From owner-freebsd-security Sun Aug 22 19: 6:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
    by hub.freebsd.org (Postfix) with ESMTP id 9C86414C81
    for ; Sun, 22 Aug 1999 19:06:12 -0700 (PDT)
    (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
    by cc942873-a.ewndsr1.nj.home.com (8.8.8/8.8.8) id WAA24192
    for freebsd-security@freebsd.org; Sun, 22 Aug 1999 22:06:01 -0400 (EDT)
    (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199908230206.WAA24192@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: getting passwored data via a perl cgi
In-Reply-To: from Colin Eric Johnson at "Aug 22, 99 09:57:31 am"
To: colinj@cs.unm.edu (Colin Eric Johnson)
Date: Sun, 22 Aug 1999 12:49:10 -0400 (EDT)
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Colin Eric Johnson wrote,
>
> I'm in the process of writing a cgi script in perl that should verify
> people against the machine's password file. The problem that I am running
> into is that if the script is run by anyone other than root I get an
> empty encrypted password field.
>
> I don't want to run the cgi SUID root as this doesn't seem safe.
>
> Is there a way to allow other users access to complete password database?
> I understand, basically, why this is restricted but I'm not sure how else
> to solve this given FreeBSD's restrictions.

Not sure if this is the preferred way to go but... I worked around a
problem like this in a shell script by executing su. IIRC, I did
something like,

    if su $USERNAME -c :; then
        .
        .

Provided you have not redirected stdout or stdin, the person executing
the script gets prompted for 'Password:' and it is fed to su which
does the verification for you.
su will only exit on success if the password is correct and the user
has login capabilities.
-- 
Crist J. Clark                           cjclark@home.com
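
Added example, not part of the original message or Crist J. Clark's script: the su-based check from the reply written as POSIX sh functions, with the login name validated and quoted before it reaches su. The names valid_username and verify_login, the return codes, and the SU and CALLER_UID override variables are assumptions made for this example; like the reply, it assumes an interactive terminal with stdin and stdout not redirected.

```shell
#!/bin/sh
# Password check delegated to su(1): the script never reads the
# encrypted password field, so it does not need to run as root.
# SU and CALLER_UID are hypothetical hooks that let the logic be
# exercised without a terminal; leave them unset in real use.

# Accept only conservative login names: first character a letter or
# underscore, the rest letters, digits, '_', '.' or '-'. This keeps
# input such as "-m" or "root -c id" from reaching su as an option
# or as extra arguments.
valid_username() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Return codes (chosen for this example):
#   0  su accepted the password and the account may log in
#   1  su refused (wrong password, no such user, login not allowed)
#   2  login name rejected before su was run
#   3  caller is root, so the result would be meaningless
verify_login() {
    user=$1
    valid_username "$user" || return 2

    # su does not ask root for a password, so a root caller would
    # "verify" every account.
    [ "${CALLER_UID:-$(id -u)}" -ne 0 ] || return 3

    # ':' is the shell no-op, so nothing runs as the target user;
    # only the exit status of su is used. su itself prints the
    # 'Password:' prompt and reads the reply.
    if "${SU:-su}" "$user" -c :; then
        return 0
    fi
    return 1
}

# Typical use from a script:
#   verify_login "$USERNAME" && echo "password verified"
```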