Using getpwnam() with CGI
| Jason Williard 2005-04-23, 3:57 am |
I am trying to create a script to install spam filters on a per user basis. The script will have a web UI where the user should be able to log in and enable or disable the filters. My original script, which was a command-line Perl script, used User::pwent getpwnam() to get the user's encrypted password from the shadow file and compare it with the encrypted password that the user submitted. This worked perfectly. Unfortunately, when I run it from a command line, the passwd object passed by getpwnam() is always 'x' which it is grabbing from the passwd file. Does anyone know how I can fix this?

Here are the important parts of the code:

    #!/usr/bin/suidperl -U
    $current_id = $<; #get the current user id
    my($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell) =
        getpwnam("root"); #get user nobody's details
    $< = $uid;
    use User::pwent;
    use CGI qw(:standard);
    use CGI::Carp qw(fatalsToBrowser);
    sub authUser {
        # set sub variables
        my($username,$userpass,$password) = @_;
        if ( crypt($password,$userpass) eq $userpass ) {
            return 1;
        } else {
            return 0;
        }
    }
    ....
    # Set UserInfo
    my $user = getpwnam($mailbox);
    my $username = $user->name;
    my $userpass = $user->passwd;
    my $userdir = $user->dir;
    my $useruid = $user->uid;
    my $usergid = $user->gid;

---
Thanks,
Jason Williard
| |
| Vorxion 2005-04-24, 3:56 am |
In article <1114213481.603741.138910@z14g2000cwz.googlegroups.com>, Jason Williard wrote:
>it from a command line, the passwd object passed by getpwnam() is always
>'x' which it is grabbing from the passwd file. Does anyone know how I can
>fix this?
Running it as root is your only option. http://cgiwrap.unixtools.org/
Be sure you know what you're doing.
--
Vorxion - Founder of the knocking-shop of the mind.
"You have it, you sell it, you've still got it--what's the difference?"
--Diana Trent, "Waiting for God", on why a modelling agency is really a
knocking-shop. Applied by me to the field of consulting. :)
The Sci-Fi fan's solution to debt: Reverse the polarity on your charge card.
| |
| Alan J. Flavell 2005-04-24, 8:56 am |
On Sat, 22 Apr 2005, Jason Williard wrote (reflowed to usenet conventions):
> I am trying to create a script to install spam filters on a per user
> basis. The script will have a web UI where the user should be able
> to login and enable or disable the filters. My original script,
> which was a command-line perl script, used User::pwent getpwnam() to
> get the user's encrypted password from the shadow file and compare
> it with the encrypted password that the user submitted.
This has nothing specific to do with the Perl language, but... Keeping
crypted passwords in a shadow file is a valuable security measure.
By contrast, asking users to type in their login password to a web
page is, in general, a dangerous practice. Let's hope you're at least
briefing them *never* to type their password without verifying that
they have a secure (https) channel, with verified certificate, to
*your* server.
> This worked perfectly. Unfortunately, when I run it from a command
> line, the passwd object passed by getpwnam() is always 'x' which it
> is grabbing from the passwd file. Does anyone know how I can fix
> this?
The whole point of shadow passwords is that they're hidden from
unprivileged processes.
The "clean" way to deal with this in Linux is to use the Linux-PAM
API. Other OSes should offer equivalent mechanisms.
Trying to program this directly yourself with root privs from a CGI
process opens up vast security holes, IMHO. And takes away
flexibility if you ever want to restructure your authentication
scheme. Take a look on CPAN for a PAM authentication module.
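
The PAM approach recommended above, sketched with the CPAN module Authen::PAM. This is an added example, not code from any poster in the thread; the service name `spamfilter-web`, the function name `pam_auth_user` and the account-name pattern are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::PAM;    # CPAN module; exports the PAM_* constants by default

# Assumed service name: needs a matching /etc/pam.d/spamfilter-web policy file.
my $SERVICE = 'spamfilter-web';

# Returns 1 if PAM accepts the username/password pair, 0 otherwise.
sub pam_auth_user {
    my ($username, $password) = @_;

    # Assumed account-name policy: reject anything else before it reaches PAM.
    return 0 unless defined $username && $username =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    return 0 unless defined $password && length $password;

    # Conversation callback: PAM passes (code, message) pairs and expects
    # (status, answer) pairs back, followed by one final status.
    my $conv = sub {
        my @reply;
        while (@_) {
            my $code = shift;
            my $msg  = shift;
            my $answer = '';
            $answer = $username if $code == PAM_PROMPT_ECHO_ON();
            $answer = $password if $code == PAM_PROMPT_ECHO_OFF();
            push @reply, PAM_SUCCESS(), $answer;
        }
        return (@reply, PAM_SUCCESS());
    };

    # new() returns an object on success and a numeric error code on failure.
    my $pamh = Authen::PAM->new($SERVICE, $username, $conv);
    return 0 unless ref $pamh;

    my $rc = $pamh->pam_authenticate;                     # verify the password
    $rc = $pamh->pam_acct_mgmt if $rc == PAM_SUCCESS();   # locked or expired?
    return $rc == PAM_SUCCESS() ? 1 : 0;
}

# Command-line check; a CGI would take both values from a form POSTed over HTTPS.
unless (caller) {
    my $user = shift @ARGV;
    die "usage: $0 username  (password on stdin)\n" unless defined $user;
    my $pass = <STDIN>;
    $pass = '' unless defined $pass;
    chomp $pass;
    my $verdict = pam_auth_user($user, $pass) ? 'authenticated' : 'denied';
    print "$verdict\n";
}
```

The script never reads the shadow file or calls crypt() itself; the PAM stack configured for the service decides how the password is verified. With Linux pam_unix, an unprivileged caller is served by the unix_chkpwd helper, which only verifies the calling user's own password.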