mod_auth_shadow2 2.1 review
Downloadmod_auth_shadow is an Apache module for authentication using /etc/shadow. When performing this task one encounters one fundamental
|
|
mod_auth_shadow is an Apache module for authentication using /etc/shadow.
When performing this task one encounters one fundamental difficulty: The /etc/shadow file is supposed to be read/writeable only by root. However, the webserver is supposed to run under a non-root user, such as "nobody".
mod_auth_shadow addresses this difficulty by opening a pipe to an suid root program, validate, which does the actual validation. When there is a failure, validate writes an error message to the system log, and waits three seconds before exiting.
Requirements:
Apache 2.x
Manual installation:
There are three pieces to mod_auth_shadow:
1. mod_auth_shadow.so
2. validate
3. the web server configuration
They can be built, installed and configured as follows:
1. As root, type 'make all' to build mod_auth_shadow.so, and validate. (See testvalidate.c for testing instructions, if you want to test validate's compatibility with your system.)
2. Typing 'make install' will then:
- install validate into /usr/sbin/
- install mod_auth_shadow.so into /usr/lib/apache/
- add these lines to your webserver config file (httpd.conf):
LoadModule authshadow_module lib/apache/mod_auth_shadow.so
AddModule mod_auth_shadow.c
If the last two defaults aren't correct, you'll need to edit httpd.conf. For instance, if your web root directory is /home/httpd, and you have a symlink
/etc/httpd/modules -> ../../usr/lib/apache
then you'll want to change the first of the two lines above to be
LoadModule authshadow_module modules/mod_auth_shadow.so
3. To configure a directory to be readable only by valid users of the system, the following could be added to httpd.conf:
< Directory /path/to/directory >
AuthName whateveryoulike
AuthShadow on
AuthType Basic
require valid-user
< /Directory >
The "AuthShadow on" directive tells the authentication handler to take effect. If AuthShadow is set to off, mod_auth_shadow will decline to authenticate the user.
mod_auth_shadow also supports the "require user" and "require group" directives. "require user" restricts access to the named (space separated) users. "require group" restricts access to users who are a member of the listed groups.
4. Restart the web server for the changes to take effect.
What's New in This Release:
Fixed so that AuthShadow off properly causes the require directive to be ignored.
Changed the directory and naming structure to coincide with fedora core 4 apache rpms.
mod_auth_shadow2 2.1 keywords