Date: Sun, 22 Aug 1999 12:49:10 -0400 (EDT) From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com> To: colinj@cs.unm.edu (Colin Eric Johnson) Subject: Re: getting passwored data via a perl cgi Message-ID: <199908230206.WAA24192@cc942873-a.ewndsr1.nj.home.com> In-Reply-To: <Pine.LNX.4.10.9908220956330.5398-100000@portico.cs.unm.edu> from Colin Eric Johnson at "Aug 22, 99 09:57:31 am"
next in thread | previous in thread | raw e-mail | index | archive | help
Colin Eric Johnson wrote,
>
> I'm in the process of writing a cgi script in perl that should verify
> people against the machines password file. The problem that I am running
> into is that if the script is run by anyone other then root I get an
> empty encrypted password field.
>
> I don't want to run the cgi SUID root as this doesn't seem safe.
>
> Is there a way to allow other users access to complete password database?
> I understand, basically, why this is restricted but I'm not sure how else
> to solve this given FreeBSDs restrictions.
Not sure if this is the prefered way to go but...
I worked around a problem like this in a shell script by executing
su. IIRC, I did something like,
if su $USERNAME -c :; then
.
.
Provided you have not redirected stdout or stdin, the person executing
the script gets prompted for 'Password:' and it is fed to su which
does the verification for you. su will only exit on success if the
password is correct and the user has login capabilities.
--
Crist J. Clark cjclark@home.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199908230206.WAA24192>