I have to use PAM authentication for DAV SVN, but when everything is configured as specified in the mod_auth_pam documentation, authentication does not work. After some research I realized that for this to work, httpd should be running under the root user (which I don't like and won't implement) or the apache user (under which httpd is running by default) should have permission to read the /etc/shadow file. So there is a pair of connected questions which I want to ask:
- Is giving this permission to the apache user a wise decision from a security point of view?
- If the answer to the first question is "yes", what is the correct way to do so?
For now I've done the following:
groupadd shadow
usermod -G shadow apache
chmod g+r /etc/shadow
Another way I can come up with is using an ACL:
setfacl -m u:apache:r /etc/shadow
Note: OS is Fedora 14 x86_64 (kernel: 2.6.35.11)
httpd v2.2.17
mod_auth_pam v1.1.1
No, you should never, ever give a publicly accessible service like Apache access to /etc/shadow.
Instead of mod_auth_pam, you could try to use mod_auth_external in conjunction with pwauth.
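
A check for the exposure discussed in this thread, as an added example that is not part of the question or the answer: a shell function (the name `shadow_exposure` is hypothetical) that reports which accounts other than the owner can read a file such as /etc/shadow, covering both the group-bit and the ACL approach from the question. It assumes GNU `stat` and uses `getfacl` and `getent` when they are installed.

```shell
#!/bin/sh
# Added example: list who besides the owner can read a password-hash file.
# Assumes GNU stat (as on Fedora). Returns 0 = owner only, 1 = exposed, 2 = error.
shadow_exposure() {
    file=$1; exposed=0
    info=$(stat -c '%a %U %G' "$file") || return 2
    set -- $info                      # e.g. "640 root shadow"
    mode=$((0$1)); group=$3
    echo "$file: mode $1, owner $2, group $group"

    # Once an ACL is set, the group bits of the mode hold the ACL mask rather
    # than the owning group's rights, so read "group::" from getfacl if we can.
    acl=
    if command -v getfacl >/dev/null 2>&1; then
        acl=$(getfacl -cp "$file" 2>/dev/null) || acl=
    fi
    if [ -n "$acl" ]; then
        if printf '%s\n' "$acl" | grep -q '^group::r'; then group_read=1; else group_read=0; fi
    else
        group_read=$(( (mode & 040) != 0 ))
    fi

    if [ "$group_read" -eq 1 ]; then
        exposed=1
        # "chmod g+r" grants read to whichever group owns the file; getent lists
        # supplementary members only, primary-group accounts can read as well.
        members=$(getent group "$group" 2>/dev/null | cut -d: -f4) || true
        echo "EXPOSED: group '$group' can read; members: $members"
    fi
    if [ $((mode & 004)) -ne 0 ]; then
        exposed=1
        echo "EXPOSED: every local account can read"
    fi

    # Named entries such as the one "setfacl -m u:apache:r" creates; entries
    # whose effective rights are masked down to no read are dropped.
    named=$(printf '%s\n' "$acl" | grep -E '^(user|group):[^:]+:r' | grep -v '#effective:-') || true
    if [ -n "$named" ]; then
        exposed=1
        echo "EXPOSED: ACL grants read to:"
        printf '%s\n' "$named" | sed 's/^/  /'
    fi
    return "$exposed"
}

# Run against a path given on the command line, e.g. /etc/shadow.
if [ $# -gt 0 ]; then shadow_exposure "$1"; fi
```

The group check reports the group that actually owns the file, so it also shows whether a newly created group was ever made the file's group.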