When performing this task one encounters one fundamental difficulty: the /etc/shadow file is supposed to be read/writable only by root. However, the webserver is supposed to run under a non-root user, such as www-data. . mod_auth_shadow addresses this difficulty by opening a pipe to an SGID shadow program validate, which does the actual validation. When there is a failure validate writes an error message to the system log, and waits three seconds before exiting. The validate program uses getspnam() so supports shadow files and NIS.
