Debian Bug report logs - #503184
RFP: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Bruno De Fraine <bruno@defraine.net>

Date: Thu, 23 Oct 2008 10:00:02 UTC

Severity: wishlist

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#503184; Package wnpp. (Thu, 23 Oct 2008 10:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bruno De Fraine <bruno@defraine.net>:
New Bug report received and forwarded. Copy sent to <wnpp@debian.org>. (Thu, 23 Oct 2008 10:00:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bruno De Fraine <bruno@defraine.net>
To: submit@bugs.debian.org
Subject: O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow
Date: Thu, 23 Oct 2008 11:33:03 +0200
Package: wnpp
Severity: normal

mod_auth_shadow is an Apache module which authenticates against the / 
etc/shadow file. You may use this module with a mode 400 root:root / 
etc/shadow file, while your web daemons are running under a non- 
privileged user. The module includes a separate binary to perform the  
password validation, which you are intended to install with setuid/ 
setgid privileges.

http://mod-auth-shadow.sourceforge.net/

License: GPL

BACKGROUND:

According to the only Debian reference I can found about this package:

  http://packages.qa.debian.org/liba/libapache2-mod-auth-shadow.html

this software was packaged and maintained by Jorge Salamero Sanz. He  
requested the package to be removed by opening bug #489862, in which  
he stated:

> libapache2-mod-auth-pam is able to behave like mod-auth-shadow even in
> an smarter way using PAM and i barely use this package now.


To my understanding, this is not correct. According to bug report  
#246222, libapache2-mod-auth-pam is useless for shadow authentication  
without adding user "www-data" to group "shadow", and libapache2-mod- 
auth-shadow specifically addressed that fundamental problem with a  
setgid binary to perform the validation.

This is immediately apparent from the original description of the  
package and its predecessor libapache-mod-auth-shadow:

> Description: Apache2 module for authentication using shadow
>  When performing this task one encounters one fundamental  
> difficulty: the
>  /etc/shadow file is supposed to be read/writable only by root.  
> However,
>  the webserver is supposed to run under a non-root user, such as www- 
> data.
>  .
>  mod_auth_shadow addresses this difficulty by opening a pipe to an  
> SGID shadow
>  program validate, which does the actual validation. When there is a  
> failure
>  validate writes an error message to the system log, and waits three  
> seconds
>  before exiting. The validate program uses getspnam() so supports  
> shadow
>  files and NIS.

I therefore believe the original maintainer should have orphaned this  
package, instead of removing it. His sources can be retrieved from the  
Ubuntu repositories:

  http://packages.ubuntu.com/source/hardy/libapache2-mod-auth-shadow

(And perhaps from Debian archives as well.) Package version 2.1-2  
builds fine on my i386 Debian etch system and produces a working  
installation. Since there is already a working package, I am not  
submitting this as a "Request For Package".

Best regards,
Bruno De Fraine





Reply sent to Christoph Berg <myon@debian.org>:
You have taken responsibility. (Fri, 31 Oct 2008 23:00:03 GMT) Full text and rfc822 format available.

Notification sent to Bruno De Fraine <bruno@defraine.net>:
Bug acknowledged by developer. (Fri, 31 Oct 2008 23:00:03 GMT) Full text and rfc822 format available.

Message #10 received at 503184-done@bugs.debian.org (full text, mbox):

From: Christoph Berg <myon@debian.org>
To: 503184-done@bugs.debian.org
Subject: Re: Bug#503184: O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow
Date: Fri, 31 Oct 2008 23:59:10 +0100
[Message part 1 (text/plain, inline)]
libapache2-mod-auth-shadow was removed in July, see #489862.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Bruno De Fraine <bruno@defraine.net> to control@bugs.debian.org. (Sat, 01 Nov 2008 10:42:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#503184; Package wnpp. (Sat, 01 Nov 2008 11:06:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bruno De Fraine <bruno@defraine.net>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. (Sat, 01 Nov 2008 11:06:06 GMT) Full text and rfc822 format available.

Message #17 received at 503184@bugs.debian.org (full text, mbox):

From: Bruno De Fraine <bruno@defraine.net>
To: 503184@bugs.debian.org
Subject: Re: Bug#503184 closed by Christoph Berg <myon@debian.org> (Re: Bug#503184: O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow)
Date: Sat, 1 Nov 2008 11:53:11 +0100
As explained in my message, I am aware that the original maintainer  
removed this package with bug #489862, but I disagree with that  
decision: mod_auth_shadow provided functionality for which there is  
currently no good alternative in Debian. I think he should have  
orphaned his package instead.




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#503184; Package wnpp. (Sat, 01 Nov 2008 11:36:03 GMT) Full text and rfc822 format available.

