Is giving read permissions on /etc/shadow to the apache user a wise decision from a security point of view?
- by Czar
I have to use PAM authentication for DAV SVN, but when everything is configured as specified in the mod_auth_pam documentation, authentication does not work. After some research I realized that for this to work, httpd should be running as the root user (which I don't like and won't implement), or the apache user (under which httpd runs by default) should have permission to read the /etc/shadow file.
So there is a pair of questions connected to each other which I want to ask:
Is giving this permission to the apache user a wise decision from a security point of view?
If the answer to the first question is "yes", what is the correct way to do so?
For now I've done the following:
groupadd shadow
usermod -G shadow apache
chmod g+r /etc/shadow
Another way I can come up with is using an ACL:
setfacl -m u:apache:r /etc/shadow
Note:
OS is Fedora 14 x86_64 (kernel: 2.6.35.11)
httpd v2.2.17
mod_auth_pam v1.1.1
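Added example (not part of the original post): a small check of which permission class, if any, lets a service account read a file such as /etc/shadow under the classic mode-bit rules. The helper names `read_path` and `audit_read`, uid 48 and gid 1001 are constructed for illustration; GNU `stat` is assumed, and ACL entries set with `setfacl` are not evaluated.

```bash
#!/usr/bin/env bash
# Added example: which permission class (if any) lets an account read a file.
# Only classic mode bits are evaluated; ACL entries need getfacl.

# read_path MODE FILE_UID FILE_GID USER_UID "USER_GIDS" (hypothetical helper)
# Prints one of: root, owner, group, other, none.
read_path() {
    local mode fuid fgid uuid gids g
    mode=$((0$1)); fuid=$2; fgid=$3; uuid=$4; gids=$5
    # uid 0 bypasses the read bits entirely.
    if [ "$uuid" -eq 0 ]; then echo root; return 0; fi
    # Exactly one class applies: owner first, then group, then other.
    if [ "$uuid" -eq "$fuid" ]; then
        if [ $((mode & 0400)) -ne 0 ]; then echo owner; else echo none; fi
        return 0
    fi
    for g in $gids; do
        if [ "$g" -eq "$fgid" ]; then
            if [ $((mode & 0040)) -ne 0 ]; then echo group; else echo none; fi
            return 0
        fi
    done
    if [ $((mode & 0004)) -ne 0 ]; then echo other; else echo none; fi
}

# audit_read FILE USER (hypothetical helper): same check against a real file.
# Assumes GNU coreutils stat, as shipped on Fedora.
audit_read() {
    local info
    info=$(stat -c '%a %u %g' "$1") || return 1
    set -- "$2" $info
    read_path "$2" "$3" "$4" "$(id -u "$1")" "$(id -G "$1")"
}

# Constructed inputs: service uid 48 with gids "48 1001", where 1001 stands
# in for a dedicated "shadow" group.
echo "0400 root:root   -> $(read_path 400 0 0 48 '48 1001')"
echo "0440 root:root   -> $(read_path 440 0 0 48 '48 1001')"
echo "0440 root:shadow -> $(read_path 440 0 1001 48 '48 1001')"
```

The group read bit only takes effect when the file's group is one the account belongs to; once it does, any code running as that account can read every password hash in the file.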