reading shadow file from etc/shadow

Posted on 2002-04-16
Last Modified: 2013-12-25
How can we read the shadow file of Linux (which has its permissions set to 600) using a CGI/Perl script (purpose: user authentication)? The server is running as 'nobody' and shows the error 'permission denied' when trying to access the shadow file, even when the script owner is root and the script is executed by root from a web browser. The same script works fine when executed from the console (in the console the uid is 0, while when executed from a web browser the uid is 99, which corresponds to 'nobody'). The web server is Apache (version 1.3.17). The script is edited and saved with the root id. Please give me a solution.
Question by:meenu_nair
LVL 15

Expert Comment

ID: 6946901
meenu nair,

What language are you developing your authentication code in; Perl, C?

Before we proceed, it is best to understand why we need to access the /etc/shadow file in the first place.  If it is for user authentication, and if you happen to be using Perl, you can use the built-in function getpwnam NAME, or getpwuid UID.

The values returned will be: ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) = getpw*

Should you still insist on reading /etc/shadow, you need to either:

1. allow read access to /etc/shadow by changing the permission to 622, which is NOT recommended (I repeat), or
2. configure the web server to execute setuid programs, which Apache, I believe, will refuse to do for uids below a certain UID.  A program with setuid 0 most likely will NOT be executed, or
3. get your web server process to run as root, and again this is a BIG security hole.

Another option is to create a synced copy of /etc/shadow, maybe /etc/shadow.txt, that can be read by the web server process.

Of all the options, I would recommend you to look for any library/internal function of the programming language you are using for getting entries from the password file.  This is much safer, and in most cases much easier to implement.

If you happen to be using Apache, and the code is Perl, take a look at the Perl modules for accessing/manipulating system passwd files.  Or use the getpw* functions.

Good luck.
LVL 51

Expert Comment

ID: 6947235
> .. even when the script owner is root and the script executed  by root from a webbrowser

There is no reason why it does not work if these conditions are true.
Please ensure that all of this applies: file owner root (doesn't matter either), process effective and real user root.
LVL 15

Expert Comment

ID: 6947297

Again... my naive assumption takes precedence here.

..I assumed that the script is edited and saved with the root id, and I presume that the user "root" is firing up the browser to open the respective web page.

The assumption is based on the common web platform on Unix, which would be Apache, and Apache to my knowledge is very "picky" about running as UID 0, or running setuid-0 scripts.

It used to happen to me, or maybe I just assume too much.

--gotta go.  Can't wait to work on my garden.

LVL 51

Expert Comment

ID: 6948152
samri, I didn't comment on your comment, which was pretty good (except for the point below).

The culprit might be Apache, which refuses setuid programs (as samri said), or the system itself, which refuses setuid scripts (like Solaris; not sure which Linux behaves this way nowadays).
LVL 15

Expert Comment

ID: 6949431

haha... it seems that we are struggling to get to work on the problem while the caller waits silently... way off in the corner..:) <-- no offense.

It is supposed to be an "Easy" 50pts question -- it turns out to be quite tricky.

Good day.

Author Comment

ID: 6949628
I'm using RedHat Linux 7.1 and Apache 1.3.17. I'm doing a webmail project in Perl 5.6.1. I need to access the Linux mbox from any computer connected to the internet through a web browser. For this purpose I have to authenticate the user by reading the /etc/shadow file of the Linux system. But the Apache web server runs the script as user "nobody" and not as "root". So I failed to read /etc/shadow through a web page. How can I solve this problem? Can I read the /etc/shadow file from the web browser using a Perl script? Is there any way to check the user by using any built-in modules of Perl? The only inputs from the web page are the user name and password. So are there any modules or functions in Perl to check if it is a valid user, other than extracting the user name and password by reading the shadow file? I have to make this validation within the Perl script.

Thanks for the suggestions... waiting for your expert replies.


Author Comment

ID: 6949820
I tried getpwent, getpwnam, etc., but they are all retrieving 'x' as the password field (i.e. it is retrieving it from /etc/passwd rather than /etc/shadow), which may not help in password comparison. Also setting the setuid bit for the script is not solving the problem... and I'm not permitted those solutions which may cause security problems. What should I do?

Dear ahoffman and samri, you are both right, but nothing seems to work... what should I do?

Sorry for waiting silently. I was just following up your suggestions meanwhile... please do help.
LVL 15

Accepted Solution

samri earned 50 total points
ID: 6949888

Following are the modules that can be used;

Once the authentication is successful, the environment variable REMOTE_USER will be assigned the authenticated user.

Another problem that will arise would be reading the mailbox file itself, since the web server is running as apache, and the mailbox can only be read by the owner, or by users in group mail.

There is a web based admin suite, Webmin, which is written in Perl, that has a module to read mbox format mailboxes.  Since it's written in Perl, and you are developing your project in Perl, we have a similarity here.  Worth checking.  The URL is:
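As an added example (not samri's code and not from the thread), the delegation described above in Perl: Apache authenticates the request itself and the CGI only maps REMOTE_USER to an account with getpwnam, so the web process never needs /etc/shadow. The httpd.conf paths, the uid threshold and the spool location are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread. Apache 1.3 does the login
# (httpd.conf fragment, paths are assumptions, not /etc/shadow):
#
#   <Location /cgi-bin/webmail.cgi>
#       AuthType Basic
#       AuthName "Webmail"
#       AuthUserFile /usr/local/apache/conf/webmail.htpasswd
#       require valid-user
#   </Location>
#
# On success Apache sets REMOTE_USER; the script trusts that and nothing else.
use strict;
use warnings;
use CGI qw(header);

# Maps the authenticated name to a mailbox path.
# Returns ($path, undef) on success or (undef, $reason) on refusal.
sub mailbox_for_remote_user {
    my ($env) = @_;
    my $user = $env->{REMOTE_USER};
    return (undef, 'not authenticated') unless defined $user && length $user;

    # Untaint (-T): accept only a conservative account-name alphabet, so the
    # name can never carry a path separator into the mailbox path below.
    return (undef, 'bad user name') unless $user =~ /^([a-z_][a-z0-9_-]{0,31})$/;
    $user = $1;

    # With shadow passwords $passwd is just 'x' here, as noted in the thread;
    # we only need the account to exist and to learn its uid.
    my ($name, $passwd, $uid) = getpwnam($user);
    return (undef, 'no such account') unless defined $name;

    # Refuse system accounts; 500 is the RedHat 7.x first-user uid (assumption).
    return (undef, 'system account') if $uid < 500;

    # RedHat mbox spool location (assumption).
    return ("/var/spool/mail/$name", undef);
}

my ($mbox, $err) = mailbox_for_remote_user(\%ENV);
print header(-type => 'text/plain');
if ($err) {
    print "Refused: $err\n";
    exit 0;
}
print "Mailbox for $ENV{REMOTE_USER}: $mbox\n";
```

Opening the mbox is still a separate problem: as the comment says, the script runs as the web server user and the spool file is readable only by its owner or group mail, so that read needs its own privilege boundary.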

