On Sunday, 16 November 2008 18:24:17, Michael Higgins wrote:
> On Sat, 15 Nov 2008 02:01:54 +0100
> Michele Schiavo <[EMAIL PROTECTED]> wrote:
>
> > /etc/sudoers ??
>
> I think I'm trying to avoid running under sudo. Yes, that works, but must
> have other security implications?

Which ones? You know that you can restrict what users can do under sudo in a
very fine-grained manner (for example: user johndoe can run /bin/ls as user
root, but only with options -l and -a).

> In researching the problem, the workaround I posted was cribbed from other
> distros which have a 'shadow' group. This is why I posted here, to see if
> this is common (as I now suspect), why isn't it used in Gentoo?

Because it would be stupid? The reason why /etc/shadow is only readable by
root is to refuse access to the encrypted passwords to make brute-force
attacks on them impossible. Otherwise you could leave them in /etc/passwd.

> Ultimately, the apache:apache user will be running this code. I expect to
> have to add apache to the group shadow to be able to use the app. I don't
> want apache in the sudoers file, nor do I think it'd solve the problem,
> since my user is in the sudoers file but only can access /etc/shadow when
> running under sudo. I don't see this as a way to launch my webserver..??

You could put the code that needs to access /etc/shadow into a separate CGI
script and configure sudo so that user apache can only run this single
script as root and only when it comes from a specific path and has specific
options.

HTH...

Dirk
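The two sudo restrictions Dirk describes (johndoe limited to /bin/ls with -l and -a, and apache limited to one fixed-path script) written out as a sudoers fragment, plus the check that makes the second rule safe: if apache can modify the script it is allowed to run as root, the rule hands out root. This is an added example, not code from the thread; the script path /usr/local/sbin/shadow-check is a hypothetical name, and the trailing `""` is sudoers syntax meaning "no arguments allowed".

```sh
#!/bin/sh
# Added example (not from the original thread). Assumes a hypothetical
# root-owned helper /usr/local/sbin/shadow-check that does the /etc/shadow
# work on behalf of the web app.

# Emit the sudoers fragment. Commands and arguments are matched exactly, so
# johndoe gets only the listed ls invocations, and apache gets one script
# with no arguments and no password prompt (it has no terminal to type one).
sudoers_rule() {
  cat <<'EOF'
# user johndoe: /bin/ls as root, only with -l and/or -a
johndoe ALL = (root) /bin/ls -l, /bin/ls -a, /bin/ls -la

# user apache: exactly one fixed-path script, no arguments ("" forbids them)
Cmnd_Alias SHADOWCHECK = /usr/local/sbin/shadow-check ""
apache ALL = (root) NOPASSWD: SHADOWCHECK
EOF
}

# Refuse to point a sudo rule at a script the apache user could rewrite:
# it must exist, be owned by root, and not be group- or world-writable.
# Uses the first 10 characters of `ls -ld` so it works without GNU stat.
script_is_safe() {
  f=$1
  [ -f "$f" ] || return 1
  perms=$(ls -ld "$f" | cut -c1-10)
  owner=$(ls -ld "$f" | awk '{print $3}')
  [ "$owner" = root ] || return 1
  case $perms in
    ?????w????|????????w?) return 1 ;;   # group-writable or world-writable
  esac
  return 0
}

# Syntax-check the fragment with visudo before anyone adds it to /etc/sudoers
# (a broken sudoers file locks everyone out of sudo). Returns 2 if visudo is
# not on PATH so callers can tell "unchecked" from "rejected".
check_rule() {
  command -v visudo >/dev/null 2>&1 || return 2
  tmp=$(mktemp) || return 1
  sudoers_rule > "$tmp"
  visudo -c -f "$tmp" >/dev/null 2>&1
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: review the fragment, then add it with `visudo` only after
# script_is_safe /usr/local/sbin/shadow-check succeeds.
sudoers_rule
```

The ownership and mode check is the part people forget: a NOPASSWD rule for a script that apache owns or can write to is equivalent to giving apache an unrestricted root shell.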