A much better solution is to add a "shadow" group and then add the apache user to that group. Then make /etc/shadow group readable. Avoids the side effect that anyone in the apache group gets access to shadow. Reproducible: Always Steps to Reproduce: 1. 2. 3.
mod_auth_pam-1.1.1-r1 suggests: groupadd shadow gpasswd -a apache shadow Is this what you want?
Yes. That makes more sense. Probably should add the group with a system-level gid. (I used 23.) The default gid assigned by groupadd is >99. Also need 'chgrp shadow /etc/shadow; chmod g+r /etc/shadow'.
looks like this was fixed long ago, as 1.1.1-r1 has the fix as noted above.