mod_auth_shadow2 2.1 review

by rbytes.net on

License: GPL (GNU General Public License)
File size: 0K
Developer: Brian Duggan

mod_auth_shadow is an Apache module for authentication using /etc/shadow.

When performing this task one encounters one fundamental difficulty: The /etc/shadow file is supposed to be read/writeable only by root. However, the webserver is supposed to run under a non-root user, such as "nobody".

mod_auth_shadow addresses this difficulty by opening a pipe to an suid root program, validate, which does the actual validation. When there is a failure, validate writes an error message to the system log, and waits three seconds before exiting.

Requirements:
Apache 2.x

Manual installation:

There are three pieces to mod_auth_shadow:

1. mod_auth_shadow.so
2. validate
3. the web server configuration

They can be built, installed and configured as follows:

1. As root, type 'make all' to build mod_auth_shadow.so and validate. (To test validate's compatibility with your system, see testvalidate.c for testing instructions.)

2. Typing 'make install' will then:

- install validate into /usr/sbin/
- install mod_auth_shadow.so into /usr/lib/apache/
- add these lines to your webserver config file (httpd.conf):

LoadModule authshadow_module lib/apache/mod_auth_shadow.so
AddModule mod_auth_shadow.c

If the last two defaults aren't correct, you'll need to edit httpd.conf. For instance, if your web root directory is /home/httpd, and you have a symlink

/etc/httpd/modules -> ../../usr/lib/apache

then you'll want to change the first of the two lines above to be

LoadModule authshadow_module modules/mod_auth_shadow.so

3. To configure a directory to be readable only by valid users of the system, the following could be added to httpd.conf:

<Directory /path/to/directory>
AuthName whateveryoulike
AuthShadow on
AuthType Basic
require valid-user
</Directory>

The "AuthShadow on" directive tells the authentication handler to take effect. If AuthShadow is set to off, mod_auth_shadow will decline to authenticate the user.

mod_auth_shadow also supports the "require user" and "require group" directives. "require user" restricts access to the named (space-separated) users. "require group" restricts access to users who are members of the listed groups.

4. Restart the web server for the changes to take effect.
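
A post-install check of the permission model described above, as an added example that is not part of mod_auth_shadow: it verifies that /etc/shadow stays closed to non-root users and that the validate helper is a root-owned setuid binary nobody else can modify. It assumes GNU coreutils stat and the default /usr/sbin/validate path from step 2; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the permission model this page describes.
# Assumes GNU coreutils stat(1) and the default paths from 'make install'.

# mode_ok KIND UID OCTAL_MODE
#   helper: root-owned, setuid bit set, not writable by group or other
#   shadow: root-owned, no permission bits at all for "other"
# Returns 0 if the owner/mode pair fits the model, non-zero otherwise.
mode_ok() {
    kind=$1 uid=$2 mode=$3
    [ "$uid" = 0 ] || return 1
    case $mode in ''|*[!0-7]*) return 1 ;; esac
    m=$((0$mode))                      # leading 0 = parse as octal
    case $kind in
        helper) [ $((m & 04000)) -ne 0 ] && [ $((m & 0022)) -eq 0 ] ;;
        shadow) [ $((m & 0007)) -eq 0 ] ;;
        *)      return 2 ;;
    esac
}

# audit_path KIND PATH: stat the file and report OK / FAIL / MISSING.
audit_path() {
    info=$(stat -c '%u %a' "$2" 2>/dev/null) || { echo "MISSING $2"; return 1; }
    if mode_ok "$1" "${info% *}" "${info#* }"; then
        echo "OK      $2 (uid=${info% *} mode=${info#* })"
    else
        echo "FAIL    $2 (uid=${info% *} mode=${info#* })"
        return 1
    fi
}

# Run the audit only when asked: pass "run" as the first argument.
if [ "${1:-}" = run ]; then
    rc=0
    audit_path shadow /etc/shadow        || rc=1
    audit_path helper /usr/sbin/validate || rc=1
    exit "$rc"
fi
```

The shadow check only rejects access for "other"; if the file is group-readable, also confirm that the web server's user is not a member of that group.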

What's New in This Release:
Fixed so that AuthShadow off properly causes the require directive to be ignored.
Changed the directory and naming structure to coincide with Fedora Core 4 Apache RPMs.