reading shadow file from etc/shadow

how can we read the shadow file of linux (which has the permission set as 600 )using cgi/perl script (purpose :for user authentication).the server is running as 'nobody' and is showing the error 'permission denied' when trying to access the shadow file even when the script owner is root and the script executed  by  root from a webbrowser.the same script works fine when executed from console(in console the uid is 0, while when exectued from a webbrowser the uid is 99(corresponds to 'nobody').Web server is Apache(version 1.3.17). the scripts is edited, and saved with root id.please giv me a solution.....
Who is Participating?

Following are the modules that can be used;

Once the authentication is successfull, you the environmet variable REMOTE_USER will be assigned the the authenticated user.

Another problem that will arise would be reading the mailbox file itself.  Since the webserver is running as apache, and the mailbox can only be read my the owner, or users in group mail.

There is a web based admin suite; Webmin, which is written in Perl, that has a module to read mbox format mailbox.  Since it's written in Perl, and you are developing you project in Perl, we had a similarities here.  Worth checking.  The URL is:

meenu nair,

What language are you developing you authentication code; Perl, C?

Before we proceed, it is best to understand, why we need to access the /etc/shadow file at the first place.  If it is for user authentication, and if you happens to be using perl, you can use the built-in functionl getpwnam NAME, or getpwuid UID.

The values returned will be: ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) = getpw*

Should you still insist in reading the /etc/shadow, you need to either;

1. allow read access to /etc/shadow, by changing permission to 622, which is NOT recommended (I Repeat)., or
2. Configure the webserver to execute setuid program, which Apache I believe will refuse to run setuid for uid below certain UID.  program with setuid 0 most likely will NOT be executed.

4.  Get your webserver process to run as root, and again this is a BIG security hole.

Another option is to create a sync copy of /etc/shadow, maybe /etc/shadow.txt, that can be read by webserver process.

Off all the options, I would recommend you to look for any library/ internal function from the Programming language you are using for getting entries from password file.  This is much safer, and in most cases much easier to implement.

If you happens to be using apache, and the codes are Perl, take a look at Perl modules for accessing/manipulating system passwd files.  Or use the getpw* functions.

good luck.  
> .. even when the script owner is root and the script executed  by root from a webbrowser

There is no reason why it does not work if these conditions are true.
Please enshure that this all applies: file owner root (doesn't matter either), process effective and real user root.
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.


againg... my naive assumption takes precedence here.

..I assumed that the scripts is edited, and saved with root id, and root I presume that the user "root" is firing up the Browser to open the respective web-page.

The assumtion is based on common web platform on Unix, would be Apache, and Apache to my knowledge are very "picky" about running as UID-0, or setuid-0 scripts.

It used to happen to me, or maybe I just assume too much.

--gotta go.  can't wait to work on my garden.

samri, didn't comment your comment, which was pretty good (except of, see below).

The culprit might be apache, which refuses setuid rograms (as samri said), or the ystem itself which refuses setuid scripts (like Solaris, not shure about which Linux behaves this way nowerdays).

haha... it seems that we are struggling to get to work on the problem while the caller wait silently... way at the corner..:) <-- no offense.

It is suppose to be an "Easy" 50pts Question -- it turns out to be quite tricky.

good day.
meenu_nairAuthor Commented:
I'm using RedHat Linux 7.1 and apache 1.3.17. I'm doing a webmail project in PERL 5.6.1. I need to acees the Linux mbox from any computer connected to the internet through web browser. For this purpose I've to authenticate the user by reading the /etc/shadow file of the Linux. But the apache web server runs the script as user "Nobody" and not as "root". So I failed to read the /etc/shadow through a web page. How can I solve this problem? Can I read the /etc/shadow file from the web browser using perl script ? Is there any way to check the user by using any built in modules of PERL? The only inputs from the web page is the user name and password. So is there any modules or functions in perl to check if its a valid user other than extracting the user name and password by reading the shadow file.I've to make this validation within the perl script.

thanx for the suggestions ..waiting for ur expert replies

meenu_nairAuthor Commented:
i tried getpwent ,getpwnam, etc but they r all retrieving X as passowrd field(ie it is retrieving it from etc/passwd rather than etc/shadow) which may not help in passwd comparison.Also setting the setuid bit for the script is also not solving the problem...and im not permitted those solutions which may cause security what should i do?

dear ahoffman and samri, u both r right ,but nothing seems to work... wt should i do ?..

sorry for waiting silently.i was just following up ur suggestions meanwhile....please do help.........
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.