Date:      Sun, 22 Aug 1999 17:17:58 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        roberto@keltia.freenix.fr (Ollivier Robert)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: getting passwored data via a perl cgi
Message-ID:  <199908230017.RAA33539@gndrsh.dnsmgr.net>
In-Reply-To: <19990822223619.B11240@keltia.freenix.fr> from Ollivier Robert at "Aug 22, 1999 10:36:19 pm"

> According to Colin Eric Johnson:
> > Is there a way to allow other users access to complete password database?
> > I understand, basically, why this is restricted but I'm not sure how else
> > to solve this given FreeBSD's restrictions.
> 
> Either you make it setuid root or you wipe up a daemon that runs as root and
                                        wip?
> make your script discuss with the daemon. The daemon could cache entries for
> example (although pwd lookups should be fast thanks to the DB files).

You can find a program used by cyrus for just what you are trying to
do in ports/mail/cyrus, it's called pwcheck.  There are probably some
others around, this is just one that I ran across recently.

IMHO making your cgi script suid root would be asking for a security
breach some day, probably sooner than later.   Cyrus is a large
daemon, but it took this route for dealing with this problem for good
reasons.

-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
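
An added sketch of the daemon approach discussed in this message (it is not part of the original e-mail and is not Cyrus's pwcheck code): the privileged helper receives a user name and password and returns only a verdict, so the CGI script never reads the password database. The `user\0password\0` request format, the `OK`/`NO` replies, the PBKDF2 hashing, the constructed `SAMPLE_DB` and the `socketpair` standing in for a Unix-domain socket are all assumptions made for this example.

```python
import hashlib, hmac, os, socket

MAX_REQ = 512  # bound the request size accepted by the privileged side

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def make_entry(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed stand-in for the protected password database (assumption).
SAMPLE_DB = {b"alice": make_entry(b"correct horse")}
# Hashed for unknown users so both failure paths do the same work.
_DUMMY = make_entry(b"unused")

def check(request, db=SAMPLE_DB):
    """Parse b'user\\0password\\0'; return a verdict only, never the hash."""
    parts = request.split(b"\0")
    if len(request) > MAX_REQ or len(parts) != 3 or parts[2] != b"":
        return b"NO"
    user, password = parts[0], parts[1]
    salt, stored = db.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # Same reply for "no such user" and "wrong password".
    return b"OK" if ok and user in db else b"NO"

def serve_one(conn, db=SAMPLE_DB):
    """Privileged side: answer one request on an accepted connection."""
    with conn:
        conn.sendall(check(conn.recv(MAX_REQ + 1), db))

def demo(user, password):
    """Unprivileged side (the CGI script) talking to the helper."""
    cgi_end, daemon_end = socket.socketpair()  # stands in for a Unix socket
    with cgi_end:
        cgi_end.sendall(user + b"\0" + password + b"\0")
        serve_one(daemon_end)
        return cgi_end.recv(16) == b"OK"

if __name__ == "__main__":
    print(demo(b"alice", b"correct horse"), demo(b"alice", b"guess"))
```

In a deployment the socket would be a filesystem Unix-domain socket whose directory permissions admit only the web server's user, which is what keeps other local users from querying the helper.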

