I have two questions about using Nginx's auth_pam module to allow HTTPS authorization for a particular group as per their system credentials.
I've added the following to nginx's configuration file:
Code:
location /pamtest/ {
    auth_pam "Test Zone";
    auth_pam_service_name "nginx";
    try_files $uri $uri/ =404;
}
Then in /etc/pam.d/nginx:
Code:
@include common-auth
@include common-account
@include common-password
@include common-session
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/pam.d/nginx.group.allowed
Then in the file /etc/pam.d/nginx.group.allowed, I have listed the groups allowed to log in via HTTPS. All that works, but leaves me worried:
1) The first question is if there is another way to deal with the groups. PAM does not seem to have any module that directly deals with groups and pam_listfile.so seems to be a little complicated. Is there a simpler way to have PAM authorize per system group?
2) The second question is if there is a way to avoid having the nginx user be a member of the group shadow? It seems necessary because that setup seems to use /etc/shadow. The context is that I was looking at webmin and realised that not only do I only need two of its functions but that whole circus runs as root and I won't run my scripts as root. Maybe if I have the script under FastCGI or CGI then I can use some method to launch the scripts as something other than www-data. Maybe it is easier in Apache2.
Code:
$ ps -p $(pgrep -f webmin) -o 'user,cmd'
USER CMD
root /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
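An added example, not part of the original post: a Python sketch that approximates the decision made by the pam_listfile line above (item=group, sense=allow, onerr=fail), so the accounts able to authenticate through the nginx service can be audited. The passwd, group and allow-list contents are constructed samples, and the function names are hypothetical.

```python
# Approximation of pam_listfile item=group sense=allow onerr=fail (constructed data).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:2000::/home/carol:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
shadow:x:42:www-data
webadmins:x:2000:
operators:x:2001:alice
www-data:x:33:
"""
ALLOWED = "webadmins\noperators\n"  # stands in for nginx.group.allowed

def parse_groups(group_text):
    """Return ({group: gid}, {group: set of supplementary members})."""
    gids, members = {}, {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, users = line.split(":")
        gids[name] = int(gid)
        members[name] = {u for u in users.split(",") if u}
    return gids, members

def allowed_users(passwd_text, group_text, allow_text):
    """Accounts that pass the allow-list; allow_text=None models an
    unreadable list file, which onerr=fail turns into a denial for everyone."""
    if allow_text is None:
        return set()
    gids, members = parse_groups(group_text)
    wanted = {g.strip() for g in allow_text.splitlines() if g.strip()}
    wanted &= set(gids)  # names absent from the group database match nobody
    ok = set()
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, _pw, _uid, gid = line.split(":")[:4]
        # A user matches through a supplementary membership or the primary GID.
        if any(user in members[g] or int(gid) == gids[g] for g in wanted):
            ok.add(user)
    return ok

if __name__ == "__main__":
    print(sorted(allowed_users(PASSWD, GROUP, ALLOWED)))
```

Running the same comparison against the real /etc/passwd, /etc/group and allow-list shows which accounts the listed groups actually admit, including users who belong to a listed group only through their primary GID.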