su to user in a cgi script

zentara has asked for the wisdom of the Perl Monks concerning the following question:

Hi, As most of us know, when you run a cgi script, you running as wwwrun or nobody. I was wondering if it was possible to somehow take the username and password thru a form, and su to the user thru a system (su user) and expect (maybe having to fork?). I have an outline of a script, but I'm stumped as how to proceed once I get the username and password. Is it possible to do this without a setuid script or using suexec?

#!/usr/bin/perl
use CGI 'cgi';
print "Content-type: text/html\n\n";

my $cgi= new CGI;
my %input= $cgi -> Vars();
$user= $input{'user'};
$pass= $input{'password'};
$action= $input{'action'};

my $username = getpwuid $<;

if ($action eq 'Click to Send'){
print "You were $username<br>";
#
##### stumped here ##################
#

print "You are now $username<br>";

}else{
print<<EOHTML;
<form action="http://localhost/~zentara/cgi-bin/su.cgi">
You are now $username<br><br>
<b>Name: </b>
<input type="text" name="user" size=30><br>
<b>Password: </b>
<input type="password" name="password" size=30><br>
<input type="submit" name="action" value="Click to Send">
</form>
EOHTML
}
[download]

Comment on su to user in a cgi script Download Code

Replies are listed 'Best First'.
Re: su to user in a cgi script by Preceptor (Deacon) on Sep 20, 2002 at 18:47 UTC
Think carefully about what you are trying to do. There are some commands that you need elevated privilege to run, however, either a setuid binary, or just changing appropriate access permissions are usually enough. The problem is with most of these, I DO NOT consider them safe enough to run via a web interface. (plaintext password, remote access to system functions. Just say no kids.) -- It's not pessimism if there is a worse option, it's not paranoia when they are and it's not cynicism when you're right.	[reply]
Re: su to user in a cgi script by zigdon (Deacon) on Sep 20, 2002 at 17:07 UTC
What about using sudo? you can then use something like this: `if ($action eq 'Click to Send'){ exec("/path/to/sudo","-u",$user,"/path/to/predetermined/command"); }` [download] This will run the predetermined command as the supplied username. You most defenitly want to use taint here, and probably find a way to do things differently, so that you won't have to mess with the permissions at all. -- Dan	[reply] [d/l]
Re: Re: su to user in a cgi script by Silicon Cactus (Scribe) on Sep 20, 2002 at 17:21 UTC
Don't forget the scariness of passing your passwords plaintext across the wire. <shivers>	[reply]
Re: Re: Re: su to user in a cgi script by virtualsue (Vicar) on Sep 20, 2002 at 18:04 UTC
Agreed! The only way to avoid that would be to set up a elaborate sudoers file which will permit the web user nobody/wwwrun to run a set number of commands as a particular userid w/o a password. Just don't do it. It's a bad idea. If you have a particular task in mind, there is probably a different, more secure way to go about it.	[reply]