[Hcoop-discuss] Web passwords
ntk at hcoop.net
Mon Oct 17 09:11:43 EDT 2005
> Michael Potter wrote:
>> The package libapache2-mod-auth-pam would continue to work even if the
>> authentication scheme changed to LDAP in the future. The main
>> downside is the www-data user would have to be added to the shadow
>> group, so anyone with access to run scripts could read the encrypted
>> passwords.
>
> Actually, I hope that we aren't giving anyone access to run scripts as
> www-data. You shouldn't be able to run any general programs as any user
> that you haven't explicitly requested permission to run as. In general,
> if anyone finds a way to do this, even if it seems benign, then I'd like
> to hear about it. :-)
>
> Given that, does libapache2-mod-auth-pam sound like a safe choice to
> everyone? The only problem I can think of is users serving /etc/shadow
> as a static page, and I _believe_ that domtool's directory access
> permissions (via .paths files), combined with Apache's configuration not
> to follow symlinks, have been preventing this all along.
We definitely don't want users getting direct access to /etc/shadow,
because there are bound to be users with weak/crackable passwords.
Probably most users, for that matter. I thought the whole point of PAM
was to give an API for checking passwords without granting access to the
encrypted passwords themselves or relying on a particular underlying
authentication mechanism.
-Nathan
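The two exposure paths the thread worries about (www-data being a member of the shadow group, and a user serving /etc/shadow as a static page via a symlink) are both things an admin can check mechanically. The following audit script is an added example, not code from the HCoop thread or from domtool; it assumes Debian conventions (a group named "shadow" guarding the shadow file, Apache "Options" lines controlling FollowSymLinks) and takes file paths as arguments so it can run against constructed fixtures as well as the real /etc/group, /etc/shadow and Apache config.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit the ways a web server
# account could get at the shadow file. Paths are parameters so the checks can be
# exercised on constructed files; on a live host pass /etc/group, /etc/shadow and
# the Apache configuration file.

# Print the comma-separated supplementary member list of the "shadow" group in
# the group file given as $1 (empty if nobody has been added).
shadow_group_members() {
    awk -F: '$1 == "shadow" { print $4 }' "$1"
}

# Succeed if user $2 is a supplementary member of "shadow" in group file $1.
user_in_shadow_group() {
    shadow_group_members "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Succeed if the shadow file at $1 grants any permission bit to "other".
# Uses the ls(1) mode string, which is portable across GNU and BSD userlands.
shadow_file_world_readable() {
    other=$(ls -ld -- "$1" | cut -c8-10)
    [ "$other" != "---" ]
}

# Succeed if any "Options" line in config file $1 enables FollowSymLinks
# ("FollowSymLinks" or "+FollowSymLinks"); "-FollowSymLinks" does not count.
config_follows_symlinks() {
    awk 'tolower($1) == "options" {
             for (i = 2; i <= NF; i++)
                 if (tolower($i) == "followsymlinks" || tolower($i) == "+followsymlinks")
                     found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# Run every check; print one line per finding and return the number of findings
# as the exit status (0 means nothing was found).
audit_shadow_exposure() {
    group_file=$1; shadow_file=$2; conf_file=$3; web_user=$4
    findings=0
    if user_in_shadow_group "$group_file" "$web_user"; then
        echo "FINDING: $web_user is in the shadow group; anything running as $web_user can read $shadow_file"
        findings=$((findings + 1))
    fi
    if shadow_file_world_readable "$shadow_file"; then
        echo "FINDING: $shadow_file is readable by 'other'"
        findings=$((findings + 1))
    fi
    if config_follows_symlinks "$conf_file"; then
        echo "FINDING: $conf_file enables FollowSymLinks; a symlink in a web directory could serve $shadow_file"
        findings=$((findings + 1))
    fi
    return $findings
}

# Demonstration on constructed fixtures that reproduce all three problems.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:\nshadow:x:42:www-data\nwww-data:x:33:\n' > "$tmp/group"
    printf 'root:*:16000:0:99999:7:::\n' > "$tmp/shadow"
    chmod 644 "$tmp/shadow"
    printf '<Directory /home/*/public_html>\n    Options Indexes FollowSymLinks\n</Directory>\n' > "$tmp/apache2.conf"
    n=0
    audit_shadow_exposure "$tmp/group" "$tmp/shadow" "$tmp/apache2.conf" www-data || n=$?
    echo "findings: $n"
    rm -rf "$tmp"
}

demo
```

A hardened host returns 0 from audit_shadow_exposure: www-data absent from the shadow group (the PAM helper, not the web server, is what should read the shadow file), the shadow file mode 0640 or stricter, and FollowSymLinks disabled in every user-controlled directory.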