I'm looking for a way to let my Python program handle authentication through PAM. I'm using http://code.google.com/p/web2py/source/browse/gluon/contrib/pam.py for this, which works out great as long as my Python program runs as root, which is not ideal in my opinion.
How can I make use of PAM for username/password validation without requiring root privs?
short: use a proper Python PAM implementation and set up PAM properly.
long: In a sane PAM setup, you do not need root privileges. In the end this is one of the things PAM provides: privilege separation. `pam_unix` has a way to check the password for you. It seems the PAM implementation of web2py (note, it's from some contrib subdirectory...) is not doing the right thing. Maybe your PAM setup is not correct, which is hard to tell without further information; this also depends heavily on operating system and flavour/distribution.
There are multiple PAM bindings for Python out there (unfortunately nothing in the standard library); use these instead. And for configuration, there are tons of tutorials; find the right one for your system.
old/wrong, don't do this: You do not need to be root, you only need to be able to read `/etc/shadow`. This file usually has group `shadow` with read-only access. So you simply need to add the user that is running the PAM check to the `shadow` group.
usermod -a -G shadow <user>
should do the trick.
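What "a proper PAM implementation" amounts to in practice is a thin binding to libpam's application API (`pam_start`, `pam_authenticate`, `pam_acct_mgmt`, `pam_end`) with a conversation callback that answers the module's prompts. The following is an added example written for this answer, not web2py's `gluon/contrib/pam.py` and not a published binding; it assumes Linux-PAM's calling convention for the conversation function and a placeholder service name `myapp`, which would need a matching `/etc/pam.d/myapp` stack (for instance `auth required pam_unix.so` plus an `account` line). The `PAM_DISALLOW_NULL_AUTHTOK` flag and the `pam_acct_mgmt` call are the two checks a password-validating service should not skip: the first rejects accounts with an empty password, the second rejects locked or expired accounts that would otherwise authenticate fine.

```python
"""Check a username/password against PAM from an unprivileged Python process.

Added example (not web2py's gluon/contrib/pam.py): a thin ctypes binding to
libpam's application API. The service name "myapp" is a placeholder and
needs a matching /etc/pam.d/myapp stack on the host.
"""
import ctypes
import ctypes.util
import getpass

# Constants from <security/_pam_types.h> (Linux-PAM)
PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1          # "Password:" style prompt, reply is hidden
PAM_PROMPT_ECHO_ON = 2           # "login:" style prompt, reply is echoed
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
PAM_CONV_ERR = 19                # conversation callback failed
PAM_DISALLOW_NULL_AUTHTOK = 0x1  # refuse accounts whose password is empty


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


# int conv(int num_msg, const struct pam_message **msg,
#          struct pam_response **resp, void *appdata_ptr)
CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def reply_for(msg_style, username, password):
    """Decide what to answer to one PAM prompt; None means 'no reply needed'."""
    if msg_style == PAM_PROMPT_ECHO_OFF:
        return password
    if msg_style == PAM_PROMPT_ECHO_ON:
        return username
    if msg_style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
        return None
    raise ValueError("unknown PAM message style %d" % msg_style)


def authenticate(username, password, service="myapp"):
    """Return (ok, pam_message). Empty credentials never reach libpam."""
    if not username or not password:
        return False, "empty username or password"

    pam_path = ctypes.util.find_library("pam")
    if pam_path is None:
        raise OSError("libpam not found")
    libpam = ctypes.CDLL(pam_path)
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]
    libc.free.argtypes = [ctypes.c_void_p]
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv),
                                 ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_acct_mgmt.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_strerror.restype = ctypes.c_char_p

    def conv(num_msg, msg, resp, _appdata):
        # libpam free()s the response array and every string in it, so they
        # must come from libc's heap, not from Python-owned memory.
        arr = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not arr:
            return PAM_CONV_ERR
        out = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i in range(num_msg):
            m = msg[i].contents  # Linux-PAM passes an array of pointers
            try:
                answer = reply_for(m.msg_style, username, password)
            except ValueError:
                for j in range(i):
                    libc.free(out[j].resp)
                libc.free(arr)
                return PAM_CONV_ERR
            if answer is not None:
                out[i].resp = libc.strdup(answer.encode())
            out[i].resp_retcode = 0
        resp[0] = out
        return PAM_SUCCESS

    c_conv = CONV_FUNC(conv)  # keep a reference alive until pam_end
    pam_conv = PamConv(c_conv, None)
    pamh = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), username.encode(),
                          ctypes.byref(pam_conv), ctypes.byref(pamh))
    if rc != PAM_SUCCESS:
        return False, libpam.pam_strerror(None, rc).decode()
    try:
        rc = libpam.pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK)
        if rc == PAM_SUCCESS:
            rc = libpam.pam_acct_mgmt(pamh, 0)  # locked or expired account?
        return rc == PAM_SUCCESS, libpam.pam_strerror(pamh, rc).decode()
    finally:
        libpam.pam_end(pamh, rc)


if __name__ == "__main__":
    user = input("user: ")
    print(authenticate(user, getpass.getpass("password: ")))
```

One caveat on the "no root needed" claim when the stack ends in `pam_unix.so`: on Linux-PAM, `pam_unix` copes with an unreadable `/etc/shadow` by calling the setuid helper `unix_chkpwd`, and that helper will only verify the password of the user the process itself is running as. A non-root service that must validate other users' passwords therefore still needs read access to the shadow database or a backend that does not depend on it (an LDAP or SSSD module, for example); the binding above is agnostic about which module the service file selects.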