If you're using Apache as your webserver,
I suggest you check out the
Apache::AuthenPasswd module.
There are many other Apache:: modules for authenticating
against lots of other types of sources: SQL, LDAP, NIS, etc...
I'd much rather leave out dependency on the webserver
being used. Although 90% of the people will be using
apache, we don't want to risk excluding others.
Two ideas for you.

First - you could whip something together to take all the existing user:pass hashes in the /etc/passwd or /etc/shadow (wherever your distro puts them) and drop them into a passwd file. Perl and login both use the same crypt scheme to develop those encrypted passwords so verification from there is easy. However this isn't such a hot solution as it requires your web browser having permission to read the passwd file - which means it's similar to posting your /etc/passwd onto the web (or could be similar to...someone would have to find it first).

My second idea is to whip together a really quick, really small, suidroot script (I know bad idea - but it's small so it's easy to make secure and it's not going to do anything except read the passwd/shadow file and spit back a 1 or a 0). As I said that script can take input on the command line (the l/p of the user) and can then use that to match against the l/p stored in the existing user account DB (passwd/shadow). Have it return 0 for a failure, 1 for a pass. Call it from your script with backticks and assign the stdout to a variable. Check the variable for a 1 or a 0 and you've got your answer. Without root permissions on the script there are only so many ways out...
-Adam Stanley
Nethosters, Inc.
Well,
This was something that first occurred to me, however the
problem is that, after authentication, the web-script will
need to actually 'take on' that user's UID/GID etc. and write
files in their home directory etc.
This could be that the entire script has to be run as
suidroot, or maybe there is a way around it. I'm not sure
(that's why I ask).
Any other suggestions?
______
\___ _
__()_\__
______/ \ \---\__________
/ \---\
| - Nick... /
\_____ __/---/
\_________/
To change UIDs and GIDs, you'll need root perms. You'll
also need them for the password checking initially, at least
long enough to read the shadow (or perhaps passwd) file. There's really
no way of getting around it.
The object, however, is to do as little as possible as root,
and switch immediately to the new UID/EUID GID/EGID combination.
Changing them is simple to do in Perl (set $<, $>, $(, $)
for UID, EUID, GID, and EGID, respectively), so you'll
never have to run the entire script as root. Just take
care of what you need to do as root early and carefully,
and switch as soon as you can.
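The "do as little as possible as root, then switch" approach from the reply above, as an added example (not code from this thread): it checks the login against the system password database while still root, then drops to the user's IDs permanently and verifies the drop. It assumes the script starts as root (for instance as the small setuid-root helper proposed earlier in the thread) and uses POSIX::setuid()/setgid() rather than bare assignment to $< and $>, because setuid(2) called with an effective UID of 0 also resets the saved UID, which the $< and $> assignments alone do not guarantee on every platform.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: authenticate a login against the
# system password database, then drop root permanently before touching the
# user's files. Assumes the script starts as root.
use strict;
use warnings;
use POSIX qw(setuid setgid);

# Returns [uid, gid, home] if $pass matches the stored hash, otherwise undef.
# On shadow-password systems getpwnam() only returns the real hash to a
# privileged process, so this must run before privileges are dropped.
sub check_password {
    my ($user, $pass) = @_;
    my ($name, $stored, $uid, $gid, undef, undef, undef, $home) = getpwnam($user)
        or return;
    # Empty, '*' or '!' entries mean "no password" or "locked": never accept them.
    return if !defined $stored || $stored eq '' || $stored =~ /^[!*]/;
    # crypt() takes the algorithm and salt from the stored hash itself.
    return crypt($pass, $stored) eq $stored ? [$uid, $gid, $home] : undef;
}

# Permanently become $uid/$gid. Order matters: groups first, while still root,
# then the UID. With an effective ID of 0, setgid(2)/setuid(2) set the real,
# effective and saved IDs together, so root cannot be regained afterwards.
sub drop_privileges {
    my ($uid, $gid) = @_;
    $) = "$gid $gid";                          # EGID plus supplementary groups = ($gid)
    setgid($gid) or die "setgid($gid): $!\n";
    setuid($uid) or die "setuid($uid): $!\n";
    # Verify the result instead of trusting it: IDs are what we asked for ...
    my $rgid = (split ' ', $()[0];
    die "privilege drop failed\n" if $< != $uid || $> != $uid || $rgid != $gid;
    # ... and an attempt to become root again must fail.
    $> = 0;
    die "root was regained after drop\n" if $> == 0 && $uid != 0;
    return 1;
}

if (!caller) {
    die "run this as root\n" if $> != 0;
    # Read "user:password" from STDIN rather than argv so the password does
    # not show up in process listings.
    my $line = <STDIN>;
    defined $line or die "usage: echo 'user:password' | $0\n";
    chomp $line;
    my ($user, $pass) = split /:/, $line, 2;
    my $who = check_password($user, $pass) or do { print "0\n"; exit 1 };
    drop_privileges($who->[0], $who->[1]);
    chdir $who->[2] or die "chdir $who->[2]: $!\n";   # from here on, only that user's rights
    print "1\n";
}
```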