[Bug 562146] Re: Integrate nagios users with system ones

Alexander Wirt formorer at debian.org
Fri Apr 23 11:57:12 BST 2010


Speaking with my nagios3-maintainer-in-Debian hat on:

> Why www-data would have to read shadow file?
> What about using pam modules?
Even libpam needs access to the password hashes. Just by using libpam you don't magically get access to them.
Citing from libapache2-mod-auth-pam package:
  To use with standard Debian configuration you have to add "www-data" user to
  "shadow" group. Be careful! It means it can be readable by anyone who can run
  its own CGI script!

> With that - authentication could use not only local user database, but also ldap, or either mechanism...
The bug is talking about default setups, and giving www-data access to shadow is really the stuff of nightmares.

So speaking for Debian, this will never happen. And if Ubuntu adds this
by default they are creating a big security problem. In times of
rainbow tables, password hashes are not really secure.

And looking at the Nagios sources is stupid. Using apache auth is the most
flexible way Nagios can go and I doubt that any of the Nagios devs will
change this for Nagios-Core.

-- 
Integrate nagios users with system ones
https://bugs.launchpad.net/bugs/562146
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nagios3 in ubuntu.
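
A check for the condition the message warns about, as an added example that is not part of the original message or of any package it mentions: it reports whether a web-server account belongs to the `shadow` group, either as a listed member or through its primary gid. The function names, the sample account lines and the gid values are constructed for illustration, and the check assumes the shadow file is group-readable by `shadow`, as the quoted package note implies.

```shell
#!/bin/sh
# Added example: does a web-server account gain read access to the shadow
# file through group membership? File paths are parameters so the check can
# also be run against copies of /etc/passwd and /etc/group.

# gid_of_group GROUP GROUP_FILE -> prints the numeric gid, empty if absent
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# in_group USER GROUP PASSWD_FILE GROUP_FILE
# Succeeds if USER is a listed (supplementary) member of GROUP, or if GROUP
# is USER's primary group, which never appears in the member list.
in_group() {
    user=$1 group=$2 passwd_file=$3 group_file=$4
    gid=$(gid_of_group "$group" "$group_file")
    [ -n "$gid" ] || return 1
    # Supplementary membership: field 4 is a comma-separated member list.
    if awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$group_file"; then
        return 0
    fi
    # Primary membership: field 4 of the passwd entry is the primary gid.
    awk -F: -v u="$user" -v gid="$gid" '
        $1 == u && $4 == gid { found = 1 }
        END { exit !found }' "$passwd_file"
}

# shadow_exposure USER [PASSWD_FILE] [GROUP_FILE] -> prints "exposed" or "ok"
shadow_exposure() {
    if in_group "$1" shadow "${2:-/etc/passwd}" "${3:-/etc/group}"; then
        echo exposed
    else
        echo ok
    fi
}

# Constructed sample data: a default layout, then www-data added to shadow.
demo() {
    d=$(mktemp -d)
    printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' > "$d/passwd"
    printf 'shadow:x:42:\nwww-data:x:33:\n' > "$d/group"
    echo "default layout: $(shadow_exposure www-data "$d/passwd" "$d/group")"
    printf 'shadow:x:42:www-data\nwww-data:x:33:\n' > "$d/group"
    echo "www-data in shadow: $(shadow_exposure www-data "$d/passwd" "$d/group")"
    rm -rf "$d"
}
demo
```

Called as `shadow_exposure www-data` with no file arguments, it reads the live `/etc/passwd` and `/etc/group`.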


