views: 207

answers: 3

Given a username and password, I need to check if there's a user on the local system with said username and password.

I'm aware of posix_getpwnam and using the PAM package, but both of these methods require that the PHP script have access to /etc/shadow. I'd rather not mess with permissions of system files or daemon users.

I imagine that this could be done either by messing with standard system commands such as sudo, or by writing my own small setuid C program. I could also try to connect to localhost via FTP or SSH with said username/password to validate it. Is there a simpler way?

A: 
  1. I believe ftp/ssh is a slick way of doing it assuming the system is always running these.

  2. Another possibility, for permissions' sake, is to write some script that'll pull those users from /etc/shadow and run this script as a cron job to regularly update it. This script creates a file with permissions specific only to the user running your web server (apache and what not), and you can check against this file, or even insert the entries into a MySQL database if you really wanted to get crazy.

The first is simple and easy to do; the second is a bit more work. Another way that just came to mind, though, is to execute a system command such as useradd $user through PHP and check the return value. This requires sudo though.

Chris
Sorry for the late reply, but I don't understand how using useradd would help in this situation. Do you think you could clarify that part?
CyberShadow
A: 

I could also try to connect to localhost via FTP or SSH with said username/password to validate it.

That's what I did in the end (using the PHP ssh2 extension). Local commands are also run via the same connection, under the user's credentials.

CyberShadow
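An added example (not code from the thread) of the ssh2-extension approach the asker settled on. It assumes sshd listens on localhost:22 with password authentication enabled, and that `$expectedFingerprint` is a host-key fingerprint you recorded out of band; the password is handed to the extension directly and never appears on a command line where `ps` could show it.

```php
<?php
// Validate a local username/password by authenticating to the local SSH
// daemon (PECL ssh2 extension), then run one command as that user.
// Assumes: sshd on 127.0.0.1:22 with PasswordAuthentication enabled.

function authenticateLocalUser(string $user, string $password, ?string $expectedFingerprint = null): ?array
{
    // The username goes to sshd, not a shell, but only accept plain account names anyway.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        return null;
    }
    $session = @ssh2_connect('127.0.0.1', 22);
    if ($session === false) {
        return null; // sshd not reachable
    }
    // Pin the host key: if the connection were ever redirected, the password
    // would otherwise be handed to whatever answered on port 22.
    $fingerprint = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if ($expectedFingerprint !== null && !hash_equals($expectedFingerprint, $fingerprint)) {
        return null; // host key mismatch
    }
    // sshd (through PAM) performs the real check; a wrong password yields false plus a warning.
    if (@ssh2_auth_password($session, $user, $password) !== true) {
        return null; // bad credentials
    }
    // Run a command under the user's own credentials over the same connection.
    $stream = ssh2_exec($session, 'id -un');
    stream_set_blocking($stream, true);
    $whoami = trim(stream_get_contents($stream));
    fclose($stream);
    ssh2_disconnect($session);
    return ['user' => $user, 'whoami' => $whoami, 'fingerprint' => $fingerprint];
}

// Usage: credentials come from the request and are never logged.
$result = authenticateLocalUser($_POST['user'] ?? '', $_POST['pass'] ?? '');
echo $result === null ? "Authentication failed\n" : "Logged in as {$result['whoami']}\n";
```

Keep `$session` open if you need to run further commands as that user, as the answer above describes, rather than re-authenticating per command.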
A: 

If you wanted a more native way, you can roll your own. I would look more into PAM: pam_authenticate.

I mean, you SHOULD be able to create an application that authenticates but doesn't require root using PAM, for example sudo.

But, if you wanted a simpler solution you could just call:

login.sh:

#!/bin/bash
# Feed the password to su on stdin; echo supplies the trailing newline.
# Exit status is su's: 0 on success, non-zero on a rejected password.
echo "$2" | su "$1" -c true

from the PHP code as an exec statement calling login.sh, with the first parameter being the username and the second being the password.

Nathan Adams
"I mean you SHOULD be able to create an application that authenticates but doesn't require root using PAM, for example sudo." I don't think so - isn't sudo setuid-as-root?
CyberShadow
I mentioned messing with system commands like `sudo` in my question, however the main problem with using login utilities such as `su` is that they are not designed for automatic password authentication. Even though sudo does have a -S flag to read the password from stdin, the app still needs to deal with parsing output and repeated password prompts and the artificial delays for incorrect passwords.
CyberShadow
@CyberShadow I don't know what the precise definition of sudo is, but I do know what it does - it allows you to run an application as root or another user. The key here is that I am under the impression that tools like su and sudo do NOT read the shadow file directly; they ask something like PAM if the user/pass is correct, as a username/password can come from, say, LDAP. I guess what I am trying to say is that attempting to read the shadow file is the wrong approach to trying to auth users.
Nathan Adams
AFAIK, su/sudo DO access PAM, but not via a service or anything, but they load PAM as a library. That means that PAM code is executed with the same privileges as su/sudo. This means that su/sudo, and any code which uses PAM for authentication, needs to be able to access the shadow file.
CyberShadow
That doesn't make sense: if I launch su, su is running under my privileges, which means that su can't access the /etc/shadow file. PAM has to have something sitting outside the normal user level. I tried to find some more information on PAM, but from what I can tell it's not a kernel module... it just kind of sits there. I want to read something that explains the technical details of how PAM works and where it sits in the OS... but it seems to be buried somewhere on the net.
Nathan Adams
Sorry for the late reply. Just wanted to point out that system utilities like `su` and `sudo` are "suid root", meaning that they always run as root, no matter which user runs them.
CyberShadow