in reply to Unix Authentication

Two ideas for you. First - you could whip something together to take all the existing user:pass hashes in the /etc/passwd or /etc/shadow (wherever your distro puts them) and drop them into a passwd file. Perl and login both use the same crypt scheme to develop those encrypted passwords so verification from there is easy. However this isn't such a hot solution as it requires your web browser having permission to read the passwd file - which means it's similar to posting your /etc/passwd onto the web (or could be similar to...someone would have to find it first). My second idea is to whip together a really quick, really small, suidroot script (I know bad idea - but it's small so it's easy to make secure and it's not going to do anything except read the passwd/shadow file and spit back a 1 or a 0). As I said that script can take input on the command line (the l/p of the user) and can then use that to match against the l/p stored in the existing user account DB (passwd/shadow). Have it return 0 for a failure, 1 for a pass. Call it from your script with backticks and assign the stdout to a variable. Check the variable for a 1 or a 0 and you've got your answer. Without root permissions on the script there are only so many ways out...

-Adam Stanley
Nethosters, Inc.

Replies are listed 'Best First'.
Re: Re: Unix Authentication
by nick (Sexton) on Apr 11, 2001 at 03:16 UTC
    Well,
     
    This was something that first occured to me, however the problem is that, after authentication, the web-script will need to actually 'take on' that users UID/GID etc. and write files in their home directory etc.
     
    This could be that the entire script has to be run as suidroot, or maybe there is a way around it. I'm not sure (thats why I ask).
     
     
    Any other suggestions?
     
     
    ______
      \___ _
       __()_\__
______/     \  \---\__________
            /                 \---\
            |     - Nick...       /
            \_____         __/---/
                 \_________/
[reply]
      To change UID's and GID's, you'll need root perms. You'll also need them for the password checking initially, at least long enough to read the shadow (or perhaps passwd) file. There's really no way of getting around it.

      The object, however, is to do as little as possible as root, and switch immediately to the new UID/EUID GID/EGID combination.

      Changing them is simple to do in Perl (set $<, $>, $(, $) for UID, EUID, GID, and EGID, respectively), so you'll never have to run the entire script as root. Just take care of what you need to do as root early and carefully, and switch as soon as you can.
[reply]

      If you need to run the script as the user who owns it, you will need to have something running as root. You could have a setuid script or you can use the suEXEC features of apache.

      -ben

[reply]

In Section Seekers of Perl Wisdom