Bug 166542 - Review Request: mod_auth_pam: PAM authentication module for Apache
Review Request: mod_auth_pam: PAM authentication module for Apache
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Aurelien Bompard
David Lawrence
http://pam.sourceforge.net/mod_auth_pam/
:
Depends On:
Blocks: FE-ACCEPT
  Show dependency treegraph
 
Reported: 2005-08-23 01:09 EDT by Ignacio Vazquez-Abrams
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-28 13:42:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Ignacio Vazquez-Abrams 2005-08-23 01:09:24 EDT
Spec Name or Url: http://fedora.ivazquez.net/files/extras/mod_auth_pam.spec
SRPM Name or Url: http://fedora.ivazquez.net/files/extras/mod_auth_pam-1.1.1-1.src.rpm
Description: The PAM authentication module implements Basic authentication on top of the Pluggable Authentication Module library. Thereby it supports standard unix passwd, shadow, NIS, SMB auth and radius authentication transparently and easily interchangeable, wherever the HTTP protocol allows it.
Comment 1 Rex Dieter 2005-08-23 07:57:55 EDT
Looks good (very close to what I've been using).  
 
Now, pam is a dark-art and mysterious black-box to me most of the time (so my 
understanding and suggestion my be way off-base), but, I'd suggest replacing 
the sample pam.d/httpd containing: 
#%PAM-1.0 
auth       required     /lib/security/pam_unix.so 
account    required     /lib/security/pam_unix.so 
 
with 
#%PAM-1.0 
auth       required     pam_stack.so service=system-auth 
account    required     pam_stack.so service=system-auth 
 
so that mod_auth_pam uses whatever has been configured via system-config-auth. 
Comment 2 Matthias Saou 2005-08-23 08:04:50 EDT
Worth mentioning too that the /lib/security/*.so lines won't work on x86_64
where those are in /lib64/security/ instead, so yes, fixing those lines is required.
Comment 3 Ignacio Vazquez-Abrams 2005-08-23 12:18:11 EDT
Updated.
Comment 4 Aurelien Bompard 2005-09-02 12:58:43 EDT
* Please use "install -p" to preserve timestamps
* Change the Requires line to:
Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)
 as in the PHP package, it causes an error in mock.
* If you want, you can use a dist tag.
* Is the License tag correct ? I know you have included the full text of the
license, but maybe the License tag should be "Distributable", (which is what we
use when we mean "look at the LICENSE file")
* please prefix the additional sources with mod_auth_pam- for those who have a
common SOURCES dir (as in the default rpm setup).
Comment 5 Ignacio Vazquez-Abrams 2005-09-03 17:12:58 EDT
Updated.
Comment 6 Aurelien Bompard 2005-09-04 06:02:26 EDT
The requires httpd-mmn lines stills kills mock. In the file root.log:
/sbin/runuser -c 'rpm -Uvh --nodeps
/builddir/build/originals/mod_auth_pam-1.1.1-1.src.rpm' mockbuild
mod_auth_pam                warning: user ignacio does not exist - using root
warning: group ignacio does not exist - using root
[...]
warning: group ignacio does not exist - using root
#######
error: line 16: Version required: Requires:       httpd-mmn =

The reason is that when mock installs the srpm, httpd is not yet installed, but
the spec file is parsed. You have to add some kind of "|| true" parachute to the
line, as done in the php package.
Comment 7 Les Mikesell 2005-09-09 12:35:43 EDT
One option to consider is:

#%PAM-1.0 
auth       required     pam_stack.so service=system-auth 
account    required     pam_permit.so

as a variation that will allow web access to anyone that can authenticate to pam
even if they don't otherwise have an account set up.   This can be used, for
example. with smb authentication against a windows domain and will permit anyone
in the domain to use web services even if they can't log into the machine
services that require an account (and unlike winbindd, smb doesn't create one).
Comment 8 Ignacio Vazquez-Abrams 2005-09-27 08:17:41 EDT
(In reply to comment #6)

Updated.

(In reply to comment #7)

I added a little note to the PAM config about this.
Comment 9 Aurelien Bompard 2005-09-27 08:52:48 EDT
One last thing : /usr/share/doc/mod_auth_pam-1.1.1/COPYING is set executable.
Comment 10 Ignacio Vazquez-Abrams 2005-09-27 10:09:26 EDT
Whoops. Updated.
Comment 11 Aurelien Bompard 2005-09-27 10:51:41 EDT
Review for release 1:
* RPM name is OK
* Source mod_auth_pam-2.0-1.1.1.tar.gz is the same as upstream
* Builds fine in mock
* rpmlint of mod_auth_pam looks OK
* File list of mod_auth_pam looks OK
* Works fine.
Comment 12 Ignacio Vazquez-Abrams 2005-09-28 13:42:07 EDT
Built for FC4 and devel.

Note You need to log in before you can comment on or make changes to this bug.