Using getpwnam() with CGI

Discussion in 'Perl Misc' started by Jason Williard, Apr 23, 2005.

  1. I am trying to create a script to install spam filters on a per user
    basis. The script will have a web UI where the user should be able to
    login and enable or disable the filters. My original script, which was
    a command-line perl script, used User::pwent getpwnam() to get the
    user's encrypted password from the shadow file and compare it with the
    encrypted password that the user submitted. This worked perfectly.
    Unfortunately, when I run it from a command line, the passwd object
    passed by getpwnam() is always 'x' which it is grabbing from the passwd
    file. Does anyone know how I can fix this?

    Here are the important parts of the code:

    #!/usr/bin/suidperl -U
    $current_id = $<; #get the current user id
    my($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell) =
        getpwnam("root"); #get user nobody's details
    $< = $uid;

    use User::pwent;
    use CGI qw(:standard);
    use CGI::Carp qw(fatalsToBrowser);

    sub authUser {
        # set sub variables
        my($username,$userpass,$password) = @_;
        # hash the submitted password with the stored hash as salt and compare
        if ( crypt($password,$userpass) eq $userpass ) {
            return 1;
        } else {
            return 0;
        }
    }

    ....

    # Set UserInfo
    my $user = getpwnam($mailbox);
    my $username = $user->name;
    my $userpass = $user->passwd;
    my $userdir = $user->dir;
    my $useruid = $user->uid;
    my $usergid = $user->gid;


    ---
    Thanks,
    Jason Williard
    Jason Williard, Apr 23, 2005
    #1

  2. Jason Williard

    Vorxion Guest

    In article <>, Jason Williard wrote:
    >it from a command line, the passwd object passed by getpwnam() is always
    >'x' which it is grabbing from the passwd file. Does anyone know how I can
    >fix this?


    Running it as root is your only option. http://cgiwrap.unixtools.org/
    Be sure you know what you're doing.

    --
    Vorxion - Founder of the knocking-shop of the mind.

    "You have it, you sell it, you've still got it--what's the difference?"
    --Diana Trent, "Waiting for God", on why a modelling agency is really a
    knocking-shop. Applied by me to the field of consulting. :)

    The Sci-Fi fan's solution to debt: Reverse the polarity on your charge card.
    Vorxion, Apr 24, 2005
    #2

  3. On Sat, 22 Apr 2005, Jason Williard wrote (reflowed to usenet
    conventions):

    > I am trying to create a script to install spam filters on a per user
    > basis. The script will have a web UI where the user should be able
    > to login and enable or disable the filters. My original script,
    > which was a command-line perl script, used User::pwent getpwnam() to
    > get the user's encrypted password from the shadow file and compare
    > it with the encrypted password that the user submitted.


    This has nothing specific to do with the Perl language, but... Keeping
    crypted passwords in a shadow file is a valuable security measure.
    By contrast, asking users to type-in their login password to a web
    page is, in general, a dangerous practice. Let's hope you're at least
    briefing them *never* to type their password without verifying that
    they have a secure (https) channel, with verified certificate, to
    *your* server.

    > This worked perfectly. Unfortunately, when I run it from a command
    > line, the passwd object passed by getpwnam() is always 'x' which it
    > is grabbing from the passwd file. Does anyone know how I can fix
    > this?


    The whole point of shadow passwords is that they're hidden from
    unprivileged processes.

    The "clean" way to deal with this in Linux is to use the Linux-PAM
    API. Other OSes should offer equivalent mechanisms.

    Trying to program this directly yourself with root privs from a CGI
    process opens up vast security holes, IMHO. And takes away
    flexibility if you ever want to restructure your authentication
    scheme. Take a look on CPAN for a PAM authentication module.
    Alan J. Flavell, Apr 24, 2005
    #3
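
Added example, not part of the thread and not the original poster's code: a replacement for the `authUser` check that hands the login and password to PAM through the CPAN module Authen::PAM, so the script never reads the shadow hash or calls `crypt()` itself. The service name `spamfilter-web` (and its `/etc/pam.d/` file), the function name `pam_auth_user` and the username pattern are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::PAM;    # CPAN module; exports the PAM_* constants by default

# Hypothetical service name: expects a matching /etc/pam.d/spamfilter-web file.
my $PAM_SERVICE = 'spamfilter-web';

# Return 1 if PAM accepts the login and password, 0 otherwise.
sub pam_auth_user {
    my ($username, $password) = @_;

    # Assumed policy: reject empty or odd-looking input before it reaches PAM.
    return 0 unless defined $username
        && $username =~ /\A[a-z_][a-z0-9_.-]{0,31}\z/;
    return 0 unless defined $password && length $password;

    # Conversation callback: PAM passes (type, message) pairs and expects
    # (status, answer) pairs back, followed by one overall status code.
    my $conv = sub {
        my @reply;
        while (@_) {
            my ($type, $msg) = (shift, shift);
            my $answer = '';
            $answer = $username if $type == PAM_PROMPT_ECHO_ON();
            $answer = $password if $type == PAM_PROMPT_ECHO_OFF();
            push @reply, (PAM_SUCCESS(), $answer);
        }
        return (@reply, PAM_SUCCESS());
    };

    my $pamh = Authen::PAM->new($PAM_SERVICE, $username, $conv);
    return 0 unless ref $pamh;    # on failure new() returns an error code

    # Check the credentials first, then account validity (expiry, lockout).
    my $ok = $pamh->pam_authenticate() == PAM_SUCCESS()
          && $pamh->pam_acct_mgmt()    == PAM_SUCCESS();
    return $ok ? 1 : 0;
}

# Constructed usage: in the CGI both values would come from the submitted form.
# print pam_auth_user('someuser', 'secret') ? "ok\n" : "denied\n";
```

Which privileges this needs depends on the modules listed in the service file; with the stock pam_unix module an unprivileged process can generally verify only its own user's password.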