Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 166542
Summary: | Review Request: mod_auth_pam: PAM authentication module for Apache | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ignacio Vazquez-Abrams <ivazqueznet> |
Component: | Package Review | Assignee: | Aurelien Bompard <gauret> |
Status: | CLOSED NEXTRELEASE | QA Contact: | David Lawrence <dkl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | avi, fedora-extras-list, lesmikesell, rdieter |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://pam.sourceforge.net/mod_auth_pam/ | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2005-09-28 17:42:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 163779 |
Description
Ignacio Vazquez-Abrams
2005-08-23 05:09:24 UTC
Looks good (very close to what I've been using). Now, pam is a dark-art and mysterious black-box to me most of the time (so my understanding and suggestion my be way off-base), but, I'd suggest replacing the sample pam.d/httpd containing: #%PAM-1.0 auth required /lib/security/pam_unix.so account required /lib/security/pam_unix.so with #%PAM-1.0 auth required pam_stack.so service=system-auth account required pam_stack.so service=system-auth so that mod_auth_pam uses whatever has been configured via system-config-auth. Worth mentioning too that the /lib/security/*.so lines won't work on x86_64 where those are in /lib64/security/ instead, so yes, fixing those lines is required. Updated. * Please use "install -p" to preserve timestamps * Change the Requires line to: Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel) as in the PHP package, it causes an error in mock. * If you want, you can use a dist tag. * Is the License tag correct ? I know you have included the full text of the license, but maybe the License tag should be "Distributable", (which is what we use when we mean "look at the LICENSE file") * please prefix the additional sources with mod_auth_pam- for those who have a common SOURCES dir (as in the default rpm setup). Updated. The requires httpd-mmn lines stills kills mock. In the file root.log: /sbin/runuser -c 'rpm -Uvh --nodeps /builddir/build/originals/mod_auth_pam-1.1.1-1.src.rpm' mockbuild mod_auth_pam warning: user ignacio does not exist - using root warning: group ignacio does not exist - using root [...] warning: group ignacio does not exist - using root ####### error: line 16: Version required: Requires: httpd-mmn = The reason is that when mock installs the srpm, httpd is not yet installed, but the spec file is parsed. You have to add some kind of "|| true" parachute to the line, as done in the php package. One option to consider is: #%PAM-1.0 auth required pam_stack.so service=system-auth account required pam_permit.so as a variation that will allow web access to anyone that can authenticate to pam even if they don't otherwise have an account set up. This can be used, for example. with smb authentication against a windows domain and will permit anyone in the domain to use web services even if they can't log into the machine services that require an account (and unlike winbindd, smb doesn't create one). (In reply to comment #6) Updated. (In reply to comment #7) I added a little note to the PAM config about this. One last thing : /usr/share/doc/mod_auth_pam-1.1.1/COPYING is set executable. Whoops. Updated. Review for release 1: * RPM name is OK * Source mod_auth_pam-2.0-1.1.1.tar.gz is the same as upstream * Builds fine in mock * rpmlint of mod_auth_pam looks OK * File list of mod_auth_pam looks OK * Works fine. Built for FC4 and devel. |