
Bug#503184: marked as done (RFP: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow)



Your message dated Fri, 12 Aug 2016 09:56:26 +0000
with message-id <E1bY9CU-0001zF-Pt@quantz.debian.org>
and subject line closing RFP: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow
has caused the Debian Bug report #503184,
regarding RFP: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
503184: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503184
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: normal

mod_auth_shadow is an Apache module which authenticates against the /etc/shadow file. You may use this module with a mode 400 root:root /etc/shadow file, while your web daemons are running under a non-privileged user. The module includes a separate binary to perform the password validation, which you are intended to install with setuid/setgid privileges.

http://mod-auth-shadow.sourceforge.net/

License: GPL

BACKGROUND:

According to the only Debian reference I can find about this package:

  http://packages.qa.debian.org/liba/libapache2-mod-auth-shadow.html

this software was packaged and maintained by Jorge Salamero Sanz. He requested the package to be removed by opening bug #489862, in which he stated:

libapache2-mod-auth-pam is able to behave like mod-auth-shadow even in
a smarter way using PAM and I barely use this package now.


To my understanding, this is not correct. According to bug report #246222, libapache2-mod-auth-pam is useless for shadow authentication without adding user "www-data" to group "shadow", and libapache2-mod-auth-shadow specifically addressed that fundamental problem with a setgid binary to perform the validation.

This is immediately apparent from the original description of the package and its predecessor libapache-mod-auth-shadow:

Description: Apache2 module for authentication using shadow
When performing this task one encounters one fundamental difficulty: the /etc/shadow file is supposed to be read/writable only by root. However, the webserver is supposed to run under a non-root user, such as www-data.
 .
mod_auth_shadow addresses this difficulty by opening a pipe to an SGID shadow program validate, which does the actual validation. When there is a failure validate writes an error message to the system log, and waits three seconds before exiting. The validate program uses getspnam() so supports shadow files and NIS.

I therefore believe the original maintainer should have orphaned this package, instead of removing it. His sources can be retrieved from the Ubuntu repositories:

  http://packages.ubuntu.com/source/hardy/libapache2-mod-auth-shadow

(And perhaps from Debian archives as well.) Package version 2.1-2 builds fine on my i386 Debian etch system and produces a working installation. Since there is already a working package, I am not submitting this as a "Request For Package".

Best regards,
Bruno De Fraine




--- End Message ---
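
The caller side of the design quoted in the package description above (an unprivileged server process piping credentials to a separate validation helper), as an added example that is not part of the original message and is not mod_auth_shadow's code. The wire format, the exit-status convention (0 means accept), the function names and the shell stand-ins for the helper are assumptions made for illustration.

```c
/* Added example, not mod_auth_shadow source. Assumed wire format: "user\npassword\n" on stdin. */
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for the helper: one accepts only alice / s3cret, one cannot be exec'd. */
char *const DEMO_HELPER[] = { "/bin/sh", "-c",
    "read u; read p; [ \"$u:$p\" = \"alice:s3cret\" ]", NULL };
char *const MISSING_HELPER[] = { "/nonexistent/validate", NULL };

static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n <= 0) return -1;
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Returns 1 only when the helper exits with status 0; every error path denies. */
int check_with_helper(char *const helper_argv[], const char *user, const char *pass) {
    char *const empty_env[] = { NULL };   /* helper gets none of the server's environment */
    int fds[2], status = 0, sent;
    pid_t pid;
    /* A newline inside a field would shift what the helper reads as the password. */
    if (strchr(user, '\n') || strchr(pass, '\n')) return 0;
    if (pipe(fds) != 0) return 0;
    signal(SIGPIPE, SIG_IGN);             /* process-wide: a dead helper gives EPIPE, not a kill */
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {                       /* child: the pipe becomes the helper's stdin */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0) _exit(127);
        close(fds[0]);
        execve(helper_argv[0], helper_argv, empty_env);
        _exit(127);                       /* exec failed: non-zero exit means deny */
    }
    close(fds[0]);
    sent = write_all(fds[1], user, strlen(user)) == 0 && write_all(fds[1], "\n", 1) == 0
        && write_all(fds[1], pass, strlen(pass)) == 0 && write_all(fds[1], "\n", 1) == 0;
    close(fds[1]);                        /* EOF tells the helper the request is complete */
    if (waitpid(pid, &status, 0) != pid) return 0;
    return sent && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    return check_with_helper(DEMO_HELPER, "alice", "s3cret") ? 0 : 1;
}
```

A real helper would look the account up with getspnam() and compare password hashes; the shell one-liner only stands in for its accept/deny exit status. Sending the password over the pipe rather than on the command line keeps it out of the process's argument list.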
--- Begin Message ---
RFP 503184 has no visible progress for a long time, so closing.

--- End Message ---
