  1. #1
    Join Date
    Jun 2004
    Posts
    51

    Perl, PHP, pam authentication and /etc/shadow

    [FWIW - I searched but didn't find an answer to my liking. My apologies if this is a much-asked question. This is my first post here.]

    Here's the deal:

    I'm trying to authenticate users on my hosting server so I can write custom 'members' scripts for account customization and such.

    Encrypted passwords that I can check against are stored in /etc/shadow, which is readable only by root. Doing some googling, I found a nice PHP PAM module that was designed for /etc/shadow authentication. The problem is that PHP/Apache runs as 'nobody' and not 'root', thus denying me access to /etc/shadow so I can validate users.

    Doing some more googling, I found that some users create Perl scripts chown'd and chgrp'd to root that do the actual checking, and use PHP exec() or system() calls to call the Perl scripts. I have tried that but am still unable to authenticate users.

    Finally, I thought I might create a script that temporarily chown's and chgrp's /etc/shadow to nobody so my PHP scripts could authenticate, after which I would chgrp and chown /etc/shadow back to root. That, also, doesn't appear to be working.

    So, how the hell do I do this? It seems authentication should be a simple thing to do, but I can't seem to figure it out. Help, please.

    Thanks.
    Sen

  2. #2
    Join Date
    Jul 2003
    Location
    Kuwait
    Posts
    5,099
    What you need is suexec -- which allows PHP scripts to be run as a different user.

    See http://httpd.apache.org/docs/suexec.html

    Another alternative is to use suphp
    In order to understand recursion, one must first understand recursion.
    If you feel like it, you can read my blog
    Signal > Noise

  3. #3
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100

    Re: Perl, PHP, pam authentication and /etc/shadow

    Originally posted by SeñorAmor

    Finally, I thought I might create a script that temporarily chown's and chgrp's /etc/shadow to nobody so my PHP scripts could authenticate, after which I would chgrp and chown /etc/shadow back to root. That, also, doesn't appear to be working.
    Awww, you might as well just post the root password on your web site and let customers serve themselves.

    anyway what you are looking for is a program that you can call from your php script and that will run as root and take only 2 arguments, username and encrypted password, and return 1 or 0 depending on whether there was a match found for these in /etc/shadow.

    This program could be done in any compiled language (has to be binary), and you just chmod it suid. As it will run as root you have to be very careful with the way it processes its arguments.

  4. #4
    Join Date
    Jun 2004
    Posts
    51
    Unless I misread, suexec doesn't allow scripts to run as root, which I believe I need to read the shadow file, correct?

    Also, wtf is up with my nick? vB doesn't support unicode characters?

  5. #5
    Join Date
    Aug 2002
    Location
    Hong Kong
    Posts
    417
    suexec and phpsuexec are the way to go

  6. #6
    Join Date
    Jun 2004
    Posts
    51
    Originally posted by lwknet
    suexec and phpsuexec are the way to go
    Ok, clearly I am missing something then. According to the page fyrestrtr linked to, "Presently, suEXEC does not allow 'root' to execute CGI/SSI programs."

    Would that not prevent me from reading /etc/shadow as it's readable by root only?

    Please excuse my naivety on this topic. I'm still kinda new to this.

  7. #7
    Join Date
    Aug 2002
    Location
    Hong Kong
    Posts
    417
    simply
    chown root:anygroup /etc/shadow
    chmod 0440 /etc/shadow

    then the group "anygroup" can read it without problem
    just make sure you don't
    usermod -G anygroup userbob

  8. #8
    Join Date
    Jun 2004
    Posts
    51
    Originally posted by lwknet
    simply
    chown root:anygroup /etc/shadow
    chmod 0440 /etc/shadow

    then the group "anygroup" can read it without problem
    just make sure you don't
    usermod -G anygroup userbob
    Ok, that seems to work. Now, before I keep it permanent, does making the shadow file readable by 'nobody' (the group Apache is a member of) open me to any serious risks? If so, would it be better to add Apache as a member of a randomly named group (say 'thjr09324n' or something hard-to-guess) and then make /etc/shadow readable by that group?

    Also, I have cPanel installed on my server. IIRC, when adding a new user (account/domain), cPanel resets /etc/shadow back to its default root:root. Do you think this will cause any conflicts if I am correct? By that, I mean I will most likely have to edit the cPanel config scripts and/or make my own that sets /etc/shadow back to root:whatever.

    Thanks again for all your help.

  9. #9
    Join Date
    Aug 2002
    Location
    Hong Kong
    Posts
    417
    making /etc/shadow group "root" and user "root" is a general practice, i'm not gonna discuss why it's done this way

    since apache doesn't permit any users running as either group/user root, and the actual "root" user can read any files on the system regardless
    chmod 0000 /etc/shadow
    chown userbob:groupbob /etc/shadow

    so it doesn't make sense to safely change the group or even user of /etc/shadow; the name of the user/group doesn't need to be hard-to-guess, you just make sure in /etc/group that only your designated users can be added to the group "groupbob"

    in your case i think you can make a cron in your root crontab to
    chown root:groupbob /etc/shadow

    every minute. since it's not a script, just a line of command, it doesn't consume any resources on your machine at all, or you can make a script to "chown" the file once every sec and sleep for 1 sec for 60 times, with the script executed every minute by cron, though this is not wise but it should work at the least

  10. #10
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    bah, why would you go around modifying the system when you can do something like this in a very very simple way. Here is the previous post broken into easy to follow steps.

    1. make a perl file that will take username and encrypted password and look if there is a match for that in /etc/shadow. below is the sample perl function that will do the thing. I know that this could be better done in C, but i do not know it. Make sure that you carefully parse command line arguments in this script so that you know what you are getting.

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Usage: makeauth USERNAME ENCRYPTED_PASSWORD
    # Prints 1 if the supplied hash matches the account's /etc/shadow entry, else 0.
    # Must run as root: getpwnam() only returns the real hash (not "x") with root privileges.
    sub makeauth {
        my ($user, $pass) = @_;
        my ($name, $in_pass, $uid) = getpwnam($user);
        return 0 unless defined $uid;                          # nothing found
        return (defined $in_pass && $pass eq $in_pass) ? 1 : 0;
    }

    print makeauth(@ARGV);

    2. Compile the script with perlcc and chown it suid root. That means that this script will always run as the root user no matter who called it. This is why you need to make sure that it handles its arguments well.

    3. call this script from PHP and if it returns "1" then .....
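The root-privileged helper described in post #3 and spelled out in post #10, as an added example that is not code from the thread. It is in Perl because that is what post #10 uses, and it assumes the script is installed as a hypothetical /usr/local/sbin/shadowauth and started with root privileges by a small compiled setuid wrapper or a sudoers rule (the Linux kernel ignores the setuid bit on interpreted scripts, which is consistent with post #14's point that the suid file has to be compiled). It departs from the post's interface in one way a practitioner would want: the username and password arrive on stdin and the password is checked with crypt() against the stored hash, rather than travelling as command-line arguments, since argv is visible to every local user in ps. The function names, the line-based stdin protocol and the 256-byte password bound are this example's own choices.

```perl
#!/usr/bin/perl -T
# Hypothetical helper "shadowauth" (not from the thread). Reads two lines
# from stdin, "username" then "password", and exits 0 on a match against
# the account's /etc/shadow hash, 1 otherwise. Nothing secret is printed
# or passed on the command line.
use strict;
use warnings;

# Taint mode (-T) is on via the #! line. Also scrub the environment, so a
# caller cannot steer Perl or any child through PERL5LIB, IFS, PATH, ...
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PERL5LIB PERL5OPT PERLLIB)};
$ENV{PATH} = '/usr/bin:/bin';

# Validate and untaint an untrusted username: a leading letter or underscore,
# then up to 31 letters, digits, '.', '_' or '-' (what useradd(8) accepts).
# Returns the clean name, or undef if the input is rejected.
sub clean_username {
    my ($u) = @_;
    return undef unless defined $u;
    my ($clean) = $u =~ /\A([a-z_][a-z0-9_.-]{0,31})\z/;
    return $clean;
}

# Compare a candidate password with a crypt(3)-style hash. crypt() re-hashes
# the candidate using the salt and algorithm encoded in $hash, so the helper
# never needs to know them itself. Locked/disabled entries never match.
sub check_password {
    my ($plain, $hash) = @_;
    return 0 unless defined $plain && defined $hash;
    return 0 if $hash eq '' || $hash eq 'x' || $hash =~ /\A[!*]/;
    my $got = crypt($plain, $hash);
    return (defined $got && $got eq $hash) ? 1 : 0;
}

# Fail closed unless we really are root: without it getpwnam() returns the
# placeholder "x" instead of the shadow hash and nothing could ever match.
exit 1 if $> != 0;

my $user = <STDIN>;
my $pass = <STDIN>;
exit 1 unless defined $user && defined $pass;
chomp($user, $pass);

$user = clean_username($user);
exit 1 unless defined $user;
exit 1 if length($pass) > 256;    # bound what we hand to crypt()

# As root, a shadow-aware Perl build returns the real hash in the second
# field of getpwnam(); as non-root it is "x" and check_password() fails.
my ($name, $hash) = getpwnam($user);
exit 1 unless defined $name;

exit(check_password($pass, $hash) ? 0 : 1);
```

From the PHP side, start the helper with proc_open(), write the two lines to its stdin pipe and test the exit status; do not build a shell command string from user input or hand the password to exec()/system() as an argument. This is the same shape pam_unix itself uses for non-root processes, where the password check is delegated to the setuid unix_chkpwd helper instead of making /etc/shadow readable.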

  11. #11
    Join Date
    Jun 2004
    Posts
    51
    Sasha, I did what you suggested regarding chown'ing it suid root, but it still doesn't work. When I run the file (PHP file) from the command line, it works fine, but not when I call it from the web.

  12. #12
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    can you post your perl file and ls -l perl file and PHP lines that call it ?

  13. #13
    Join Date
    Jun 2004
    Posts
    51
    Does the file I call from my PHP script have to be Perl? I don't know Perl all that well so I did it in PHP instead.

  14. #14
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    the file that will run suid has to be compiled. The only reason I talk about perl is because I do not know C, which would be the better choice. PHP cannot be compiled to binary as far as I know.
