
reading shadow file from etc/shadow

Posted on 2002-04-16
Last Modified: 2013-12-25
How can we read the shadow file of Linux (which has the permission set as 600) using a CGI/Perl script (purpose: for user authentication)? The server is running as 'nobody' and is showing the error 'permission denied' when trying to access the shadow file, even when the script owner is root and the script is executed by root from a web browser. The same script works fine when executed from the console (in the console the uid is 0, while when executed from a web browser the uid is 99, which corresponds to 'nobody'). The web server is Apache (version 1.3.17). The script is edited and saved with the root id. Please give me a solution.....
Question by:meenu_nair
10 Comments
 
LVL 15

Expert Comment

by:samri
ID: 6946901
meenu nair,

What language are you developing your authentication code in; Perl, C?

Before we proceed, it is best to understand why we need to access the /etc/shadow file in the first place.  If it is for user authentication, and if you happen to be using Perl, you can use the built-in function getpwnam NAME, or getpwuid UID.

The values returned will be: ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) = getpw*

Should you still insist on reading the /etc/shadow, you need to either:

1. allow read access to /etc/shadow, by changing permission to 622, which is NOT recommended (I repeat), or
2. configure the web server to execute setuid programs, which Apache I believe will refuse to run setuid for a uid below a certain UID.  A program with setuid 0 most likely will NOT be executed.

3. get your web server process to run as root, and again this is a BIG security hole.

Another option is to create a synced copy of /etc/shadow, maybe /etc/shadow.txt, that can be read by the web server process.

Of all the options, I would recommend you look for any library/internal function from the programming language you are using for getting entries from the password file.  This is much safer, and in most cases much easier to implement.

If you happen to be using Apache, and the code is Perl, take a look at Perl modules for accessing/manipulating system passwd files.  Or use the getpw* functions.

Good luck.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6947235
> .. even when the script owner is root and the script executed  by root from a webbrowser

There is no reason why it does not work if these conditions are true.
Please ensure that all of this applies: file owner root (doesn't matter either), process effective and real user root.
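The two checks the comments above turn on, samri's point that the getpw* functions return only the passwd(5) entry and ahoffmann's point that the real and effective UID of the process are what matter, can be seen directly from Perl. The script below is an added example, not code posted in this thread; the demo credential it hashes is constructed inline, and the password-check routine assumes a crypt(3)-style hash obtained from a file the web server user is actually permitted to read, not from /etc/shadow. Run it once from a root console and once as a CGI and compare the first three lines of output.

```perl
#!/usr/bin/perl
# Added example (not code from the thread). Shows which user the CGI
# really runs as, and why getpw* cannot verify a password on a shadowed
# system. Written against Perl 5.6-era syntax (no // or say).
use strict;
use warnings;

# Real ($<) and effective ($>) UID of this process. Under Apache 1.3 both
# are the UID from the 'User' directive (99 / nobody in the question), no
# matter who owns the script file, so a mode of 600 on /etc/shadow blocks
# the read. From a root console both are 0 and the same read succeeds.
sub whoami {
    my $real = getpwuid($<);
    my $eff  = getpwuid($>);
    $real = '?' unless defined $real;
    $eff  = '?' unless defined $eff;
    return sprintf("real uid %d (%s), effective uid %d (%s)",
                   $<, $real, $>, $eff);
}

# The password field that getpwnam() returns. On a shadowed system it is
# just 'x'; the hash itself sits in /etc/shadow, readable only by root.
sub passwd_field_for {
    my ($user) = @_;
    my @pw = getpwnam($user);
    return undef unless @pw;
    return $pw[1];
}

# True when getpw* is useless for password checks on this host.
sub is_shadowed {
    my $field = passwd_field_for('root');
    return (defined $field && $field eq 'x') ? 1 : 0;
}

# -r tests against the effective UID, so this reflects what the CGI sees.
sub can_read_shadow {
    return (-r '/etc/shadow') ? 1 : 0;
}

# How a password is checked once a hash is available from a source the
# web server user may read: re-hash the candidate using the stored hash
# as the salt and compare. Works for DES and MD5 ($1$) crypt strings.
# Note that DES crypt only looks at the first 8 characters.
sub password_matches {
    my ($candidate, $stored_hash) = @_;
    return 0 unless defined $candidate && defined $stored_hash
                    && length $stored_hash;
    return (crypt($candidate, $stored_hash) eq $stored_hash) ? 1 : 0;
}

# Constructed credential for the demonstration, hashed at run time.
my $demo_hash = crypt('secret42', 'ab');

print whoami(), "\n";
print "shadowed passwords:     ", (is_shadowed() ? 'yes' : 'no'), "\n";
print "/etc/shadow readable:   ", (can_read_shadow() ? 'yes' : 'no'), "\n";
print "good password accepted: ", password_matches('secret42', $demo_hash), "\n";
print "bad password accepted:  ", password_matches('wrong', $demo_hash), "\n";
```

The point of `whoami()` is diagnostic: if it reports uid 99 from the browser, no amount of `chown root` on the script changes what `-r '/etc/shadow'` returns, because Apache drops privileges before any CGI runs. `password_matches()` is only usable once the application has a hash it is allowed to read; copying /etc/shadow to a world-readable file, one of the options listed above, hands every password hash on the machine to whoever compromises the web server, so an application-specific credential file owned by the web server user is the safer place for it.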
 
LVL 15

Expert Comment

by:samri
ID: 6947297
ahoffmann,

again... my naive assumption takes precedence here.

...I assumed that the script is edited and saved with the root id, and I presume that the user "root" is firing up the browser to open the respective web page.

The assumption is based on the common web platform on Unix, which would be Apache, and Apache to my knowledge is very "picky" about running as UID 0, or setuid-0 scripts.

It used to happen to me, or maybe I just assume too much.

--gotta go.  Can't wait to work on my garden.

cheers.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6948152
samri, I didn't comment on your comment, which was pretty good (except for, see below).

The culprit might be Apache, which refuses setuid programs (as samri said), or the system itself, which refuses setuid scripts (like Solaris; not sure which Linux behaves this way nowadays).
 
LVL 15

Expert Comment

by:samri
ID: 6949431
ahoffmann...

haha... it seems that we are struggling to get to work on the problem while the caller waits silently... way in the corner..:) <-- no offense.

It is supposed to be an "Easy" 50pts question -- it turns out to be quite tricky.

good day.
 

Author Comment

by:meenu_nair
ID: 6949628
I'm using RedHat Linux 7.1 and Apache 1.3.17. I'm doing a webmail project in Perl 5.6.1. I need to access the Linux mbox from any computer connected to the internet through a web browser. For this purpose I have to authenticate the user by reading the /etc/shadow file of the Linux machine. But the Apache web server runs the script as user "nobody" and not as "root". So I failed to read /etc/shadow through a web page. How can I solve this problem? Can I read the /etc/shadow file from the web browser using a Perl script? Is there any way to check the user by using any built-in modules of Perl? The only inputs from the web page are the user name and password. So are there any modules or functions in Perl to check if it's a valid user, other than extracting the user name and password by reading the shadow file? I have to make this validation within the Perl script.

Thanks for the suggestions... waiting for your expert replies.
 

Author Comment

by:meenu_nair
ID: 6949820
I tried getpwent, getpwnam, etc., but they are all retrieving 'x' as the password field (i.e. it is retrieving it from /etc/passwd rather than /etc/shadow), which may not help in password comparison. Also setting the setuid bit for the script is not solving the problem... and I'm not permitted those solutions which may cause security concerns... so what should I do?

Dear ahoffmann and samri, you both are right, but nothing seems to work... what should I do?..

Sorry for waiting silently. I was just following up your suggestions meanwhile.... please do help.........
 
LVL 15

Accepted Solution

by: samri (earned 50 total points)
ID: 6949888

The following are the modules that can be used:

http://search.cpan.org/search?module=Apache::AuthenPasswd
http://search.cpan.org/search?module=Apache::AuthzPasswd

Once the authentication is successful, the environment variable REMOTE_USER will be assigned the authenticated user.

Another problem that will arise would be reading the mailbox file itself, since the web server is running as apache, and the mailbox can only be read by the owner, or users in group mail.

There is a web-based admin suite, Webmin, which is written in Perl, that has a module to read mbox format mailboxes.  Since it's written in Perl, and you are developing your project in Perl, there are similarities here.  Worth checking.  The URL is: http://www.webmin.com/webmin/
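What the accepted answer amounts to, in working form: let Apache's authentication handler verify the password before the script runs, and have the script trust only REMOTE_USER. The CGI below is an added example, not code from this thread or from the Apache::AuthenPasswd module. It assumes mod_perl under Apache 1.3, the httpd.conf section shown in its leading comment (an assumed configuration; the Location path is a placeholder), and the Red Hat 7.1 default spool directory /var/spool/mail; the `dispatch()` routine also models the second problem the answer raises, that the web server user usually cannot read another user's mbox.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Apache::AuthenPasswd.
# Assumed httpd.conf section for mod_perl under Apache 1.3 (adapt the
# path; Apache::AuthzPasswd can be added as PerlAuthzHandler for
# 'require group' rules):
#
#   <Location /cgi-bin/webmail>
#       AuthName "Webmail"
#       AuthType Basic
#       PerlAuthenHandler Apache::AuthenPasswd
#       require valid-user
#   </Location>
#
# With that in place Apache has already checked the password before this
# script runs, and REMOTE_USER carries the verified login name. The
# script never opens /etc/shadow and never needs to run as root.
use strict;
use warnings;
use CGI qw(header);

# Accept only names that look like a Unix login, so REMOTE_USER can be
# used safely to build a filesystem path (no '/', no '..', no spaces).
sub valid_login {
    my ($name) = @_;
    return 0 unless defined $name;
    return ($name =~ /^[a-z_][a-z0-9_-]{0,31}$/) ? 1 : 0;
}

# Where the user's mbox lives (Red Hat 7.1 default spool, assumed path).
sub mailbox_path {
    my ($name) = @_;
    return "/var/spool/mail/$name";
}

# Decide what to do with the request. Returns a status word and a
# message, so the logic can be exercised outside Apache as well.
sub dispatch {
    my ($remote_user) = @_;

    # Empty or malformed REMOTE_USER means the handler did not run or
    # the name cannot be used safely: refuse rather than guess.
    return ('denied', 'not authenticated by the web server')
        unless valid_login($remote_user);

    # The mbox is owned by the user and group mail; a web server running
    # as nobody/apache normally cannot read it, which is the second
    # problem the accepted answer points out.
    my $mbox = mailbox_path($remote_user);
    return ('denied', "$mbox is not readable by the web server user")
        unless -r $mbox;

    return ('ok', "would open $mbox for $remote_user");
}

my ($status, $msg) = dispatch($ENV{REMOTE_USER});
print header(-type   => 'text/plain',
             -status => ($status eq 'ok' ? '200 OK' : '403 Forbidden'));
print "$msg\n";
```

Two design points are worth noting. First, the script authorises on REMOTE_USER alone and never looks at the submitted password, so the credential check happens in one place (the Apache handler) and the CGI stays unprivileged. Second, `valid_login()` runs before the name is interpolated into a path; REMOTE_USER is trustworthy only to the extent the authentication handler constrains it, and an explicit pattern check costs nothing.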
