in reply to Re: Using Unix passwd/shadow to authenticate in perl
in thread Using Unix passwd/shadow to authenticate in perl

I've used this method in the past, and you don't have to deal with having read access to /etc/shadow or special permissions to run other programs that can read the shadow file.

Well, you do run another program with special permissions, and it's called 'ftpd'. Not something I recommend to solve this problem.

The Apache user can do this just fine.

On a properly configured system, there's only one user that can read /etc/shadow, and that's UID 0, aka root. Unless you change the permissions of /etc/shadow, or give the apache user UID 0 (neither of those actions is smart), it ain't going to work.

Abigail

Re: Re: Using Unix passwd/shadow to authenticate in perl
by DrHyde (Prior) on Sep 26, 2003 at 09:14 UTC
    Apache is generally started as root (it needs to be root to bind to a low port, port 80) and changes its effective UID at the earliest opportunity.
      I know that. But he didn't say "apache", he said "the apache user". When Apache is running as root, it can open /etc/shadow. But then it's running as root, not as "the apache user".

      Abigail

Re: Re: Using Unix passwd/shadow to authenticate in perl
by ronzomckelvey (Acolyte) on Sep 26, 2003 at 17:20 UTC
    I don't think you quite understand what I suggested. If you already have FTP enabled (and on 7.2 that's default) why not use it for authentication.

    Well, you do run another program with special permissions, and it's called 'ftpd'. Not something I recommend to solve this problem.

    So we should all turn off FTP on our servers?
    You're not running ftpd with some special permissions, you're actually attempting to login to ftp localhost.

    I'm not saying this is the best method, but it is a perfectly acceptable solution for the Linux world where scripts and other programs are the building blocks for you to use.

    ronzo

      I don't think you quite understand what I suggested. If you already have FTP enabled (and on 7.2 that's default) why not use it for authentication.

      Actually, I've turned off the default (wu-ftpd) FTP daemon because it had some security holes that caused me to get hax0rd by some script kiddies some time ago. I replaced it with VSFTPd which, by all accounts, is supposed to be as bullet-proof as people's passwords. Yeah, that's still a weak point, but it's better than letting anyone with a pre-configured hax0r script break in without even thinking about it.

      But since I am running *an* ftpd, I may as well use it!

      So we should all turn off FTP on our servers?
      Yes! Any smart sysadmin will turn off FTP services, especially non-anonymous FTP services.
      You're not running ftpd with some special permissions, you're actually attempting to login to ftp localhost.

      To be able to do that, you've got to have something running on the FTP port. That something, which is often called ftpd, has got to read /etc/system. To be able to do so, that something needs special (UID = 0) permissions.

      Abigail
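
The privilege point made in this sub-thread and in DrHyde's reply above (only EUID 0 can open /etc/shadow, and a daemon that starts as root drops to an unprivileged account), shown as an added Perl example that is not code from any poster: it verifies a password against the user's shadow entry while still root, then drops privileges and repeats the read so the failure is visible. The account name `nobody`, the sub names and the argument handling are assumptions; the shadow(5) field layout and crypt(3) behaviour are the system's.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: check a password against the
# user's /etc/shadow entry, then drop privileges and show the same read fails.
use strict;
use warnings;
use POSIX qw(setuid setgid);

# Look up $user in shadow(5) and compare $plain against the stored crypt(3)
# hash. Returns 1 on match, 0 on mismatch or unknown user; dies when
# /etc/shadow cannot be opened (the normal outcome for a non-root EUID).
sub check_shadow_password {
    my ($user, $plain) = @_;
    open my $fh, '<', '/etc/shadow'
        or die 'cannot open /etc/shadow as EUID ' . $> . ": $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line;     # login name, password hash
        next unless $name eq $user;
        # Empty or locked entries ("!", "*", "!!") never authenticate.
        return 0 if !defined $hash || $hash eq '' || $hash =~ /^[!*]/;
        # crypt() takes the algorithm id and salt from the stored hash itself.
        my $computed = crypt($plain, $hash);
        return (defined $computed && $computed eq $hash) ? 1 : 0;
    }
    return 0;
}

# Permanently drop to an unprivileged account: groups first, then uid.
# setuid()/setgid() from EUID 0 also reset the saved ids, unlike plain $> = ...
sub drop_privileges {
    my ($account) = @_;
    my ($uid, $gid) = (getpwnam $account)[2, 3];
    die "no such account: $account\n" unless defined $uid;
    $) = "$gid $gid";                        # egid plus supplementary groups
    setgid($gid) or die "setgid: $!\n";
    setuid($uid) or die "setuid: $!\n";
    die "privilege drop failed\n" if $< == 0 || $> == 0;
}

my ($user, $plain) = @ARGV;
die "usage: $0 USER PASSWORD\n" unless defined $plain;

my $result = check_shadow_password($user, $plain) ? 'match' : 'no match';
print 'as EUID ', $>, ": $result\n";
if ($> == 0) {
    drop_privileges('nobody');   # assumed account; use the web server's user
    my $ok = eval { check_shadow_password($user, $plain) };
    print 'as EUID ', $>, ': ', defined $ok ? "still readable\n" : $@;
}
```

Run as an ordinary user the first open already dies with "Permission denied", which is exactly why a CGI running as the apache user cannot do this check itself.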

Re: Re: Using Unix passwd/shadow to authenticate in perl
by bennomatic (Initiate) on Sep 26, 2003 at 16:56 UTC
    Good info. I guess that reconfiguring suexec so that it can act as user 0 would open up too many potential doors, wouldn't it?