Hi All,

I'm writing a cross-platform TCP/IP server and I need to authenticate users before servicing them. Requirements stipulate that I use "native" authentication of the platform and not create my own authentication mechanism.

For the Linux/Unix OS family I use getpwnam to authenticate users, and the most reliable way I know to make sure this works is to start my service as root. There are no other reasons for the service to run as root, and I wonder what my options are. Can I call getpwnam while not being root w/o compromising security? Or, if there are alternatives to getpwnam, how portable are they and how "administrator-friendly" in the sense of "what configuration effort they require"? The reason why an independent authentication mechanism is off the table is exactly that it creates "too much of a configuration effort".

A: 

Using getpwnam() does not require root privileges.

Trying to get information from the shadow password file, or AFAIK using PAM, does require root privileges, and that presents some problems. However, you might be able to start your process as root, initialize access to PAM, and then drop privileges. That is unconfirmed speculation, but is at least somewhat plausible.

Note that in most systems, getpwnam() does not return you an encrypted (or hashed) password. So, you need to consider carefully what you are planning to do to 'authenticate' the user.

Jonathan Leffler
Yes, I also check getspnam result out before giving up authenticating the user. Was reasonably successful on Linux distros and Solaris so far.
Oleg Zhylin
I'm not sure about the 'root for PAM' bit. I've seen some problems where it appeared that root privilege was needed, but my test example isn't working as either root or non-root (but with different errors, neither of them very helpful). More investigation soon - I hope.
Jonathan Leffler
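The behaviour discussed in the answer and comments above, as an added example that is not part of the original thread: getpwnam() succeeds without privileges, while a verifiable hash is usually only reachable through getspnam() by a process allowed to read the shadow database. It assumes a Linux or Solaris style `<shadow.h>` and the Linux shadow-suite field conventions; the enum and function names are hypothetical.

```c
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names; field conventions assumed from the Linux shadow suite. */
enum pw_field { PW_EMPTY, PW_PLACEHOLDER, PW_LOCKED, PW_HASH };
enum hash_source { SRC_NO_USER = -1, SRC_NONE, SRC_PASSWD, SRC_SHADOW };

/* Classify a passwd/shadow password field without ever printing it. */
enum pw_field classify_pw_field(const char *f)
{
    if (f == NULL || f[0] == '\0') return PW_EMPTY;        /* no password set */
    if (strcmp(f, "x") == 0) return PW_PLACEHOLDER;        /* hash lives in shadow */
    if (f[0] == '*' || f[0] == '!') return PW_LOCKED;      /* password login disabled */
    return PW_HASH;                                        /* something crypt() could check */
}

/* Report which database yields a usable hash for `user` to THIS process. */
enum hash_source find_hash_source(const char *user)
{
    struct passwd *pw = getpwnam(user);   /* works for unprivileged callers */
    if (pw == NULL) return SRC_NO_USER;
    if (classify_pw_field(pw->pw_passwd) == PW_HASH) return SRC_PASSWD;

    struct spwd *sp = getspnam(user);     /* NULL unless we may read the shadow db */
    if (sp != NULL && classify_pw_field(sp->sp_pwdp) == PW_HASH) return SRC_SHADOW;
    return SRC_NONE;                      /* account known, but nothing to verify against */
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "no hash readable", "hash in passwd", "hash in shadow" };
    const char *user = argc > 1 ? argv[1] : "root";
    enum hash_source s = find_hash_source(user);

    if (s == SRC_NO_USER) {
        printf("%s: no such user\n", user);
        return 1;
    }
    /* Run once as an ordinary user and once as root to compare the results. */
    printf("euid=%ld %s: %s\n", (long)geteuid(), user, msg[s]);
    return 0;
}
```

A result of "no hash readable" for an account that exists is the typical non-root outcome: the lookup works, but there is nothing to verify a password against.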
+1  A: 

Have you taken a look at PAM authentication?

mysomic
From what I remember, PAM has restrictions for programs that change their user while running. This is why, for instance, Apache can't access PAM from its child processes.
R. Bemrose
My application would have to be PAM aware. How much will it benefit admins? PAM is usually not installed by default as far as I know.
Oleg Zhylin
+1  A: 

Use SASL, for example Cyrus SASL. No root privileges required and all popular Linux distributions support it. I'm using it to authenticate users of an intranet site served by Apache and written in Python. Among others, Sendmail and Postfix use it for authentication.

Tometzky
+1. If you want to use PAM (or shadow directly) with this method you'll need to use the plain mechanism. As the name infers, this means you'll have passwords coming in unencrypted which is no good. You'll need to provide your own encryption on the connection to keep the passwords out of the enemy's hands.
EvilRyry