Using getpwnam() with CGI

Jason Williard

I am trying to create a script to install spam filters on a per user basis.
The script will have a web UI where the user should be able to login and
enable or disable the filters. My original script, which was a command-line
perl script, used User::pwent getpwnam() to get the user's encrypted
password from the shadow file and compare it with the encrypted password
that the user submitted. This worked perfectly. Unfortunately, when I run
it from a command line, the passwd object passed by getpwnam() is always 'x'
which it is grabbing from the passwd file. Does anyone know how I can fix
this?

Here are the important parts of the code:

#!/usr/bin/suidperl -U
use User::pwent;              # overrides getpwnam() to return a User::pwent object
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);

my $current_id = $<;          # remember the real uid the script was started with
# User::pwent's getpwnam() returns an object even in list context, so call the
# core function here to get the classic list (name, passwd, uid, gid, ...)
my($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell) =
    CORE::getpwnam("root");   # get root's details
$< = $uid;                    # become root (real uid) so the shadow entry is readable

sub authUser {
    # the stored crypt() hash carries its own salt, so re-crypt the
    # submitted password with it and compare the two hashes
    my($username,$userpass,$password) = @_;
    if ( crypt($password,$userpass) eq $userpass ) {
        return 1;
    } else {
        return 0;
    }
}

....

# Set UserInfo
my $user = getpwnam($mailbox) or die "no such user: $mailbox";
my $username = $user->name;
my $userpass = $user->passwd;
my $userdir  = $user->dir;
my $useruid  = $user->uid;
my $usergid  = $user->gid;
 
Vorxion

> it from a command line, the passwd object passed by getpwnam() is always
> 'x' which it is grabbing from the passwd file. Does anyone know how I can
> fix this?

Running it as root is your only option. http://cgiwrap.unixtools.org/
Be sure you know what you're doing.

--
Vorxion - Founder of the knocking-shop of the mind.

"You have it, you sell it, you've still got it--what's the difference?"
--Diana Trent, "Waiting for God", on why a modelling agency is really a
knocking-shop. Applied by me to the field of consulting. :)

The Sci-Fi fan's solution to debt: Reverse the polarity on your charge card.
 
Alan J. Flavell

> I am trying to create a script to install spam filters on a per user
> basis. The script will have a web UI where the user should be able
> to login and enable or disable the filters. My original script,
> which was a command-line perl script, used User::pwent getpwnam() to
> get the user's encrypted password from the shadow file and compare
> it with the encrypted password that the user submitted.

This has nothing specific to do with the Perl language, but... Keeping
crypted passwords in a shadow file is a valuable security measure.
By contrast, asking users to type in their login password to a web
page is, in general, a dangerous practice. Let's hope you're at least
briefing them *never* to type their password without verifying that
they have a secure (https) channel, with verified certificate, to
*your* server.
> This worked perfectly. Unfortunately, when I run it from a command
> line, the passwd object passed by getpwnam() is always 'x' which it
> is grabbing from the passwd file. Does anyone know how I can fix
> this?

The whole point of shadow passwords is that they're hidden from
unprivileged processes.

The "clean" way to deal with this in Linux is to use the Linux-PAM
API. Other OSes should offer equivalent mechanisms.

Trying to program this directly yourself with root privs from a CGI
process opens up vast security holes, IMHO. And takes away
flexibility if you ever want to restructure your authentication
scheme. Take a look on CPAN for a PAM authentication module.
 
