Your message dated Fri, 31 Oct 2008 23:59:10 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#503184: O: libapache2-mod-auth-shadow -- Apache2
module for authentication using shadow
has caused the Debian Bug report #503184,
regarding O: libapache2-mod-auth-shadow -- Apache2 module for authentication
using shadow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
503184: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503184
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: wnpp
Severity: normal
mod_auth_shadow is an Apache module which authenticates against the
/etc/shadow file. You may use this module with a mode 400 root:root
/etc/shadow file, while your web daemons are running under a
non-privileged user. The module includes a separate binary to perform the
password validation, which you are intended to install with setuid/setgid
privileges.
http://mod-auth-shadow.sourceforge.net/
License: GPL
BACKGROUND:
According to the only Debian reference I can find about this package:
http://packages.qa.debian.org/liba/libapache2-mod-auth-shadow.html
this software was packaged and maintained by Jorge Salamero Sanz. He
requested the package to be removed by opening bug #489862, in which
he stated:
libapache2-mod-auth-pam is able to behave like mod-auth-shadow even in
a smarter way using PAM and I barely use this package now.
To my understanding, this is not correct. According to bug report
#246222, libapache2-mod-auth-pam is useless for shadow authentication
without adding user "www-data" to group "shadow", and
libapache2-mod-auth-shadow specifically addressed that fundamental
problem with a setgid binary to perform the validation.
This is immediately apparent from the original description of the
package and its predecessor libapache-mod-auth-shadow:
Description: Apache2 module for authentication using shadow
When performing this task one encounters one fundamental difficulty: the
/etc/shadow file is supposed to be read/writable only by root. However,
the webserver is supposed to run under a non-root user, such as www-data.
.
mod_auth_shadow addresses this difficulty by opening a pipe to an SGID shadow
program validate, which does the actual validation. When there is a failure
validate writes an error message to the system log, and waits three seconds
before exiting. The validate program uses getspnam() so supports shadow
files and NIS.
I therefore believe the original maintainer should have orphaned this
package, instead of removing it. His sources can be retrieved from the
Ubuntu repositories:
http://packages.ubuntu.com/source/hardy/libapache2-mod-auth-shadow
(And perhaps from Debian archives as well.) Package version 2.1-2
builds fine on my i386 Debian etch system and produces a working
installation. Since there is already a working package, I am not
submitting this as a "Request For Package".
Best regards,
Bruno De Fraine
--- End Message ---
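
The privilege separation described in the package description above, sketched from the caller's side as an added example (not mod_auth_shadow's own code and not part of the original message). The function name check_with_helper, the line-based protocol (username, then password, each newline-terminated) and "exit status 0 means valid" are assumptions made for illustration; /bin/cat is a constructed stand-in for the SGID helper.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write the whole buffer; 0 on success, -1 on error such as EPIPE. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Hypothetical caller: returns 1 only when the helper exits with status 0.
 * Exec failure, death by signal or any other status denies access. */
int check_with_helper(const char *helper, const char *user, const char *pass) {
    int fds[2], status;
    pid_t pid, w;
    /* The assumed protocol is newline-delimited, so embedded newlines are refused. */
    if (strchr(user, '\n') || strchr(pass, '\n')) return 0;
    if (pipe(fds) != 0) return 0;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {                      /* child: becomes the helper */
        char *const argv[] = { (char *)helper, NULL };
        char *const envp[] = { NULL };   /* no inherited environment for a setgid program */
        close(fds[1]);
        if (fds[0] != STDIN_FILENO &&
            (dup2(fds[0], STDIN_FILENO) < 0 || close(fds[0]) < 0)) _exit(127);
        execve(helper, argv, envp);
        _exit(127);                      /* exec failed: fail closed */
    }
    close(fds[0]);
    /* Credentials travel over the pipe, never argv, so they stay out of the process list. */
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);  /* helper may exit before reading */
    int sent = write_all(fds[1], user, strlen(user)) == 0 && write_all(fds[1], "\n", 1) == 0
            && write_all(fds[1], pass, strlen(pass)) == 0 && write_all(fds[1], "\n", 1) == 0;
    close(fds[1]);                       /* EOF marks the end of input */
    signal(SIGPIPE, old);
    do { w = waitpid(pid, &status, 0); } while (w < 0 && errno == EINTR);
    return w == pid && sent && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    /* Constructed demo values; /bin/cat reads stdin and exits 0. */
    return check_with_helper("/bin/cat", "alice", "example-password") ? 0 : 1;
}
```

The web server process needs no read access to /etc/shadow here: only the helper, installed setgid, would call getspnam().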
--- Begin Message ---
libapache2-mod-auth-shadow was removed in July, see #489862.
Christoph
--
[EMAIL PROTECTED] | http://www.df7cb.de/
--- End Message ---