Message #20 received at 503184@bugs.debian.org (full text, mbox):

From: Christoph Berg <myon@debian.org>
To: Bruno De Fraine <bruno@defraine.net>
Cc: control@bugs.debian.org, 503184@bugs.debian.org
Subject: Re: Bug#503184 closed by Christoph Berg <myon@debian.org> (Re: Bug#503184: O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow)
Date: Sat, 1 Nov 2008 12:34:44 +0100
[Message part 1 (text/plain, inline)]
retitle 503184 RFP: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow
thanks

Re: Bruno De Fraine 2008-11-01 <B6F4BACD-475F-48DE-8CA7-23913A1373BB@defraine.net>
> reopen 503184
> thanks
>
> As explained in my message, I am aware that the original maintainer  
> removed this package with bug #489862, but I disagree with that  
> decision: mod_auth_shadow provided functionality for which there is  
> currently no good alternative in Debian. I think he should have orphaned 
> his package instead.

Ok, but the bug title is/was still wrong.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to `RFP: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow' from `O: libapache2-mod-auth-shadow -- Apache2 module for authentication using shadow'. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org. (Sat, 01 Nov 2008 11:36:04 GMT) Full text and rfc822 format available.

Severity set to `wishlist' from `normal' Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Thu, 20 Nov 2008 22:06:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#503184; Package wnpp. (Fri, 15 May 2009 14:27:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bruno De Fraine <bruno@defraine.net>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. (Fri, 15 May 2009 14:27:11 GMT) Full text and rfc822 format available.

Message #29 received at 503184@bugs.debian.org (full text, mbox):

From: Bruno De Fraine <bruno@defraine.net>
To: Devrim Yasar <devrim@payms.com>
Cc: 503184@bugs.debian.org
Subject: Re: libapache2-mod-auth-shadow
Date: Fri, 15 May 2009 16:18:00 +0200
Hello Devrim,

You should be able to compile the package yourself with the following  
commands:

# Download sources from the Ubuntu archive
wget "http://archive.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-auth-shadow/libapache2-mod-auth-shadow_2.1.orig.tar.gz 
"
wget "http://archive.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-auth-shadow/libapache2-mod-auth-shadow_2.1-2.diff.gz 
"

# Unpack the sources
tar -zxvf libapache2-mod-auth-shadow_2.1.orig.tar.gz
zcat libapache2-mod-auth-shadow_2.1-2.diff.gz | patch -p0

# Install all the build dependencies
sudo apt-get install dpkg-dev debhelper devscripts fakeroot
sudo apt-get install dpatch apache2-threaded-dev

# Step into the directory and build
cd libapache2-mod-auth-shadow-2.1/
debuild -us -uc
cd ..

# Install the package
sudo dpkg -i libapache2-mod-auth-shadow_2.1-2_i386.deb


Best regards,
Bruno


On 15 May 2009, at 14:46, Devrim Yasar wrote:

> Hi Bruno,
>
> I saw your posts on debian forum, and i need this module to create  
> digest authorization on apache. And this module is still not  
> available. How could you solve your problem?
>
> Thanks,
> Devrim
>
> retitle 503184 RFP: libapache2-mod-auth-shadow -- Apache2 module for  
> authentication using shadow
> thanks
>
> Re: Bruno De Fraine 2008-11-01 <B6F4BACD-475F-48DE-8CA7-23913A1373BB@defraine.net 
> >
> > reopen 503184
> > thanks
> >
> > As explained in my message, I am aware that the original maintainer
> > removed this package with bug #489862, but I disagree with that
> > decision: mod_auth_shadow provided functionality for which there is
> > currently no good alternative in Debian. I think he should have  
> orphaned
> > his package instead.
>
> Ok, but the bug title is/was still wrong.
>
> Christoph
> -- 
> cb@df7cb.de | http://www.df7cb.de/
>
>





Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#503184; Package wnpp. (Wed, 17 Feb 2010 01:00:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Arcady Genkin" <agenkin@cdf.toronto.edu>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 17 Feb 2010 01:00:10 GMT) Full text and rfc822 format available.

Message #34 received at 503184@bugs.debian.org (full text, mbox):

From: "Arcady Genkin" <agenkin@cdf.toronto.edu>
To: 503184@bugs.debian.org
Subject: Please include libapache2-mod-auth-shadow as a Debian package
Date: 16 Feb 2010 19:52:45 -0500
Here is another wish for inclusion of mod_auth_shadow as a Debian
package.  It is not too hard to compile it ourselves, but it would be
super nice to have it maintained by Debian.
-- 
Arcady Genkin




Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:33:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.