Using /etc/shadow with mod_auth_pam

The problem

The normal problem with accessing a shadow password file from Apache is that the shadow password file is not readable to everyone, so Apache can't read it.

The wrong solution

Some smart-ass suggested making the shadow password file readable for everyone so that Apache can read it again. Don't do that! The whole point of having a shadow password file is limiting access to some well-known services (root, that is), so that hackers are prevented from running a password-cracker over it. With that in mind, note that the real solution presented below somewhat weakens that protection, but it's nowhere near as unsafe as making the whole file readable to everyone (shudder).

The solution (well, sort of)

A solution for making only Apache able to read the password shadow file is chgrp'ing the shadow password file to some new group (for example "shadow-readers"), then placing this line into your httpd.conf:

    Group shadow-readers

After that, Apache (and only Apache) will be able to read your shadow password file.

Things to keep in mind

By following the above steps, you are deliberately weakening your system security, albeit only a little. Be sure to understand what you do. If in doubt, don't do it.
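
One way to check that the setup above is no looser than intended, as an added example that is not part of the original page: the function below reports a world-accessible file, a wrong owning group, or a group-writable file. It assumes GNU stat and uses the page's example group name, shadow-readers.

```shell
#!/bin/sh
# Added example: audit the permissions the chgrp approach depends on.
# Assumes GNU coreutils stat (-c), as on Linux.

audit_shadow_perms() {
    file=$1          # normally /etc/shadow
    want_group=$2    # the page's example group: shadow-readers
    rc=0

    mode=$(stat -c '%a' "$file") || return 2    # octal mode, e.g. 640
    group=$(stat -c '%G' "$file") || return 2   # owning group name
    other=$((mode % 10))                        # permission digit for "other"
    grp=$(( (mode / 10) % 10 ))                 # permission digit for "group"

    # The "wrong solution": every local account can read the hashes.
    if [ "$other" -ne 0 ]; then
        echo "FAIL: $file is accessible to everyone (mode $mode)"
        rc=1
    fi
    # Read access must go to the dedicated group only.
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $file has group '$group', expected '$want_group'"
        rc=1
    fi
    # The group needs read access, never write access.
    if [ $((grp & 2)) -ne 0 ]; then
        echo "FAIL: $file is group-writable (mode $mode)"
        rc=1
    fi
    if [ $((grp & 4)) -eq 0 ]; then
        echo "NOTE: group has no read bit (mode $mode); Apache still cannot read $file"
    fi
    # Supplementary members of the group can read the hashes just like Apache.
    if command -v getent >/dev/null 2>&1; then
        members=$(getent group "$want_group" | cut -d: -f4)
        [ -n "$members" ] && echo "NOTE: extra members of $want_group: $members"
    fi
    return "$rc"
}

# Usage: sh audit.sh /etc/shadow shadow-readers
if [ "$#" -ge 2 ]; then
    audit_shadow_perms "$1" "$2"
fi
```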