Only www-data can use pwauth
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
pwauth (Debian) | Fix Released | Unknown | | |
pwauth (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Binary package hint: pwauth
Only the www-data user is authorized to use pwauth. This prevents pwauth from being used by any other applications.
pwauth's permissions are set at compile time in its config.h file. The packaging patches this file to restrict access to only the www-data user (id 33). The comment in config.h suggests another option to control pwauth access to avoid recompilation:
The second option is to create a special group, called something like "pwauth" for user id's that are allowed to run pwauth. To do this, you should compile pwauth with the SERVER_UIDS variable UNDEFINED. This will disable the runtime uid check. Then, when you install the pwauth program, set it's group ownership to the "pwauth" group, and permit it so that only the owner and the group can run it. Do not permit it to be executable to others. This has the advantage of not requiring a recompile if you want to change the uid list.
Could the packaging use this option, create a pwauth group and add the www-data user to this group? This will allow other daemons and applications.
As a use case for the change, the Jenkins CI server (http://
Changed in pwauth (Ubuntu):
status: New → Confirmed
Changed in pwauth (Debian):
status: Unknown → Fix Released
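The group-based option quoted from config.h in the bug description can be verified after installation. The script below is an added example, not code from pwauth or its packaging; the function names are hypothetical, the binary's path is supplied by the caller, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a pwauth binary installed with the group-based
# option (SERVER_UIDS undefined, access controlled by file permissions).

# mode_ok MODE: succeed if octal MODE lets owner and group execute
# and gives "others" no execute bit. Returns 2 on a malformed mode.
mode_ok() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;            # not an octal mode string
    esac
    m=$(( 0$1 ))                            # leading 0 = octal constant
    [ $(( m & 0100 )) -ne 0 ] || return 1   # owner may execute
    [ $(( m & 0010 )) -ne 0 ] || return 1   # group may execute
    [ $(( m & 0001 )) -eq 0 ] || return 1   # others may not execute
    return 0
}

# audit_pwauth PATH [GROUP]: check group ownership and mode of PATH.
# GROUP defaults to "pwauth", the name suggested in the config.h comment.
audit_pwauth() {
    path=$1
    want_group=${2:-pwauth}
    [ -f "$path" ] || { echo "FAIL: $path not found"; return 1; }
    group=$(stat -c %G "$path")             # GNU stat (assumption)
    mode=$(stat -c %a "$path")
    rc=0
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        rc=1
    fi
    if ! mode_ok "$mode"; then
        echo "FAIL: mode $mode must allow owner and group execute, not others"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $path group=$group mode=$mode"
    fi
    return "$rc"
}
```

Call `audit_pwauth` with the installed binary's path. With this option the list of permitted callers is the membership of the group, so `getent group pwauth` shows who can run it.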