Public bug reported:

Binary package hint: pwauth

Only the www-data user is authorized to use pwauth. This prevents pwauth
from being used by any other applications.

pwauth's permissions are set at compile time in its config.h file. The
packaging patches this file to restrict access to only the www-data user
(id 33). The comment in config.h suggests another option to control
pwauth access and avoid recompilation:

  The second option is to create a special group, called something like
"pwauth" for user id's that are allowed to run pwauth.  To do this, you
should compile pwauth with the SERVER_UIDS variable UNDEFINED.  This
will disable the runtime uid check.  Then, when you install the pwauth
program, set its group ownership to the "pwauth" group, and permit it
so that only the owner and the group can run it.  Do not permit it to be
executable to others.  This has the advantage of not requiring a
recompile if you want to change the uid list.

Could the packaging use this option, create a pwauth group and add the
www-data user to this group? This will allow other daemons and
applications.

As a use case for the change, the Jenkins CI server
(http://jenkins-ci.org/) supports pwauth via a plugin
(http://wiki.jenkins-ci.org/display/JENKINS/pwauth). When installed from
the upstream .deb package, Jenkins runs as the jenkins user. This
prevents it from using pwauth because pwauth is configured to be
accessible only to the www-data user.

** Affects: pwauth (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/720686

Title:
  Only www-data can use pwauth
