
Apache + mod_auth_pam + WebDAV
I'm attempting to authenticate certain directories using Linux's PAM
facility. Ideally, we'd like to allow users to edit their
$HOME/public_html directories via WebDAV. I'm aware of the security
risks, and we've carefully considered them in light of our situation.

Anyway, I've set up an isolated test-directory and can connect to it via
cadaver, so WebDAV seems to be working. Now, I want to authenticate
users before they can edit files.

My <directory> entry looks like this:
<Directory "/var/www/mod_dav">
DAV on
Options Indexes FollowSymlinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
SetHandler auth_pam-handler
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "WebDAV Secure Area"
require valid-user
</Directory>

Whenever I attempt to authenticate a user, the logs/error_log reports:

[Tue Feb 19 10:42:05 2002] [error] (13)Permission denied: access to
/xxxxx/ failed for 127.0.0.1, reason: Critical error - immediate abort
[Tue Feb 19 10:42:05 2002] [crit] [client 127.0.0.1] configuration
error: couldn't check user. No user file?: /xxxxx/

and cadaver reports:
Could not contact server:
500 Internal Server Error

I get the same behavior with DAV disabled.

Any suggestions?

Thanks in advance!
-Luke


--
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Apache + mod_auth_pam + WebDAV
Luke Scharf wrote:
>
> I'm attempting to authenticate certain directories using Linux's PAM
> facility. Ideally, we'd like to allow users to edit their
> $HOME/public_html directories via WebDAV. I'm aware of the security
> risks, and we've carefully considered them in light of our situation.
>
> Anyway, I've set up an isolated test-directory and can connect to it via
> cadaver, so WebDAV seems to be working. Now, I want to authenticate
> users before they can edit files.
>
> My <directory> entry looks like this:
> <Directory "/var/www/mod_dav">
> DAV on
> Options Indexes FollowSymlinks MultiViews
> AllowOverride All
> Order allow,deny
> Allow from all
> SetHandler auth_pam-handler
> AuthPAM_Enabled on
> AuthPAM_FallThrough off
> AuthType Basic
> AuthName "WebDAV Secure Area"
> require valid-user
> </Directory>
>
> Whenever I attempt to authenticate a user, the logs/error_log reports:
>
> [Tue Feb 19 10:42:05 2002] [error] (13)Permission denied: access to
> /xxxxx/ failed for 127.0.0.1, reason: Critical error - immediate abort
> [Tue Feb 19 10:42:05 2002] [crit] [client 127.0.0.1] configuration
> error: couldn't check user. No user file?: /xxxxx/
>

Where is your AuthUserFile? You know, the file with all the users and
passwords?

Rgds,

Owen Boyle

Re: Apache + mod_auth_pam + WebDAV
On Wed, 20 Feb 2002 02:12, Owen Boyle wrote:
> Luke Scharf wrote:
> > [Tue Feb 19 10:42:05 2002] [error] (13)Permission denied: access to
> > /xxxxx/ failed for 127.0.0.1, reason: Critical error - immediate abort
> > [Tue Feb 19 10:42:05 2002] [crit] [client 127.0.0.1] configuration
> > error: couldn't check user. No user file?: /xxxxx/
>
> Where is your AuthUserFile? You know, the file with all the users and
> passwords?

I've never used mod_auth_pam but one possibility is that it needs to
access /etc/shadow to get at the password value so apache needs to
run with the same group GID as whatever /etc/shadow is set to.

--markc

Re: Apache + mod_auth_pam + WebDAV
On Tue, 2002-02-19 at 11:12, Owen Boyle wrote:
> Where is your AuthUserFile? You know, the file with all the users and
> passwords?

Do you need an AuthUserFile when you're authenticating against PAM? The
reason I'm using mod_auth_pam is so that it will automagically work with
our existing users.

If an AuthUserFile is used, can it use the system password? That way,
the user only needs to keep one password from going stale.

Thanks!
-Luke

--
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf


Re: Apache + mod_auth_pam + WebDAV
On Tue, 2002-02-19 at 11:58, Mark Constable wrote:
> > Where is your AuthUserFile? You know, the file with all the users and
> > passwords?
>
> I've never used mod_auth_pam but one possibility is that it needs to
> access /etc/shadow to get at the password value so apache needs to
> run with the same group GID as whatever /etc/shadow is set to.

The user accounts that we're trying to use are delivered via nisplus.
The encrypted passwords are not in /etc/shadow. PAM stacked on top of
nisplus works great for our mail transfer agent (courier), but the "500
internal server error" has me confused.

-Luke

--
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf


Re: Apache + mod_auth_pam + WebDAV
On Wed, 20 Feb 2002 03:55, Luke Scharf wrote:
> On Tue, 2002-02-19 at 11:58, Mark Constable wrote:
> > I've never used mod_auth_pam but one possibility is that it needs to
> > access /etc/shadow to get at the password value so apache needs to
> > run with the same group GID as whatever /etc/shadow is set to.
>
> The user accounts that we're trying to use are delivered via nisplus.
> The encrypted passwords are not in /etc/shadow. PAM stacked on top of
> nisplus works great for our mail transfer agent (courier), but the "500
> internal server error" has me confused.

Ah, then check the UID/GID of courier and, at least for a test, make
apache run as the same user as courier. Smells like a perms prob to me.

--markc

Re: Apache + mod_auth_pam + WebDAV
On Tue, 2002-02-19 at 13:39, Mark Constable wrote:
> On Wed, 20 Feb 2002 03:55, Luke Scharf wrote:
> > The user accounts that we're trying to use are delivered via nisplus.
> > The encrypted passwords are not in /etc/shadow. PAM stacked on top of
> > nisplus works great for our mail transfer agent (courier), but the "500
> > internal server error" has me confused.
>
> Ah, then check the UID/GID of courier and, at least for a test, make
> apache run as the same user as courier. Smells like a perms prob to me.

This has no effect. I have also tried several configurations for
/etc/pam.d/httpd - everything from permit-all to the same configuration
that works for Courier's imap server to an edited version of
/etc/pam.d/ssh. Any other suggestions?

What has to be in place in order for mod_auth_pam to do its thing?

Thanks in advance!
-Luke

--
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf


Re: Apache + mod_auth_pam + WebDAV
On Tue, 2002-02-19 at 16:03, Luke Scharf wrote:
> On Tue, 2002-02-19 at 13:39, Mark Constable wrote:
> > On Wed, 20 Feb 2002 03:55, Luke Scharf wrote:
> > > The user accounts that we're trying to use are delivered via nisplus.
> > > The encrypted passwords are not in /etc/shadow. PAM stacked on top of
> > > nisplus works great for our mail transfer agent (courier), but the "500
> > > internal server error" has me confused.
> >
> > Ah, then check the UID/GID of courier and, at least for a test, make
> > apache run as the same user as courier. Smells like a perms prob to me.
>
> This has no effect. I have also tried several configurations for
> /etc/pam.d/httpd - everything from permit-all to the same configuration
> that works for Courier's imap server to an edited version of
> /etc/pam.d/ssh. Any other suggestions?
>
> What has to be in place in order for mod_auth_pam to do its thing?

I found the problem. /etc/pam.d/httpd had permissions of 600. When I
changed permissions to 644, mod_auth_pam works like a charm!

Thank you all for the suggestions!
-Luke

--
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf


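The root cause above (a PAM service file the unprivileged httpd worker cannot read) is easy to check before restarting the server. The script below is an added example, not code from the thread or from mod_auth_pam: given a PAM service file and the account named in Apache's User directive, it decides from the file's mode and ownership whether that account can read it. It assumes GNU coreutils stat(1) and id(1).

```sh
#!/bin/sh
# Added example (not from the thread): preflight check that the PAM
# service file (e.g. /etc/pam.d/httpd) is readable by the user Apache
# runs as. Mode 600 root:root, as in the thread, fails for that user
# and surfaces only as a 500 from mod_auth_pam.

# pam_file_readable_by FILE USER -> 0 if USER can read FILE, else 1
pam_file_readable_by() {
    file=$1 user=$2
    if [ ! -f "$file" ]; then
        echo "$file: no such file (PAM has no config for this service)" >&2
        return 1
    fi
    [ "$user" = root ] && return 0          # root bypasses mode bits
    mode=$(printf '%04d' "$(stat -c '%a' "$file")")   # e.g. 0600
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    # Pick the octal digit that applies: owner, group, or other.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bits=$(printf '%s' "$mode" | cut -c3)
    else
        bits=$(printf '%s' "$mode" | cut -c4)
    fi
    if [ $((bits & 4)) -eq 0 ]; then        # 4 is the read bit
        echo "$file: mode $mode owner $owner:$group, not readable by $user" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_pam.sh /etc/pam.d/httpd apache
if [ $# -eq 2 ]; then
    if pam_file_readable_by "$1" "$2"; then
        echo "ok: $2 can read $1"
    else
        echo "FAIL: fix ownership or mode of $1 (0644 root:root is usual)"
    fi
fi
```

PAM service files hold no secrets, so the usual 0644 root:root is the right fix; granting httpd extra group membership or running it as a more privileged user, as tried earlier in the thread, widens what a compromised worker can read.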