Re: authenticate via cgi-bin

++valdez

Seriously mce any solution you reach is probably going to be the least worst of a bad bunch. My thoughts were to have a local daemon running as root - and let your cgi script use some kind of IPC to talk to it. I suppose it's a pseudo system_auth proxy. This is rather more complicated than valdez's solution, but it should be said that having your cgi read the hashed passwords itself is begging to be exploited by one of many vulnerabilities that permit clients to see script source or god forbid fiddle with the file itself.

Whatever ideas you come up with, exercise caution.

I can't believe it's not psellchecked

Comment on Re: authenticate via cgi-bin

Replies are listed 'Best First'.
Re: Re: authenticate via cgi-bin by mce (Curate) on Jan 07, 2003 at 12:23 UTC
Hi, First, I cannot change the apache configuration, so I cannot play around with mod_auth. Second, why write a daemon if you already have them: ftp, telnet, rlogin, etc... . I know what I am doing. My code is quite secure and well tainted. Is there less harm in finding out passwords of Mysql, htpasswd etc, than there is of system accounts? It all depends on the setup and what you want to do. --------------------------- Dr. Mark Ceulemans Senior Consultant IT Masters, Belgium	[reply]
Re: Re: Re: authenticate via cgi-bin by submersible_toaster (Chaplain) on Jan 07, 2003 at 12:43 UTC
erm... mod_auth , don't recall mentioning it. Second, why write a daemon if you already have them: ftp, telnet, rlogin, etc... . What can I say but ,why write a cgi with authentication when there are daemons that support auth to /etc/shadow like rlogin... oh that's right this is a web application. My gist was that whilst your cgi gets called on demand by apache, you can have an entirely different and non-cgi accessible script that runs as root , hence has carte-blanche over things like getpwbyname that are simply unavailable to for instance - the apache user. I do not for a minute suggest that you don't know what you are doing. I am pleased your code is quite secure and well tainted. Is there less harm in finding out passwords of Mysql, htpasswd etc, than there is of system accounts? Obviously none are desirable, but owning a system account gives rise to far more possibilities for harming that particular system IMHO. I can't believe it's not psellchecked	[reply]