
Unix Authentication

by nick (Sexton)
on Apr 11, 2001 at 02:09 UTC ( #71516=perlquestion )

nick has asked for the wisdom of the Perl Monks concerning the following question:

I am working on a web-based program that will have user accounts etc. One of the options we'd like is to be able to use existing unix accounts. I have a few questions regarding this.
1. What module should I use for this? (Is there one?) Could someone provide an example for basic account authentication and user adding etc.
2. If at all possible I do not want this script running with root permissions at all. Is this possible?
All help is appreciated.

Replies are listed 'Best First'.
Re: Unix Authentication
by lhoward (Vicar) on Apr 11, 2001 at 02:19 UTC
    If you're using Apache as your webserver, I suggest you check out the Apache::AuthenPasswd module. There are many other Apache:: modules for authenticating against lots of other types of sources: SQL, LDAP, NIS, etc...
      I'd much rather leave out dependency on the webserver being used. Although 90% of the people will be using apache, we don't want to risk excluding others.
Re: Unix Authentication
by astanley (Beadle) on Apr 11, 2001 at 03:07 UTC
    Two ideas for you. First - you could whip something together to take all the existing user:pass hashes in the /etc/passwd or /etc/shadow (wherever your distro puts them) and drop them into a passwd file. Perl and login both use the same crypt scheme to develop those encrypted passwords so verification from there is easy. However this isn't such a hot solution as it requires your web browser having permission to read the passwd file - which means it's similar to posting your /etc/passwd onto the web (or could be similar to...someone would have to find it first). My second idea is to whip together a really quick, really small, suidroot script (I know bad idea - but it's small so it's easy to make secure and it's not going to do anything except read the passwd/shadow file and spit back a 1 or a 0). As I said that script can take input on the command line (the l/p of the user) and can then use that to match against the l/p stored in the existing user account DB (passwd/shadow). Have it return 0 for a failure, 1 for a pass. Call it from your script with backticks and assign the stdout to a variable. Check the variable for a 1 or a 0 and you've got your answer. Without root permissions on the script there are only so many ways out...

    -Adam Stanley
    Nethosters, Inc.
      This was something that first occurred to me, however the problem is that, after authentication, the web-script will need to actually 'take on' that user's UID/GID etc. and write files in their home directory etc.
      This could be that the entire script has to be run as suidroot, or maybe there is a way around it. I'm not sure (that's why I ask).
      Any other suggestions?
            \___ _
      ______/     \  \---\__________
                  /                 \---\
                  |     - Nick...       /
                  \_____         __/---/
        To change UIDs and GIDs, you'll need root perms. You'll also need them for the password checking initially, at least long enough to read the shadow (or perhaps passwd) file. There's really no way of getting around it.

        The object, however, is to do as little as possible as root, and switch immediately to the new UID/EUID GID/EGID combination.

        Changing them is simple to do in Perl (set $<, $>, $(, $) for UID, EUID, GID, and EGID, respectively), so you'll never have to run the entire script as root. Just take care of what you need to do as root early and carefully, and switch as soon as you can.

        If you need to run the script as the user who owns it, you will need to have something running as root. You could have a setuid script or you can use the suEXEC features of apache.
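
Added example, not code from any poster in this thread: one way to do the two root-only steps discussed above, checking a password against a crypt(3) hash and then giving up root for good. It uses POSIX::setgid and POSIX::setuid, which as root change the real, effective and saved IDs in one call, in place of assigning the special variables, and then verifies that root cannot be regained. The password, salt and the function names `check_password` and `drop_privileges` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Compare a candidate password with a stored crypt(3) hash.
sub check_password {
    my ($plain, $stored) = @_;
    # Locked or placeholder entries ("*", "!", "x", "") never match.
    return 0 unless defined $stored && length($stored) >= 13;
    my $got = crypt($plain, $stored);      # the stored hash doubles as the salt
    return 0 unless defined $got && length($got) == length($stored);
    my $diff = 0;                          # compare every byte, no early exit
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

# Permanently become $uid/$gid. Must be called while still root.
sub drop_privileges {
    my ($uid, $gid) = @_;
    die "refusing to stay root\n" if $uid == 0 || $gid == 0;
    $) = "$gid $gid";                      # effective GID; supplementary groups reset to $gid only
    POSIX::setgid($gid) or die "setgid: $!\n";   # groups first, while root can still change them
    POSIX::setuid($uid) or die "setuid: $!\n";   # real, effective and saved UID together
    # Verify instead of trusting the calls: every group ID must be $gid,
    # both UIDs must be $uid, and asking for root again must fail.
    die "group drop failed\n" if grep { $_ != $gid } split ' ', "$( $)";
    die "uid drop failed\n" unless $< == $uid && $> == $uid;
    die "root can still be regained\n" if POSIX::setuid(0);
    return 1;
}

# Demo with a constructed hash. In the real flow the hash would be read
# as root, e.g. from (getpwnam($user))[1] on systems where that returns it.
my $stored = crypt('correct horse', '$6$constructedsalt$');
print "good password: ", check_password('correct horse', $stored), "\n";
print "bad password:  ", check_password('wrong', $stored), "\n";

if ($> == 0 && @ARGV) {                    # only when run as root with a user name
    my ($uid, $gid) = (getpwnam($ARGV[0]))[2, 3];
    die "no such user\n" unless defined $uid;
    drop_privileges($uid, $gid);
    printf "now uid=%d euid=%d gids=%s\n", $<, $>, $);
}
```

Run without arguments it only exercises the password check; run as root with an account name it also performs and verifies the drop.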

