Security – Is giving read permission on /etc/shadow to the apache user a wise decision from a security point of view?


I have to use PAM authentication for DAV SVN, but when everything is configured as specified in the mod_auth_pam documentation, authentication does not work. After some research I realized that for this to work, httpd should be running under the root user (which I don't like and won't implement) or the apache user (under which httpd is running by default) should have permission to read the /etc/shadow file.
So there is a pair of questions connected to each other which I want to ask:

  1. Is giving this permission to the apache user a wise decision from a security point of view?
  2. If the answer to the first question is "yes", what is the correct way to do so?

For now I've done the following:

groupadd shadow
usermod -aG shadow apache     # -a appends; a bare -G would replace apache's other supplementary groups
chgrp shadow /etc/shadow      # /etc/shadow is root:root by default, so g+r alone would not reach the new group
chmod g+r /etc/shadow

Another way I can come up with is using acl:

setfacl -m u:apache:r /etc/shadow

OS is Fedora 14 x86_64 (kernel:

httpd v2.2.17

mod_auth_pam v1.1.1

Best Answer

No, you should never, ever give a publicly accessible service like Apache access to /etc/shadow.

Instead of mod_auth_pam, you could try to use mod_auth_external in conjunction with pwauth.
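As an added illustration of the approach the answer recommends (not configuration from the original post), here is an httpd 2.2 configuration for the DAV SVN location, assuming mod_authnz_external 3.x (the Apache 2.2 branch of mod_auth_external), pwauth installed at /usr/bin/pwauth, and a hypothetical repository parent path /srv/svn/repos:

```apache
# Module name and path are assumptions for Fedora 14 / httpd 2.2.
LoadModule authnz_external_module modules/mod_authnz_external.so

# Register pwauth as an external authenticator. pwauth is a small setuid-root
# helper that reads /etc/shadow itself and returns only "valid" or "invalid"
# to httpd, so the apache user never needs read access to the file.
# "pipe" passes the username and password on stdin rather than on the
# command line, where they would be visible in the process list.
DefineExternalAuth pwauth pipe /usr/bin/pwauth

<Location /svn>
    DAV svn
    SVNParentPath /srv/svn/repos

    AuthType Basic
    AuthName "Subversion repository"
    AuthBasicProvider external
    AuthExternal pwauth
    Require valid-user

    # Basic auth carries the real system password, so refuse plain HTTP here
    # (requires mod_ssl to be loaded).
    SSLRequireSSL
</Location>
```

pwauth only answers callers whose uid is in its compile-time SERVER_UIDS list, so verify that the packaged build was compiled with the apache uid before relying on it.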
