Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


reading shadow file from etc/shadow

Posted on 2002-04-16
Medium Priority
Last Modified: 2013-12-25
how can we read the shadow file of linux (which has the permission set as 600 )using cgi/perl script (purpose :for user authentication).the server is running as 'nobody' and is showing the error 'permission denied' when trying to access the shadow file even when the script owner is root and the script executed  by  root from a webbrowser.the same script works fine when executed from console(in console the uid is 0, while when exectued from a webbrowser the uid is 99(corresponds to 'nobody').Web server is Apache(version 1.3.17). the scripts is edited, and saved with root id.please giv me a solution.....
Question by:meenu_nair
  • 4
  • 2
  • 2
LVL 15

Expert Comment

ID: 6946901
meenu nair,

What language are you developing you authentication code; Perl, C?

Before we proceed, it is best to understand, why we need to access the /etc/shadow file at the first place.  If it is for user authentication, and if you happens to be using perl, you can use the built-in functionl getpwnam NAME, or getpwuid UID.

The values returned will be: ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) = getpw*

Should you still insist in reading the /etc/shadow, you need to either;

1. allow read access to /etc/shadow, by changing permission to 622, which is NOT recommended (I Repeat)., or
2. Configure the webserver to execute setuid program, which Apache I believe will refuse to run setuid for uid below certain UID.  program with setuid 0 most likely will NOT be executed.

4.  Get your webserver process to run as root, and again this is a BIG security hole.

Another option is to create a sync copy of /etc/shadow, maybe /etc/shadow.txt, that can be read by webserver process.

Off all the options, I would recommend you to look for any library/ internal function from the Programming language you are using for getting entries from password file.  This is much safer, and in most cases much easier to implement.

If you happens to be using apache, and the codes are Perl, take a look at Perl modules for accessing/manipulating system passwd files.  Or use the getpw* functions.

good luck.  
LVL 51

Expert Comment

ID: 6947235
> .. even when the script owner is root and the script executed  by root from a webbrowser

There is no reason why it does not work if these conditions are true.
Please enshure that this all applies: file owner root (doesn't matter either), process effective and real user root.
LVL 15

Expert Comment

ID: 6947297

againg... my naive assumption takes precedence here.

..I assumed that the scripts is edited, and saved with root id, and root I presume that the user "root" is firing up the Browser to open the respective web-page.

The assumtion is based on common web platform on Unix, would be Apache, and Apache to my knowledge are very "picky" about running as UID-0, or setuid-0 scripts.

It used to happen to me, or maybe I just assume too much.

--gotta go.  can't wait to work on my garden.

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

LVL 51

Expert Comment

ID: 6948152
samri, didn't comment your comment, which was pretty good (except of, see below).

The culprit might be apache, which refuses setuid rograms (as samri said), or the ystem itself which refuses setuid scripts (like Solaris, not shure about which Linux behaves this way nowerdays).
LVL 15

Expert Comment

ID: 6949431

haha... it seems that we are struggling to get to work on the problem while the caller wait silently... way at the corner..:) <-- no offense.

It is suppose to be an "Easy" 50pts Question -- it turns out to be quite tricky.

good day.

Author Comment

ID: 6949628
I'm using RedHat Linux 7.1 and apache 1.3.17. I'm doing a webmail project in PERL 5.6.1. I need to acees the Linux mbox from any computer connected to the internet through web browser. For this purpose I've to authenticate the user by reading the /etc/shadow file of the Linux. But the apache web server runs the script as user "Nobody" and not as "root". So I failed to read the /etc/shadow through a web page. How can I solve this problem? Can I read the /etc/shadow file from the web browser using perl script ? Is there any way to check the user by using any built in modules of PERL? The only inputs from the web page is the user name and password. So is there any modules or functions in perl to check if its a valid user other than extracting the user name and password by reading the shadow file.I've to make this validation within the perl script.

thanx for the suggestions ..waiting for ur expert replies


Author Comment

ID: 6949820
i tried getpwent ,getpwnam, etc but they r all retrieving X as passowrd field(ie it is retrieving it from etc/passwd rather than etc/shadow) which may not help in passwd comparison.Also setting the setuid bit for the script is also not solving the problem...and im not permitted those solutions which may cause security concerns...so what should i do?

dear ahoffman and samri, u both r right ,but nothing seems to work... wt should i do ?..

sorry for waiting silently.i was just following up ur suggestions meanwhile....please do help.........
LVL 15

Accepted Solution

samri earned 200 total points
ID: 6949888

Following are the modules that can be used;


Once the authentication is successfull, you the environmet variable REMOTE_USER will be assigned the the authenticated user.

Another problem that will arise would be reading the mailbox file itself.  Since the webserver is running as apache, and the mailbox can only be read my the owner, or users in group mail.

There is a web based admin suite; Webmin, which is written in Perl, that has a module to read mbox format mailbox.  Since it's written in Perl, and you are developing you project in Perl, we had a similarities here.  Worth checking.  The URL is: http://www.webmin.com/webmin/


Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you how to provide a dynamic RTF document on your website generated with data from your database. For this tutorial you will need Microsoft Word or WordPad, WhizBase and Microsoft Access. In this tutorial I will show …
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question