Bug 166542 - Review Request: mod_auth_pam: PAM authentication module for Apache
Summary: Review Request: mod_auth_pam: PAM authentication module for Apache
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Aurelien Bompard
QA Contact: David Lawrence
URL: http://pam.sourceforge.net/mod_auth_pam/
Whiteboard:
Depends On:
Blocks: FE-ACCEPT
Reported: 2005-08-23 05:09 UTC by Ignacio Vazquez-Abrams
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-28 17:42:07 UTC
Type: ---
Embargoed:


Description Ignacio Vazquez-Abrams 2005-08-23 05:09:24 UTC
Spec Name or Url: http://fedora.ivazquez.net/files/extras/mod_auth_pam.spec
SRPM Name or Url: http://fedora.ivazquez.net/files/extras/mod_auth_pam-1.1.1-1.src.rpm
Description: The PAM authentication module implements Basic authentication on top of the Pluggable Authentication Module library. Thereby it supports standard unix passwd, shadow, NIS, SMB auth and radius authentication transparently and easily interchangeable, wherever the HTTP protocol allows it.

Comment 1 Rex Dieter 2005-08-23 11:57:55 UTC
Looks good (very close to what I've been using).  
 
Now, pam is a dark-art and mysterious black-box to me most of the time (so my 
understanding and suggestion may be way off-base), but, I'd suggest replacing 
the sample pam.d/httpd containing: 
#%PAM-1.0 
auth       required     /lib/security/pam_unix.so 
account    required     /lib/security/pam_unix.so 
 
with 
#%PAM-1.0 
auth       required     pam_stack.so service=system-auth 
account    required     pam_stack.so service=system-auth 
 
so that mod_auth_pam uses whatever has been configured via system-config-auth. 

Comment 2 Matthias Saou 2005-08-23 12:04:50 UTC
Worth mentioning too that the /lib/security/*.so lines won't work on x86_64
where those are in /lib64/security/ instead, so yes, fixing those lines is required.

Comment 3 Ignacio Vazquez-Abrams 2005-08-23 16:18:11 UTC
Updated.

Comment 4 Aurelien Bompard 2005-09-02 16:58:43 UTC
* Please use "install -p" to preserve timestamps
* Change the Requires line to:
Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)
 as in the PHP package, it causes an error in mock.
* If you want, you can use a dist tag.
* Is the License tag correct? I know you have included the full text of the
license, but maybe the License tag should be "Distributable", (which is what we
use when we mean "look at the LICENSE file")
* please prefix the additional sources with mod_auth_pam- for those who have a
common SOURCES dir (as in the default rpm setup).


Comment 5 Ignacio Vazquez-Abrams 2005-09-03 21:12:58 UTC
Updated.

Comment 6 Aurelien Bompard 2005-09-04 10:02:26 UTC
The requires httpd-mmn line still kills mock. In the file root.log:
/sbin/runuser -c 'rpm -Uvh --nodeps
/builddir/build/originals/mod_auth_pam-1.1.1-1.src.rpm' mockbuild
mod_auth_pam                warning: user ignacio does not exist - using root
warning: group ignacio does not exist - using root
[...]
warning: group ignacio does not exist - using root
#######
error: line 16: Version required: Requires:       httpd-mmn =

The reason is that when mock installs the srpm, httpd is not yet installed, but
the spec file is parsed. You have to add some kind of "|| true" parachute to the
line, as done in the php package.

Comment 7 Les Mikesell 2005-09-09 16:35:43 UTC
One option to consider is:

#%PAM-1.0 
auth       required     pam_stack.so service=system-auth 
account    required     pam_permit.so

as a variation that will allow web access to anyone that can authenticate to pam
even if they don't otherwise have an account set up.   This can be used, for
example, with smb authentication against a windows domain and will permit anyone
in the domain to use web services even if they can't log into the machine
services that require an account (and unlike winbindd, smb doesn't create one).
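
A check for the points raised in comments 1, 2 and 7, as an added example that is not part of the original thread or of the mod_auth_pam package: it parses a pam.d service file and reports absolute module paths (which break on x86_64) and an account stack made up only of pam_permit.so (authentication is enforced, account checks are not). The function names, finding codes and sample strings are constructed for illustration.

```python
import re

# Constructed sample inputs: the three pam.d/httpd variants quoted in this thread.
ORIGINAL = """#%PAM-1.0
auth       required     /lib/security/pam_unix.so
account    required     /lib/security/pam_unix.so
"""
STACKED = """#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
"""
PERMIT = """#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return (type, control, module, args) tuples, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops comments, incl. #%PAM-1.0
        m = RULE.match(line) if line else None
        if m:
            rules.append((m.group(1).lstrip("-"), m.group(2),
                          m.group(3), m.group(4).split()))
    return rules

def lint_pam(text):
    """Return a sorted list of finding codes for one pam.d service file."""
    rules = parse_pam(text)
    findings = set()
    # Absolute paths pin the module to one libdir (/lib vs /lib64).
    if any(module.startswith("/") for _t, _c, module, _a in rules):
        findings.add("absolute-module-path")
    account = [module.rsplit("/", 1)[-1]
               for kind, _c, module, _a in rules if kind == "account"]
    if not account:
        findings.add("no-account-rules")
    elif all(name == "pam_permit.so" for name in account):
        # Every authenticated user passes; no expiry or lockout checks run.
        findings.add("account-checks-disabled")
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("stacked", STACKED), ("permit", PERMIT)):
        print(name, lint_pam(cfg))
```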

Comment 8 Ignacio Vazquez-Abrams 2005-09-27 12:17:41 UTC
(In reply to comment #6)

Updated.

(In reply to comment #7)

I added a little note to the PAM config about this.

Comment 9 Aurelien Bompard 2005-09-27 12:52:48 UTC
One last thing: /usr/share/doc/mod_auth_pam-1.1.1/COPYING is set executable.

Comment 10 Ignacio Vazquez-Abrams 2005-09-27 14:09:26 UTC
Whoops. Updated.

Comment 11 Aurelien Bompard 2005-09-27 14:51:41 UTC
Review for release 1:
* RPM name is OK
* Source mod_auth_pam-2.0-1.1.1.tar.gz is the same as upstream
* Builds fine in mock
* rpmlint of mod_auth_pam looks OK
* File list of mod_auth_pam looks OK
* Works fine.


Comment 12 Ignacio Vazquez-Abrams 2005-09-28 17:42:07 UTC
Built for FC4 and devel.

