Bug#503184: O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow

To: submit@bugs.debian.org
Subject: Bug#503184: O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow
From: Bruno De Fraine <bruno@defraine.net>
Date: Thu, 23 Oct 2008 11:33:03 +0200
Message-id: <[🔎] 85066EF1-DF42-48D6-A3B6-E81C3068B523@defraine.net>
Reply-to: Bruno De Fraine <bruno@defraine.net>, 503184@bugs.debian.org

Package: wnpp
Severity: normal

mod_auth_shadow is an Apache module which authenticates against the /etc/shadow file. You may use this module with a mode 400 root:root /etc/shadow file, while your web daemons are running under a non-privileged user. The module includes a separate binary to perform thepassword validation, which you are intended to install with setuid/setgid privileges.


http://mod-auth-shadow.sourceforge.net/

License: GPL

BACKGROUND:

According to the only Debian reference I can found about this package:

  http://packages.qa.debian.org/liba/libapache2-mod-auth-shadow.html

this software was packaged and maintained by Jorge Salamero Sanz. Herequested the package to be removed by opening bug #489862, in whichhe stated:

libapache2-mod-auth-pam is able to behave like mod-auth-shadow even in
an smarter way using PAM and i barely use this package now.

To my understanding, this is not correct. According to bug report#246222, libapache2-mod-auth-pam is useless for shadow authenticationwithout adding user "www-data" to group "shadow", and libapache2-mod-auth-shadow specifically addressed that fundamental problem with asetgid binary to perform the validation.

This is immediately apparent from the original description of thepackage and its predecessor libapache-mod-auth-shadow:

Description: Apache2 module for authentication using shadow
When performing this task one encounters one fundamentaldifficulty: the/etc/shadow file is supposed to be read/writable only by root.However,the webserver is supposed to run under a non-root user, such as www-data.
 .
mod_auth_shadow addresses this difficulty by opening a pipe to anSGID shadowprogram validate, which does the actual validation. When there is afailurevalidate writes an error message to the system log, and waits threesecondsbefore exiting. The validate program uses getspnam() so supportsshadow
 files and NIS.

I therefore believe the original maintainer should have orphaned thispackage, instead of removing it. His sources can be retrieved from theUbuntu repositories:


  http://packages.ubuntu.com/source/hardy/libapache2-mod-auth-shadow

(And perhaps from Debian archives as well.) Package version 2.1-2builds fine on my i386 Debian etch system and produces a workinginstallation. Since there is already a working package, I am notsubmitting this as a "Request For Package".


Best regards,
Bruno De Fraine

Reply to:

Follow-Ups:
- Bug#503184: marked as done (O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#503185: ITP: chname -- Utility which runs a command with a new system hostname
Next by Date: Bug#503185: ITP: chname -- Utility which runs a command with a new system hostname
Previous by thread: Bug#503185: ITP: chname -- Utility which runs a command with a new system hostname
Next by thread: Bug#503184: marked as done (O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow)
Index(es):
- Date
- Thread