Bug 91459 - mod_auth_pam ebuild suggests changing /etc/shadow to apache group
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Apache Team - Bugzilla Reports
Reported: 2005-05-04 10:22 UTC by Tim Keitt
Modified: 2006-02-28 09:54 UTC
Description Tim Keitt 2005-05-04 10:22:52 UTC
A much better solution is to add a "shadow" group and then add the apache user to that group. Then make /etc/shadow group readable. Avoids the side effect that anyone in the apache group gets access to shadow.

Reproducible: Always
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-05-04 10:44:57 UTC
mod_auth_pam-1.1.1-r1 suggests:

groupadd shadow
gpasswd -a apache shadow

Is this what you want? 
Comment 2 Tim Keitt 2005-05-04 11:44:56 UTC
Yes. That makes more sense. Probably should add the group with a system-level gid. (I used 23.) The default gid assigned by groupadd is >99. Also need 'chgrp shadow /etc/shadow; chmod g+r /etc/shadow'.
Comment 3 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-02-28 09:54:47 UTC
Looks like this was fixed long ago, as 1.1.1-r1 has the fix as noted above.
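
Added example, not part of the original bug thread: a shell function that lists which accounts can read a file such as /etc/shadow through its owning group, which is the side effect the report describes. It assumes GNU stat and the standard /etc/group and /etc/passwd field layout; the function name group_readers is hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread): list accounts that can read a file
# through its owning group. Uses GNU stat, as found on Gentoo Linux.

# group_readers FILE [GROUP_DB] [PASSWD_DB]
# Prints one account name per line; prints nothing if the group-read bit is off.
group_readers() {
    file=$1
    group_db=${2:-/etc/group}
    passwd_db=${3:-/etc/passwd}

    mode=$(stat -c '%a' "$file") || return 2
    gid=$(stat -c '%g' "$file") || return 2

    # Octal 040 is the group-read bit; without it membership grants nothing.
    [ $(( 0$mode & 040 )) -ne 0 ] || return 0

    awk -F: -v gid="$gid" '
        # First file: group database. Collect supplementary members of the gid.
        FILENAME == ARGV[1] {
            if ($3 == gid && $4 != "") {
                n = split($4, members, ",")
                for (i = 1; i <= n; i++) seen[members[i]] = 1
            }
            next
        }
        # Second file: passwd database. Accounts whose primary gid matches.
        $4 == gid { seen[$1] = 1 }
        END { for (user in seen) print user }
    ' "$group_db" "$passwd_db" | sort
}

# Stand-alone use: sh group_readers.sh /etc/shadow
if [ $# -gt 0 ]; then
    group_readers "$@"
fi
```

With /etc/shadow owned by a dedicated shadow group, the output should contain only the accounts deliberately added to it, such as apache.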