Package: wnpp
Severity: normal
mod_auth_shadow is an Apache module which authenticates against the
/etc/shadow file. You may use this module with a mode 400 root:root
/etc/shadow file, while your web daemons are running under a
non-privileged user. The module includes a separate binary to perform
the password validation, which you are intended to install with
setuid/setgid privileges.
http://mod-auth-shadow.sourceforge.net/
License: GPL
BACKGROUND:
According to the only Debian reference I can find about this package:
http://packages.qa.debian.org/liba/libapache2-mod-auth-shadow.html
this software was packaged and maintained by Jorge Salamero Sanz. He
requested the package to be removed by opening bug #489862, in which
he stated:
libapache2-mod-auth-pam is able to behave like mod-auth-shadow even in
a smarter way using PAM and I barely use this package now.
To my understanding, this is not correct. According to bug report
#246222, libapache2-mod-auth-pam is useless for shadow authentication
without adding user "www-data" to group "shadow", and
libapache2-mod-auth-shadow specifically addressed that fundamental
problem with a setgid binary to perform the validation.
This is immediately apparent from the original description of the
package and its predecessor libapache-mod-auth-shadow:
Description: Apache2 module for authentication using shadow
When performing this task one encounters one fundamental difficulty: the
/etc/shadow file is supposed to be read/writable only by root. However,
the webserver is supposed to run under a non-root user, such as www-data.
.
mod_auth_shadow addresses this difficulty by opening a pipe to an SGID shadow
program validate, which does the actual validation. When there is a failure
validate writes an error message to the system log, and waits three seconds
before exiting. The validate program uses getspnam() so supports shadow
files and NIS.
I therefore believe the original maintainer should have orphaned this
package, instead of removing it. His sources can be retrieved from the
Ubuntu repositories:
http://packages.ubuntu.com/source/hardy/libapache2-mod-auth-shadow
(And perhaps from Debian archives as well.) Package version 2.1-2
builds fine on my i386 Debian etch system and produces a working
installation. Since there is already a working package, I am not
submitting this as a "Request For Package".
Best regards,
Bruno De Fraine
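
The privilege split described in the package description can be checked on an installed system. The script below is an added example, not part of the bug report or of the package. It assumes GNU stat as shipped on Debian, and the function names and the helper path in the final comment are placeholders.

```shell
#!/bin/sh
# Added example: audit the privilege split mod_auth_shadow relies on.
# Assumes GNU stat (Debian). Function names are hypothetical.

# has_bits FILE MASK: true if any permission bit in octal MASK is set.
has_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# helper_ok FILE GROUP: the validate helper must be setgid GROUP and
# must not be writable by group or other.
helper_ok() {
    rc=0
    [ -f "$1" ] || { echo "FAIL: $1 not found"; return 1; }
    has_bits "$1" 2000 || { echo "FAIL: $1 is not setgid"; rc=1; }
    [ "$(stat -c '%G' -- "$1")" = "$2" ] ||
        { echo "FAIL: $1 group is not $2"; rc=1; }
    if has_bits "$1" 022; then
        echo "FAIL: $1 is group- or world-writable"; rc=1
    fi
    return $rc
}

# shadow_ok FILE WEBUSER GROUP: FILE must give no access to "other", and
# WEBUSER must not be in GROUP (the workaround the helper makes unnecessary).
shadow_ok() {
    rc=0
    if has_bits "$1" 007; then
        echo "FAIL: $1 is accessible to other"; rc=1
    fi
    if id -nG "$2" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$3"; then
        echo "FAIL: $2 is a member of $3"; rc=1
    fi
    return $rc
}

# Example call; the helper path is a placeholder for wherever the
# package installed it:
#   helper_ok /path/to/validate shadow && shadow_ok /etc/shadow www-data shadow
```

Each function prints one FAIL line per finding and returns non-zero if any check failed.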