## maddy-shadow-helper

External helper binary for interaction with the shadow password database.
Unlike maddy-pam-helper, it supports only the local shadow database, but it does
not have any C dependencies.

### Installation

maddy-shadow-helper is a dangerous binary: nobody but maddy's user should be
allowed to execute it. At the same time, it needs access to read-protected
files. For this reason, installation should be done very carefully so that it
does not introduce any security holes.

#### First method

```shell
# Only the maddy user may execute the helper.
chown maddy: /usr/bin/maddy-shadow-helper
chmod u+x,g-x,o-x /usr/bin/maddy-shadow-helper
```

maddy-shadow-helper also needs access to /etc/shadow. One way to provide it is
to set the file capability CAP_DAC_READ_SEARCH:
```shell
# Run this after chown: changing ownership clears file capabilities.
setcap cap_dac_read_search+ep /usr/bin/maddy-shadow-helper
```

#### Second method

Another, less restrictive method is to make it setuid-root (this assumes you have both a maddy user and a maddy group):
```shell
# Owned by root, executable only by root and members of the maddy group.
chown root:maddy /usr/bin/maddy-shadow-helper
chmod u+xs,g+x,o-x /usr/bin/maddy-shadow-helper
```

#### Third method

The best way is to create a `shadow` group, grant it read access to
/etc/shadow, and then make maddy-shadow-helper setgid-shadow:
```shell
groupadd shadow
chown :shadow /etc/shadow
chmod g+r /etc/shadow
chown maddy:shadow /usr/bin/maddy-shadow-helper
# o-x keeps everybody else from running the setgid binary.
chmod u+x,g+xs,o-x /usr/bin/maddy-shadow-helper
```

Pick what works best for you.
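
To verify the result of any of the three methods, the following check can be run after installation. It is an added example, not part of maddy; the function names are hypothetical, and it assumes GNU `stat` and libcap's `getcap`. It treats execute permission for others as a failure for every method, following the requirement stated under Installation.

```shell
#!/bin/sh
# Added example, not part of maddy: check that an installed helper matches
# one of the three layouts in this README and is not executable by "other".

# classify_helper MODE OWNER GROUP CAPS
#   MODE is octal as printed by `stat -c %a`; CAPS is the output of `getcap`.
classify_helper() {
    m=$((0$1)); owner=$2; group=$3; caps=$4
    if [ $((m & 0001)) -ne 0 ]; then
        echo "FAIL: executable by everybody"; return 1
    fi
    if [ $((m & 0022)) -ne 0 ]; then
        echo "FAIL: writable by group or others"; return 1
    fi
    suid=$((m & 04000)); sgid=$((m & 02000))
    case "$caps" in *cap_dac_read_search*) hascap=1 ;; *) hascap=0 ;; esac

    if [ "$owner" = root ] && [ "$group" = maddy ] && [ "$suid" -ne 0 ] \
        && [ $((m & 0010)) -ne 0 ]; then
        echo "OK: second method (setuid-root)"
    elif [ "$owner" = maddy ] && [ "$group" = shadow ] && [ "$sgid" -ne 0 ] \
        && [ "$suid" -eq 0 ]; then
        echo "OK: third method (setgid-shadow)"
    elif [ "$owner" = maddy ] && [ "$hascap" -eq 1 ] \
        && [ "$suid" -eq 0 ] && [ "$sgid" -eq 0 ]; then
        echo "OK: first method (CAP_DAC_READ_SEARCH)"
    else
        echo "FAIL: matches none of the three methods"; return 1
    fi
}

# audit_helper PATH: read the fields from a real file and classify them.
audit_helper() {
    fields=$(stat -c '%a %U %G' "$1") || return 2
    set -- "$1" $fields
    classify_helper "$2" "$3" "$4" "$(getcap "$1" 2>/dev/null)"
}

# Usage: sh check-helper.sh /usr/bin/maddy-shadow-helper
if [ "$#" -gt 0 ]; then audit_helper "$1"; fi
```

A non-zero exit status means the helper should not be left in place as installed.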