Is giving read permissions on /etc/shadow to apache user a wise decision from security point of view?

Posted by Czar on Server Fault See other posts from Server Fault or by Czar
Published on 2011-02-26T12:10:10Z Indexed on 2011/02/26 15:26 UTC
Read the original article Hit count: 278

I have to use PAM authentication for DAV SVN, but when everything is configured as specified in mod_auth_pam documentation, authentication does not work. After some research I realized, that for this to work, httpd should be running under root user (which I don't like and won't implement) or apache user (under which httpd is running by default) should have permissions to read /etc/shadow file. So there is a pair of questions connected to each other which I want to ask:

  1. Is giving this permition to apache user a wise decision from security point of view?
  2. If answer to the first question is "yes", what is the correct way to do so?

For now I've done following:

groupadd shadow
usermod -G shadow apache
chmod g+r /etc/shadow

Another way I can come up with is using acl:

setfacl -m u:apache:r /etc/shadow

Note: OS is Fedora 14 x86_64 (kernel: 2.6.35.11)

httpd v2.2.17

mod_auth_pam v1.1.1

© Server Fault or respective owner

Related posts about security

Related posts about permissions