## maddy-pam-helper

An external setuid binary for interacting with the shadow password database or
other privileged objects needed to run PAM authentication.

### Building

It is easy to build with any GCC:
```
gcc pam.c main.c -lpam -o maddy-pam-helper
```

Yes, it is not a Go binary.


### Installation

maddy-pam-helper is a rather dangerous binary and should not be executable by
anyone but maddy's user. At the same time, it needs access to read-protected
files. For this reason, installation should be done very carefully so as not to
introduce any security holes.

#### First method

```shell
chown maddy: /usr/bin/maddy-pam-helper
chmod u+x,g-x,o-x /usr/bin/maddy-pam-helper
```

maddy-pam-helper also needs access to /etc/shadow. One way to provide it is to
set the file capability CAP_DAC_READ_SEARCH:
```
setcap cap_dac_read_search+ep /usr/bin/maddy-pam-helper
```

#### Second method

Another, less restrictive, way is to make it setuid-root (assuming you have both a maddy user and group):
```
chown root:maddy /usr/bin/maddy-pam-helper
chmod u+xs,g+x,o-x /usr/bin/maddy-pam-helper
```

#### Third method

The best way is to create a `shadow` group, grant it access to /etc/shadow, and
then make maddy-pam-helper setgid-shadow:
```
groupadd shadow
chown :shadow /etc/shadow
chmod g+r /etc/shadow
chown maddy:shadow /usr/bin/maddy-pam-helper
chmod u+x,g+xs /usr/bin/maddy-pam-helper
```

Pick what works best for you.

### PAM service

maddy-pam-helper uses a custom PAM service instead of pretending to be su or sudo.
Because of this, you should configure PAM to accept it.

A minimal example using the local passwd/shadow database for authentication can
be found in the [maddy.conf][maddy.conf] file.
It should be put into /etc/pam.d/maddy.
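
A check for the result of any of the three installation methods above, as an added example that is not part of the maddy project: the `audit_helper` function (a hypothetical name) reads the helper's owner, group and mode with GNU `stat` and reports anything that lets users other than maddy's run it. The group/other-write check and the assumption that the maddy group is named like the user are additions, not requirements stated in this README.

```shell
#!/bin/sh
# Added example: audit the ownership and mode of maddy-pam-helper.
# Usage: audit_helper PATH [USER]    (USER defaults to "maddy")
# Prints one line per finding; returns 0 only if nothing failed.
audit_helper() {
    path=$1 user=${2:-maddy} rc=0
    [ -f "$path" ] || { echo "FAIL: $path is not a regular file"; return 1; }

    # GNU stat: owner, group, octal mode, e.g. "maddy shadow 2710".
    set -- $(stat -c '%U %G %a' "$path")
    owner=$1 group=$2
    mode=$(printf '%04o' "0$3")        # pad to 4 digits: special,u,g,o
    special=${mode%???} perms=${mode#?}
    g=${perms#?}; g=${g%?}; o=${perms#??}

    # Nobody outside the owner and group may execute the helper.
    [ $(( o & 1 )) -eq 0 ] || { echo "FAIL: executable by others ($mode)"; rc=1; }
    # Extra hardening check (assumption, not in the README): no group/other write.
    [ $(( (g | o) & 2 )) -eq 0 ] || { echo "FAIL: group/other writable ($mode)"; rc=1; }

    if [ $(( special & 4 )) -ne 0 ]; then
        # Second method: setuid-root, executed through the maddy group.
        echo "INFO: setuid install"
        [ "$owner" = root ] || { echo "FAIL: setuid but owner is $owner"; rc=1; }
        [ "$group" = "$user" ] || { echo "FAIL: group is $group, not $user"; rc=1; }
    elif [ $(( special & 2 )) -ne 0 ]; then
        # Third method: setgid to the group that can read /etc/shadow.
        echo "INFO: setgid install, runs with group $group"
        [ "$owner" = "$user" ] || { echo "FAIL: owner is $owner, not $user"; rc=1; }
    else
        # First method: plain binary that relies on a file capability.
        echo "INFO: no setuid/setgid bit, expecting a file capability"
        [ "$owner" = "$user" ] || { echo "FAIL: owner is $owner, not $user"; rc=1; }
        [ $(( g & 1 )) -eq 0 ] || { echo "FAIL: executable by group $group"; rc=1; }
        if command -v getcap >/dev/null 2>&1; then
            getcap "$path" | grep -q cap_dac_read_search ||
                echo "WARN: cap_dac_read_search not set on $path"
        fi
    fi
    return $rc
}
```

Source the file and run `audit_helper /usr/bin/maddy-pam-helper` after installation. In a setgid install, members of the reported group can also run the helper, so keep that group's membership minimal.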