server. In this application I have hooks to PAM. The results I was getting from attempting to authorize against PAM were fruitless, until I looked at making a way for the user running this to read /etc/shadow.
At any rate, I wound up making a group "shadow" and making /etc/shadow owned by group shadow and group-readable, adding my user to this group. Now it works great.
Isn't this something Gentoo should have a mechanism for handling already, or am I totally off the mark here? Does anyone know if this ability to read /etc/shadow to authenticate on a system is somehow deprecated in favor of something else, or just overlooked in Gentoo land... or what? '-)
Cheers,
--
michael.higgins[at]evolone[dot]org
* Re: [gentoo-user] [OT?] /etc/shadow perms group shadow?
From: Michele Schiavo @ 2008-11-15 1:01 UTC
To: gentoo-user
/etc/sudoers ??
On Fri, 14/11/2008 at 16.57 -0800, Michael Higgins wrote:
> In this application I have hooks to PAM. The results I was getting
> from attempting to authorize against PAM were fruitless, until I
> looked at making a way for the user running this to read /etc/shadow.
* Re: [gentoo-user] [OT?] /etc/shadow perms group shadow?
From: Stroller @ 2008-11-15 6:45 UTC
To: gentoo-user
On 15 Nov 2008, at 00:57, Michael Higgins wrote:
> ...
> An application runs as a web server. In this application I have
> hooks to PAM. The results I was getting from attempting to authorize
> against PAM were fruitless, until I looked at making a way for the
> user running this to read /etc/shadow.
>
> At any rate, I wound up making a group "shadow" and making /etc/
> shadow owned by group shadow and group-readable, adding my user to
> this group. Now it works great.
>
> Isn't this something Gentoo should have a mechanism for handling
> already, or am I totally off the mark here? Does anyone know if this
> ability to read /etc/shadow to authenticate on a system is somehow
> deprecated in favor of something else, or just overlooked in Gentoo
> land... or what? '-)
Isn't this deprecated in favour of PAM? I think you want to be
looking at why that wasn't working & at fixing it. What if an
administrator wants to install your app on a system where users
authenticate against LDAP?
Sorry to sound negative, but there must be some books / HOWTOs about
PAM which show minimal programming examples. I'd copy one of those and
see why it won't work on your system or how your code differs.
Stroller.
* Re: [gentoo-user] [OT?] /etc/shadow perms group shadow?
From: Michael Higgins @ 2008-11-16 17:24 UTC
To: gentoo-user
On Sat, 15 Nov 2008 02:01:54 +0100
Michele Schiavo <gentoo@micheleschiavo.it> wrote:
> /etc/sudoers ??
>
I think I'm trying to avoid running under sudo. Yes, that works, but must have other security implications?
In researching the problem, the workaround I posted was cribbed from other distros which have a 'shadow' group. This is why I posted here, to see if this is common (as I now suspect), why isn't it used in Gentoo? A decision must have been made at some point?
Ultimately, the apache:apache user will be running this code. I expect to have to add apache to the group shadow to be able to use the app. I don't want apache in the sudoers file, nor do I think it'd solve the problem, since my user is in the sudoers file but only can access /etc/shadow when running under sudo. I don't see this as a way to launch my webserver..??
I admit I'm flying in the dark, as is usual. I could be totally wrong.
Thanks for the input, though!
Cheers,
* Re: [gentoo-user] [OT?] /etc/shadow perms group shadow?
From: Michael Higgins @ 2008-11-16 17:39 UTC
To: gentoo-user
On Sat, 15 Nov 2008 06:45:54 +0000
Stroller <stroller@stellar.eclipse.co.uk> wrote:
>
> On 15 Nov 2008, at 00:57, Michael Higgins wrote:
> > ...
> > An application runs as a web server. In this application I have
> > hooks to PAM. The results I was getting from attempting to
> > authorize against PAM were fruitless, until I looked at making a
> > way for the user running this to read /etc/shadow.
> >
> > At any rate, I wound up making a group "shadow" and making /etc/
> > shadow owned by group shadow and group-readable, adding my user to
> > this group. Now it works great.
> >
> > Isn't this something Gentoo should have a mechanism for handling
> > already, or am I totally off the mark here? Does anyone know if
> > this ability to read /etc/shadow to authenticate on a system is
> > somehow deprecated in favor of something else, or just overlooked
> > in Gentoo land... or what? '-)
>
> Isn't this deprecated in favour of PAM?
Well, my point was to use PAM. But, it would seem my regular user needs higher privileges for this.
> I think you want to be
> looking at why that wasn't working & at fixing it.
It wasn't working, to all appearances, because my user didn't have permission to read /etc/shadow. I didn't write the PAM hook code, just observing results of trying to use it. '-)
> What if an
> administrator wants to install your app on a system where users
> authenticate against LDAP?
They'd use an LDAP hook and probably wouldn't have this problem. '-)
>
> Sorry to sound negative, but there must be some books / HOWTOs about
> PAM which show minimal programming examples. I'd copy one of those
> and see why it won't work on your system or how your code differs.
>
Ah, as I said, the code with the hook is not mine. I'm just observing the behavior of using the code, and all experiments show that giving the user permission to read /etc/shadow is the fix.
Other distros _seem_ to include a group to allow use of PAM by arbitrary users added to this group. Unfortunately, I don't run any other distros so to be able to confirm or deny this. (Was hoping someone else might.)
If I can get some feeling as to why Gentoo *doesn't* include this group, it would inform my reply to the maintainer of the PAM hook code.
In other words, if the PAM suite was modified at some point to provide access to the needed information without superuser privileges, I'd need to have some references to this fact. I've not found any. :(
Rather, it seemed from posts about several other similar problems solved that in other distros a 'shadow' group has been created and the perms to /etc/shadow modified to allow reading by this group. Maybe filing a bug report would get me some Gentoo reasoning for why this isn't in place already, but I wanted to grab a sanity check here first. '-)
Thanks!
Cheers,
* Re: [gentoo-user] [OT?] /etc/shadow perms group shadow?
From: Dirk Heinrichs @ 2008-11-16 18:56 UTC
To: gentoo-user
On Sunday, 16 November 2008 18:24:17, Michael Higgins wrote:
> On Sat, 15 Nov 2008 02:01:54 +0100
>
> Michele Schiavo <gentoo@micheleschiavo.it> wrote:
> > /etc/sudoers ??
>
> I think I'm trying to avoid running under sudo. Yes, that works, but must
> have other security implications?
Which ones? You know that you can restrict what users can do under sudo in a
very fine-grained manner (for example: user johndoe can run /bin/ls as user
root, but only with options -l and -a).
> In researching the problem, the workaround I posted was cribbed from other
> distros which have a 'shadow' group. This is why I posted here, to see if
> this is common (as I now suspect), why isn't it used in Gentoo?
Because it would be stupid? The reason why /etc/shadow is only readable by
root is to refuse access to the encrypted passwords to make brute force
attacks on them impossible. Otherwise you could leave them in /etc/passwd.
> Ultimately, the apache:apache user will be running this code. I expect to
> have to add apache to the group shadow to be able to use the app. I don't
> want apache in the sudoers file, nor do I think it'd solve the problem,
> since my user is in the sudoers file but only can access /etc/shadow when
> running under sudo. I don't see this as a way to launch my webserver..??
You could put the code that needs to access /etc/shadow into a separate CGI
script and configure sudo so that user apache can only run this single script
as root and only when it comes from a specific path and has specific options.
HTH...
Dirk
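The two concrete suggestions in this thread, Stroller's "copy a minimal PAM programming example and see how your code differs" and Dirk's "put the code that needs /etc/shadow into a separate script that sudo lets apache run only from a specific path", fit together in one small program. What follows is an added example, not code from this thread or from any project it mentions: a minimal Linux-PAM client written in Python against libpam through ctypes, meant to be installed as a root-run helper that the web application invokes through a tightly scoped sudo rule, so /etc/shadow stays root-only. The install path (/usr/local/libexec/pam-check), the sudoers line and the PAM service name ("login") are assumptions. The background fact the example relies on: when a PAM client is not root, pam_unix cannot read /etc/shadow and falls back to the setuid helper unix_chkpwd, which verifies only the calling user's own password. That is why authenticating other users from the apache account looks as if it needs /etc/shadow, and why the usual answer is a privileged broker with a yes/no interface rather than widening the file's permissions.

```python
#!/usr/bin/env python3
"""Minimal Linux-PAM client via ctypes (added example, not the thread's code).

Assumed deployment (hypothetical path and service):
    install as /usr/local/libexec/pam-check, mode 0755, owned by root
    sudoers:  apache ALL=(root) NOPASSWD: /usr/local/libexec/pam-check ""
The trailing "" in the sudoers rule forbids any arguments, so apache can run
exactly this program and nothing else. Check the rule with `visudo -c`.
Credentials come in on stdin (two lines), never on argv, which `ps` shows.
"""
import ctypes
import ctypes.util
import sys
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_size_t, c_void_p, cast, sizeof)

# Constants from Linux-PAM <security/_pam_types.h>
PAM_SUCCESS = 0
PAM_CONV_ERR = 19
PAM_PROMPT_ECHO_OFF = 1   # "Password:"-style prompt
PAM_PROMPT_ECHO_ON = 2    # "login:"-style prompt
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    _fields_ = [("resp", c_char_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def answer_for(msg_style, user, password):
    """Conversation policy: what to reply to each kind of PAM message.
    None means "unknown style" and turns into PAM_CONV_ERR."""
    if msg_style == PAM_PROMPT_ECHO_OFF:
        return password
    if msg_style == PAM_PROMPT_ECHO_ON:
        return user
    if msg_style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
        return ""          # informational; an empty reply is the convention
    return None


def parse_credentials(text):
    """stdin format: '<user>\\n<password>\\n'. Raises on malformed input."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0]:
        raise ValueError("expected '<user>\\n<password>' on stdin")
    return lines[0], lines[1]


def pam_authenticate_user(user, password, service="login"):
    """Run the PAM auth + account stacks for `service`; return (ok, pam_text).
    libpam is loaded here, not at import, so the pure helpers work without it."""
    libpam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6")
    libc.calloc.restype, libc.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    libpam.pam_strerror.restype, libpam.pam_strerror.argtypes = c_char_p, [c_void_p, c_int]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_end):
        fn.argtypes = [c_void_p, c_int]

    def conv(num_msg, msgs, resp_out, _appdata):
        # PAM free()s the response array and every resp string, so allocate
        # them with libc rather than with Python-owned buffers.
        arr = cast(libc.calloc(num_msg, sizeof(PamResponse)), POINTER(PamResponse))
        for i in range(num_msg):
            answer = answer_for(msgs[i].contents.msg_style, user, password)
            if answer is None:
                return PAM_CONV_ERR
            arr[i].resp = libc.strdup(answer.encode())   # raw address
            arr[i].resp_retcode = 0
        resp_out[0] = arr
        return PAM_SUCCESS

    callback = CONV_FUNC(conv)          # keep alive for the whole transaction
    pconv = PamConv(callback, None)
    handle = c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(), byref(pconv), byref(handle))
    if rc != PAM_SUCCESS:
        return False, libpam.pam_strerror(handle, rc).decode()
    rc = libpam.pam_authenticate(handle, 0)
    if rc == PAM_SUCCESS:
        rc = libpam.pam_acct_mgmt(handle, 0)   # locked/expired accounts fail here
    text = libpam.pam_strerror(handle, rc).decode()
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS, text


if __name__ == "__main__":
    u, p = parse_credentials(sys.stdin.read())
    ok, why = pam_authenticate_user(u, p)
    print("OK" if ok else "FAIL: " + why)    # never echo the password
    sys.exit(0 if ok else 1)
```

Run as root (or through the sudo rule) it answers only "OK" or "FAIL: <pam text>" plus an exit status; the web application learns nothing about the hash, and the sudoers rule pins the exact path with no arguments so the apache account cannot reuse the grant for anything else. Run as an ordinary user it exercises the unix_chkpwd fallback and succeeds only for that user's own account, which is the behaviour the original poster was seeing.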