Speaking with my nagios3 maintainer in Debian hat on

> Why www-data would have to read shadow file?
> What about using pam modules?

Even libpam needs access to the password hashes. Just by using libpam you don't magically get access to them. Citing from the libapache2-mod-auth-pam package:

    To use with standard Debian configuration you have to add "www-data" user to "shadow" group. Be careful! It means it can be readable by anyone who can run its own CGI script!

> With that - authentication could use not only local user database, but also
> ldap, or either mechanism...

The bug is talking about default setups and giving www-data access to shadow is really part for nightmares. So speaking for Debian, this will never happen. And if Ubuntu adds this by default they are creating a big security problem. In times of rainbow tables password hashes are not really secure.

And looking the nagios sources is stupid. Using apache auth is the most flexible way Nagios can go and I doubt that any of the Nagios devs will change this for Nagios-Core.

-- 
Integrate nagios users with system ones
https://bugs.launchpad.net/bugs/562146
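
The exposure discussed in this message can be checked on a host by listing which accounts are in the "shadow" group. The following is an added example, not part of the original message or of any Debian or Nagios code; it assumes the Debian default of /etc/shadow being owned root:shadow with mode 0640, and the passwd/group contents, the function names and the list of service accounts are constructed for illustration.

```python
# Constructed sample data (not from a real host), in passwd(5) / group(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nagios:x:110:42:nagios:/var/lib/nagios:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
shadow:x:42:www-data
www-data:x:33:
nagios:x:115:
alice:x:1000:
"""


def shadow_group_members(passwd_text, group_text, group_name="shadow"):
    """Return {user: "supplementary" | "primary"} for accounts in group_name."""
    gid = None
    members = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or fields[0] != group_name:
            continue
        gid = fields[2]
        # Fourth field: comma-separated supplementary members.
        for user in filter(None, (u.strip() for u in fields[3].split(","))):
            members[user] = "supplementary"
    if gid is None:
        return members
    # An account whose primary GID is the shadow GID never appears in the
    # group file's member list, so it has to be found through passwd.
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[3] == gid:
            members[fields[0]] = "primary"
    return members


def audit(passwd_text, group_text, service_accounts=("www-data", "nagios")):
    """Service accounts that can read the password hashes via group membership."""
    found = shadow_group_members(passwd_text, group_text)
    return sorted(user for user in found if user in service_accounts)


if __name__ == "__main__":
    for user, how in sorted(shadow_group_members(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{user}: {how} member of shadow")
    print("service accounts in shadow:", audit(SAMPLE_PASSWD, SAMPLE_GROUP))
```

On a real system, pass the contents of /etc/passwd and /etc/group instead of the sample strings; any web or monitoring account in the result runs every CGI script with read access to the hashes.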
