adelton / mod_authnz_pam

Apache module to run PAM authorization on result of other module's authentication; also full Basic Auth PAM provider.
https://www.adelton.com/apache/mod_authnz_pam/
Apache License 2.0

An option to setuid() after PAM succeeds? #17

Closed wangyugui-e16 closed 1 year ago

wangyugui-e16 commented 1 year ago

Hi,

An option to setuid() after PAM succeeds?

There are 2 cases for using mod_authnz_pam: 1) we use it for authn only; we can run httpd with the apache account. We need some help from #12.

2) We use it for authz too, such as when creating a new file with WebDAV? We need to run httpd with the root account.

Best regards

adelton commented 1 year ago

As for https://github.com/adelton/mod_authnz_pam/issues/12, I suggested SSSD or pam_unix.so with the unix_chkpwd helper there as ways to authenticate using the OS accounts and passwords from /etc/shadow. If that does not work for you for some reason, please explain exactly what you try to do, including the exact OS versions and configurations, what you get, and where your expectations start to diverge from reality.

As for the second case, it seems you try to use Apache to access random content on the disk and classical POSIX permissions prevent you from doing that. That does not seem to have much to do with PAM or PAM authorization; you would get the same issue if you just configured any other authentication / authorization mechanism. In fact, https://httpd.apache.org/docs/2.4/mod/mod_dav.html says

In order for mod_dav to manage files, it must be able to write to the directories and files under its control using the User and Group under which Apache is running. New files created will also be owned by this User and Group. For this reason, it is important to control access to this account. The DAV repository is considered private to Apache; modifying files outside of Apache (for example using FTP or filesystem-level tools) should not be allowed.

so if you try to use it differently, you might want to reconsider. Perhaps https://codebase.helmholtz.cloud/kit-scc-sdm/onlinestorage/httpd-webdav/mod-mpmitk-setuid is what you are looking for?

wangyugui-e16 commented 1 year ago

Default Apache does NOT allow running as 'root', because it supports some modules such as CGI; in that case, 'root' is very dangerous.

But for WebDAV, it is not so dangerous to let 'apache/httpd' run as 'root'. So we can run 'webdav' under the same user/group control as NFS/Samba, resulting in more security?

We need patches for both Apache and mod_authnz_pam. For Apache, make it possible to run as 'root' just like sshd. For mod_authnz_pam, add setuid() if not 'root'.

adelton commented 1 year ago

Technically, for Apache HTTP Server to stop rejecting User root, recompile it with -DBIG_SECURITY_HOLE added to CFLAGS, per https://github.com/apache/httpd/blob/trunk/modules/arch/unix/mod_unixd.c#L236-L248. But the check and the name of that flag are there for a reason.

I am not adding setuid() to mod_authnz_pam because the permissions needed to serve a specific directory or file have nothing to do with authentication happening via PAM; that is a general issue, as I tried to explain above.

wangyugui-e16 commented 1 year ago

Maybe we could launch a new daemon project for WebDAV. But for now we could try it based on httpd/Apache.

0001-httpd-allow-root.patch 0001-mod_authnz_pam-setuid.patch

pam_modutil_getpwnam() causes 100% CPU; any help?

wangyugui-e16 commented 1 year ago

httpd.conf for WebDAV and mod_authnz_pam:

```apache
Alias /webdav "/mnt/test"
<Location /webdav>
  Options +Indexes
  Dav On
  AuthName "Login"
  AuthType Basic
  AuthBasicProvider PAM
  AuthPAMService sshd
  Require valid-user
</Location>
```

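
As an added example (not from this thread and not the module's own documentation): the same WebDAV location reworked so that httpd keeps running as an unprivileged user, which is what the mod_dav documentation quoted above requires. The module paths, the DavLockDB location, the ownership of /mnt/test and the dedicated PAM service name httpd-webdav are assumptions.

```apache
# Added example, not from the issue thread. Assumes httpd runs as the
# "apache" user/group, that the DAV root has been handed to that account
# (e.g. chown -R apache:apache /mnt/test && chmod -R u=rwX,g=rX,o= /mnt/test),
# and that /etc/pam.d/httpd-webdav exists (assumed name; reusing "sshd"
# ties the web login policy to the ssh policy).
User apache
Group apache

LoadModule dav_module        modules/mod_dav.so
LoadModule dav_fs_module     modules/mod_dav_fs.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so

# mod_dav_fs needs a writable lock database owned by the httpd user.
DavLockDB /var/lib/httpd/DavLock

Alias /webdav "/mnt/test"

# <Directory> rather than <Location> so the rules follow the filesystem
# path even if the tree is aliased under another URL later.
<Directory "/mnt/test">
  Options Indexes
  Dav On

  AuthName "Login"
  AuthType Basic
  # mod_authnz_pam as the Basic Auth provider: the password is checked by
  # the PAM "auth" stage of the named service, and PAM's account checks
  # (locked/expired accounts) are applied as well.
  AuthBasicProvider PAM
  AuthPAMService httpd-webdav
  Require valid-user

  # Authorization-only alternative (the module's other mode): keep a
  # different authn provider and let PAM's "account" stage decide access:
  #   AuthBasicProvider file
  #   AuthUserFile /etc/httpd/webdav.htpasswd
  #   Require pam-account httpd-webdav
</Directory>
```

Files created through WebDAV will be owned by apache:apache, as the quoted mod_dav text states; per-user ownership on the filesystem is not something this configuration (or PAM) provides.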
wangyugui-e16 commented 1 year ago

When I replace 'pam_modutil_getpwnam()' with 'getpwnam()', it seems to work. But we need a better solution to support the session feature?