Closed wangyugui-e16 closed 1 year ago
As for https://github.com/adelton/mod_authnz_pam/issues/12, I suggested SSSD or pam_unix.so with the unix_chkpwd helper there as ways to authenticate using the OS accounts and passwords from /etc/shadow. If that does not work for you for some reason, please explain exactly what you try to do, including the exact OS versions and configurations, what you get, and where your expectations start to diverge from reality.
As for the second case, it seems you try to use Apache to access random content on the disk and classical POSIX permissions prevent you from doing that. That does not seem to have much to do with PAM or PAM authorization, you would get the same issue if you just configured any other authentication / authorization mechanism. In fact, https://httpd.apache.org/docs/2.4/mod/mod_dav.html says
In order for mod_dav to manage files, it must be able to write to the directories and files under its control using the User and Group under which Apache is running. New files created will also be owned by this User and Group. For this reason, it is important to control access to this account. The DAV repository is considered private to Apache; modifying files outside of Apache (for example using FTP or filesystem-level tools) should not be allowed.
so if you try to use it differently, you might want to reconsider. Perhaps https://codebase.helmholtz.cloud/kit-scc-sdm/onlinestorage/httpd-webdav/mod-mpmitk-setuid is what you are looking for?
Default apache does NOT allow running as 'root', because it supports some modules such as CGI; in that case, 'root' is very dangerous.
But for webdav, it is not so dangerous to let 'apache/httpd' run as 'root'. So we can run 'webdav' under the same user/group control as nfs/samba, resulting in more security?
We need a patch for both apache and mod_authnz_pam. For apache, make it able to run as 'root' just like sshd. For mod_authnz_pam, add setuid() if not 'root'.
Technically, for Apache HTTP Server to stop rejecting User root, recompile it with -DBIG_SECURITY_HOLE added to CFLAGS, per https://github.com/apache/httpd/blob/trunk/modules/arch/unix/mod_unixd.c#L236-L248. But the check and the name of that flag are there for a reason.
I am not adding setuid() to mod_authnz_pam because the permissions needed to serve a specific directory or file have nothing to do with authentication happening via PAM; that is a general issue, as I tried to explain above.
Maybe we could launch a new daemon project for webdav. But for now we could try it based on httpd/apache.
0001-httpd-allow-root.patch 0001-mod_authnz_pam-setuid.patch
pam_modutil_getpwnam() causes 100% CPU, any help?
http.conf for webdav and mod_authnz_pam:

    Alias /webdav "/mnt/test"
    <Location /webdav>
        Options +Indexes
        Dav on
        AuthName "Login"
        AuthType Basic
        AuthBasicProvider PAM
        AuthPAMService sshd
        Require valid-user
    </Location>
When I replace 'pam_modutil_getpwnam()' with 'getpwnam()', it seems to work. But we need a better solution to support the session feature?
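For readers following the pam_modutil_getpwnam() vs. getpwnam() question above: getpwnam() hands back a pointer into static storage, which is not safe inside a threaded httpd MPM, while the reentrant getpwnam_r() needs a caller-supplied buffer and reports ERANGE when it is too small. The following is an added example written for this thread, not code from mod_authnz_pam or from Linux-PAM; it shows the bounded ERANGE retry loop a practitioner would use for a thread-safe account lookup, with the buffer cap PWD_BUF_MAX and the helper names lookup_user() and uid_of() being my own choices.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Upper bound on the scratch buffer: stops the ERANGE retry loop from
 * growing without limit if an NSS backend keeps asking for more.
 * Constructed value for this example. */
#define PWD_BUF_MAX (1024 * 1024)

/*
 * Thread-safe account lookup. getpwnam_r() writes the string fields of the
 * passwd entry into buf; when buf is too small it returns ERANGE and we
 * retry with a larger buffer, doubling until PWD_BUF_MAX.
 *
 * Returns 0 on success (out is filled and *out_buf holds the storage the
 * caller must free()), ENOENT if the user does not exist, or another errno
 * value on failure.
 */
int lookup_user(const char *name, struct passwd *out, char **out_buf)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = (hint > 0) ? (size_t)hint : 1024;
    char *buf = NULL;

    *out_buf = NULL;
    for (;;) {
        struct passwd *result = NULL;
        char *nbuf = realloc(buf, len);
        int rc;

        if (nbuf == NULL) {
            free(buf);
            return ENOMEM;
        }
        buf = nbuf;

        rc = getpwnam_r(name, out, buf, len, &result);
        if (rc == 0) {
            if (result == NULL) {      /* lookup succeeded, user not found */
                free(buf);
                return ENOENT;
            }
            *out_buf = buf;            /* out->pw_* fields point into buf */
            return 0;
        }
        if (rc != ERANGE || len >= PWD_BUF_MAX) {
            free(buf);
            return rc;                 /* real NSS error, or cap reached */
        }
        len *= 2;                      /* buffer too small: grow and retry */
    }
}

/* Convenience wrapper: uid of a named user, or -1 if the lookup fails. */
long uid_of(const char *name)
{
    struct passwd pw;
    char *buf;
    long uid;

    if (lookup_user(name, &pw, &buf) != 0)
        return -1;
    uid = (long)pw.pw_uid;
    free(buf);
    return uid;
}

int main(void)
{
    /* "nosuchuser-constructed" is a made-up name that should not exist. */
    printf("root -> uid %ld\n", uid_of("root"));
    printf("nosuchuser-constructed -> %ld\n", uid_of("nosuchuser-constructed"));
    return 0;
}
```

The cap matters as much as the retry: a loop that only checks for ERANGE and keeps doubling has no exit if the backend never stops returning ERANGE, which is the kind of spin that shows up as a pegged CPU. Whether that is what happened in this thread is not established here; the example only shows the defensive shape of the loop.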
Hi,
An option to setuid() after PAM succeeds?
There are 2 cases to use mod_authnz_pam: 1) we use it for authn only; we can run httpd with the apache account. We need some help from #12.
2) we use it for authz too, such as when creating a new file with webdav? We need to run httpd with the root account.
Best regards