Is giving read permissions on /etc/shadow to apache user a wise decision from security point of view?
Posted by Czar on Server Fault
Published on 2011-02-26T12:10:10Z
I have to use PAM authentication for DAV SVN, but when everything is configured as specified in the mod_auth_pam documentation, authentication does not work. After some research I realized that for this to work, httpd should be running under the root user (which I don't like and won't implement) or the apache user (under which httpd is running by default) should have permissions to read the /etc/shadow file. So there is a pair of questions connected to each other which I want to ask:
- Is giving this permission to the apache user a wise decision from a security point of view?
- If the answer to the first question is "yes", what is the correct way to do so?
For now I've done the following:
groupadd shadow
usermod -G shadow apache
chmod g+r /etc/shadow
Another way I can come up with is using an ACL:
setfacl -m u:apache:r /etc/shadow
Note: OS is Fedora 14 x86_64 (kernel: 2.6.35.11)
httpd v2.2.17
mod_auth_pam v1.1.1
© Server Fault or respective owner
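
Added example, not part of the original post: a small audit check that lists every principal other than the owner that can read a file, covering both the group-bit route and the ACL route described in the question. The function name `readers_of` is hypothetical; it defaults to /etc/shadow and reports the owning group that the group-read bit actually applies to, plus any named ACL entries if `getfacl` is installed.

```shell
#!/bin/sh
# Added example: report who, besides the owner, can read a file.
# Usage: readers_of [path]   (default: /etc/shadow)
readers_of() {
    f=${1:-/etc/shadow}

    # ls -ld is POSIX: field 1 is the mode string, field 4 the owning group.
    line=$(ls -ld -- "$f") || return 2
    mode=${line%% *}
    group=$(printf '%s\n' "$line" | awk '{print $4}')

    # Character 5 of the mode string is group-read, character 8 is other-read.
    if [ "$(printf '%s' "$mode" | cut -c5)" = r ]; then
        # The bit applies to the file's owning group, whatever that is.
        echo "group:$group"
    fi
    if [ "$(printf '%s' "$mode" | cut -c8)" = r ]; then
        echo "other"
    fi

    # Named ACL entries (e.g. from setfacl -m u:apache:r) are not visible
    # in the mode bits, so list them separately when getfacl is available.
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -c -- "$f" 2>/dev/null | awk -F: '
            # Keep only named user/group entries, e.g. user:apache:r--
            ($1 == "user" || $1 == "group") && $2 != "" {
                # If the ACL mask limits the entry, getfacl appends
                # "#effective:<perms>"; prefer that value when present.
                perms = (NF >= 4) ? $4 : $3
                if (perms ~ /^r/) print "acl:" $1 ":" $2
            }'
    fi
    return 0
}

# Run against /etc/shadow when executed directly with no arguments:
#   readers_of
```

An empty result means only the owner (and root) can read the file; each printed line is a principal whose compromise exposes the password hashes.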