Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Perl > Perl Misc > Using getpwnam() with CGI

Reply
Thread Tools

Using getpwnam() with CGI

 
 
Jason Williard
Guest
Posts: n/a
 
      04-22-2005
I am trying to create a script to install spam filters on a per user
basis.
The script will have a web UI where the user should be able to login
and
enable or disable the filters. My original script, which was a
command-line
perl script, used User:went getpwnam() to get the user's encrypted
password from the shadow file and compare it with the encrypted
password
that the user submitted. This worked perfectly. Unfortunately, when I
run
it from a command line, the passwd object passed by getpwnam() is
always 'x'
which it is grabbing from the passwd file. Does anyone know how I can
fix
this?

Here are the important parts of the code:

#!/usr/bin/suidperl -U
$current_id = $<; #get the current user id
my($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$ dir,$shell) =
getpwnam("root"); #get user nobody's details
$< = $uid;

use User:went;
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);

sub authUser {
# set sub variables
my($username,$userpass,$password) = @_;
if ( crypt($password,$userpass) eq $userpass ) {
return 1;
} else {
return 0;
}
}

....

# Set UserInfo
my $user = getpwnam($mailbox);
my $username = $user->name;
my $userpass = $user->passwd;
my $userdir = $user->dir;
my $useruid = $user->uid;
my $usergid = $user->gid;


---
Thanks,
Jason Williard

 
Reply With Quote
 
 
 
 
Vorxion
Guest
Posts: n/a
 
      04-24-2005
In article <(E-Mail Removed) .com>, Jason
Williard wrote:
>it from a command line, the passwd object passed by getpwnam() is always
>'x' which it is grabbing from the passwd file. Does anyone know how I can
>fix this?


Running it as root is your only option. http://cgiwrap.unixtools.org/
Be sure you know what you're doing.

--
Vorxion - Founder of the knocking-shop of the mind.

"You have it, you sell it, you've still got it--what's the difference?"
--Diana Trent, "Waiting for God", on why a modelling agency is really a
knocking-shop. Applied by me to the field of consulting.

The Sci-Fi fan's solution to debt: Reverse the polarity on your charge card.
 
Reply With Quote
 
 
 
 
Alan J. Flavell
Guest
Posts: n/a
 
      04-24-2005
On Sat, 22 Apr 2005, Jason Williard wrote (reflowed to usenet
conventions):

> I am trying to create a script to install spam filters on a per user
> basis. The script will have a web UI where the user should be able
> to login and enable or disable the filters. My original script,
> which was a command-line perl script, used User:went getpwnam() to
> get the user's encrypted password from the shadow file and compare
> it with the encrypted password that the user submitted.


This has nothing specific to do with the Perl language, but... Keeping
crypted passwords in a shadow file is a valuable security measure.
By contrast, asking users to type-in their login password to a web
page is, in general, a dangerous practice. Let's hope you're at least
briefing them *never* to type their password without verifying that
they have a secure (https) channel, with verified certificate, to
*your* server.

> This worked perfectly. Unfortunately, when I run it from a command
> line, the passwd object passed by getpwnam() is always 'x' which it
> is grabbing from the passwd file. Does anyone know how I can fix
> this?


The whole point of shadow passwords is that they're hidden from
unprivileged processes.

The "clean" way to deal with this in Linux is to use the Linux-PAM
API. Other OSes should offer equivalent mechanisms.

Trying to program this directly yourself with root privs from a CGI
process opens up vast security holes, IMHO. And takes away
flexibility if you ever want to restructure your authentication
scheme. Take a look on CPAN for PAM authentication module.
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Calling another cgi program using CGI.pm dmedhora@gmail.com Perl Misc 12 08-28-2006 01:00 AM
(CGI-Target)Could not connect to CGI-Proxy John Smith Java 0 05-15-2006 09:21 PM
(Ab)using class CGI as non-CGI HTML generator? Josef 'Jupp' Schugt Ruby 3 03-06-2005 11:34 AM
Calling cgi from cgi thru 'system' function. Different behaviour on browser v/s cmd line Shailan Perl 2 12-15-2003 04:26 PM
Re: CGI Perl "use CGI" statement fail Jürgen Exner Perl 0 07-31-2003 02:00 PM



Advertisments