reading shadow file from etc/shadow

Posted on 2002-04-16
Medium Priority
Last Modified: 2013-12-25
How can we read the shadow file of Linux (which has its permissions set to 600) using a CGI/Perl script (purpose: user authentication)? The server is running as 'nobody' and shows the error 'permission denied' when trying to access the shadow file, even when the script owner is root and the script is executed by root from a web browser. The same script works fine when executed from the console (in the console the uid is 0, while when executed from a web browser the uid is 99, which corresponds to 'nobody'). The web server is Apache (version 1.3.17). The script is edited and saved with the root id. Please give me a solution.
Question by:meenu_nair
LVL 15

Expert Comment

ID: 6946901
meenu nair,

What language are you developing your authentication code in; Perl, C?

Before we proceed, it is best to understand why we need to access the /etc/shadow file in the first place.  If it is for user authentication, and if you happen to be using Perl, you can use the built-in function getpwnam NAME, or getpwuid UID.

The values returned will be: ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) = getpw*

Should you still insist on reading /etc/shadow, you need to either:

1. allow read access to /etc/shadow, by changing permission to 622, which is NOT recommended (I repeat), or
2. configure the web server to execute a setuid program, which Apache, I believe, will refuse to run setuid for a uid below a certain UID.  A program with setuid 0 most likely will NOT be executed.

3.  Get your web server process to run as root, and again this is a BIG security hole.

Another option is to create a synced copy of /etc/shadow, maybe /etc/shadow.txt, that can be read by the web server process.

Of all the options, I would recommend that you look for any library/internal function from the programming language you are using for getting entries from the password file.  This is much safer, and in most cases much easier to implement.

If you happen to be using Apache, and the code is Perl, take a look at Perl modules for accessing/manipulating system passwd files.  Or use the getpw* functions.

good luck.  
LVL 51

Expert Comment

ID: 6947235
> .. even when the script owner is root and the script executed  by root from a webbrowser

There is no reason why it does not work if these conditions are true.
Please ensure that all of this applies: file owner root (doesn't matter either), process effective and real user root.
LVL 15

Expert Comment

ID: 6947297

again... my naive assumption takes precedence here.

..I assumed that the script is edited and saved with the root id, and I presume that the user "root" is firing up the browser to open the respective web page.

The assumption is based on the common web platform on Unix, which would be Apache, and Apache to my knowledge is very "picky" about running as UID 0, or running setuid-0 scripts.

It used to happen to me, or maybe I just assume too much.

--gotta go.  Can't wait to work on my garden.

LVL 51

Expert Comment

ID: 6948152
samri, I didn't comment on your comment, which was pretty good (except for one point, see below).

The culprit might be Apache, which refuses setuid programs (as samri said), or the system itself, which refuses setuid scripts (like Solaris; not sure which Linux behaves this way nowadays).
LVL 15

Expert Comment

ID: 6949431

haha... it seems that we are struggling to get to work on the problem while the caller waits silently... way off in the corner..:) <-- no offense.

It is supposed to be an "Easy" 50pt question -- it turns out to be quite tricky.

Good day.

Author Comment

ID: 6949628
I'm using RedHat Linux 7.1 and Apache 1.3.17. I'm doing a webmail project in Perl 5.6.1. I need to access the Linux mbox from any computer connected to the internet through a web browser. For this purpose I have to authenticate the user by reading the /etc/shadow file of the Linux system. But the Apache web server runs the script as user "nobody" and not as "root". So I failed to read /etc/shadow through a web page. How can I solve this problem? Can I read the /etc/shadow file from the web browser using a Perl script? Is there any way to check the user by using any built-in modules of Perl? The only inputs from the web page are the user name and password. So are there any modules or functions in Perl to check if it is a valid user, other than extracting the user name and password by reading the shadow file? I have to make this validation within the Perl script.

Thanks for the suggestions ..waiting for your expert replies


Author Comment

ID: 6949820
I tried getpwent, getpwnam, etc. but they are all retrieving "x" as the password field (i.e. it is retrieving it from /etc/passwd rather than /etc/shadow), which may not help in password comparison. Also setting the setuid bit for the script is not solving the problem... and I'm not permitted those solutions which may cause security concerns... so what should I do?

Dear ahoffman and samri, you are both right, but nothing seems to work... what should I do?..

Sorry for waiting silently. I was just following up your suggestions meanwhile.... please do help.........
LVL 15

Accepted Solution

samri earned 200 total points
ID: 6949888

Following are the modules that can be used;


Once the authentication is successful, the environment variable REMOTE_USER will be assigned the authenticated user.

Another problem that will arise would be reading the mailbox file itself.  Since the web server is running as apache, and the mailbox can only be read by the owner, or users in group mail.

There is a web based admin suite, Webmin, which is written in Perl, that has a module to read mbox format mailboxes.  Since it's written in Perl, and you are developing your project in Perl, we have some similarities here.  Worth checking.  The URL is: http://www.webmin.com/webmin/
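The thread's core point, raised in the author's comment about getpwnam returning "x" and in samri's answer about not handing /etc/shadow to the web server, is that on a shadowed system the real check is crypt(3) against the hash stored in /etc/shadow, and only root can read that hash. The example below is added here and is not code from the thread, from meenu_nair, or from any of the modules samri refers to. It shows the verification logic in Perl: parse shadow(5) records, reject locked or expired accounts, and recompute crypt() with the stored hash as the setting string. The sample records are constructed in the script (the hash is generated at run time with crypt()), and the subroutine names are this example's own. In a real deployment this code has to run as root, for example in a small root-owned helper the CGI talks to, since the file is 0600 and the Linux kernel ignores the setuid bit on #! scripts; the Apache process running as nobody should never be able to read the file itself.

```perl
#!/usr/bin/perl
# Added example (not from the thread): verify a username/password pair
# against shadow-format records with Perl's built-in crypt().
# Must run as root on a real host; see the lead-in above.
use strict;
use warnings;

# Parse one shadow(5) line into a hash of its nine colon-separated fields.
# Returns undef for comment lines, blank lines and malformed records.
sub parse_shadow_line {
    my ($line) = @_;
    chomp $line;
    return undef if $line =~ /^\s*(#|$)/;
    my @f = split /:/, $line, -1;          # -1 keeps trailing empty fields
    return undef unless @f == 9;
    my %e;
    @e{qw(name hash lastchg min max warn inact expire flag)} = @f;
    return \%e;
}

# Load every valid record from shadow-format text into a name => entry map.
sub load_shadow {
    my ($text) = @_;
    my %db;
    for my $line (split /\n/, $text) {
        my $e = parse_shadow_line($line) or next;
        $db{ $e->{name} } = $e;
    }
    return \%db;
}

# An account is usable only if the hash field holds a real hash (not empty,
# not locked with '!' or '*') and its expiry (days since the epoch) has not passed.
sub account_usable {
    my ($e, $today) = @_;
    return 0 if $e->{hash} eq '' || $e->{hash} =~ /^[!*]/;
    return 0 if $e->{expire} ne '' && $today >= $e->{expire};
    return 1;
}

# Authenticate: crypt() with the stored hash as the salt/setting string
# reproduces the stored hash if, and only if, the password is right.
# Returns 1 or 0 and does not reveal which check failed (no user oracle).
# Note: 'eq' is not a constant-time comparison; a hardened helper would use one.
sub check_password {
    my ($db, $user, $password, $today) = @_;
    $today = int(time() / 86400) unless defined $today;
    my $e = $db->{$user} or return 0;
    return 0 unless account_usable($e, $today);
    my $computed = crypt($password, $e->{hash});
    return 0 unless defined $computed;
    return $computed eq $e->{hash} ? 1 : 0;
}

# --- Constructed sample data (not a real shadow file) -----------------------
# The hash for "alice" is generated here with crypt() so the sample works on
# any libc; "$6$" selects SHA-512 crypt where glibc supports it.
my $alice_hash = crypt('s3cret-pass', '$6$examplesalt$');
my $today      = int(time() / 86400);
my $sample = join "\n",
    "alice:${alice_hash}:" . ($today - 10)  . ":0:99999:7:::",                    # normal account
    "bob:!${alice_hash}:"  . ($today - 10)  . ":0:99999:7:::",                    # locked with '!'
    "carol:${alice_hash}:" . ($today - 400) . ":0:99999:7::" . ($today - 1) . ":", # expired yesterday
    "daemon:*:18000:0:99999:7:::",                                                # no password login
    "# comment lines and malformed lines are skipped",
    "";

my $db = load_shadow($sample);
for my $case (['alice', 's3cret-pass'], ['alice', 'wrong'],
              ['bob', 's3cret-pass'],   ['carol', 's3cret-pass'],
              ['daemon', ''],           ['nobody-here', 'x']) {
    my ($u, $p) = @$case;
    printf "%-12s %s\n", $u, check_password($db, $u, $p, $today) ? 'accepted' : 'rejected';
}
```

Run it as any user to see the logic on the constructed records; to check real accounts, the same check_password would be fed the contents of /etc/shadow by a root-run helper, and the CGI running as nobody would pass it only the user name and password and get back a yes/no. Passing the stored hash back to crypt() as the setting string is what makes the check work for any hash type the libc knows (DES, MD5, SHA-512), since the algorithm identifier and salt are carried in the hash itself.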