From owner-freebsd-security  Mon Aug 23  5:26: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sminter.com.ar (ns1.via-net-works.net.ar [200.10.100.10])
	by hub.freebsd.org (Postfix) with ESMTP id 7F88F156A0
	for <freebsd-security@FreeBSD.ORG>; Mon, 23 Aug 1999 05:25:53 -0700 (PDT)
	(envelope-from fpscha@ns1.sminter.com.ar)
Received: (from fpscha@localhost)
          by ns1.sminter.com.ar (8.8.5/8.8.4)
	  id JAA05046; Mon, 23 Aug 1999 09:26:28 -0300 (GMT)
Message-Id: <199908231226.JAA05046@ns1.sminter.com.ar>
Subject: Re: getting passwored data via a perl cgi
In-Reply-To: <Pine.LNX.4.10.9908220956330.5398-100000@portico.cs.unm.edu> from Colin Eric Johnson at "Aug 22, 99 09:57:31 am"
To: colinj@cs.unm.edu (Colin Eric Johnson)
Date: Mon, 23 Aug 1999 09:26:28 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
From: Fernando Schapachnik <fpscha@via-net-works.net.ar>
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

En un mensaje anterior, Colin Eric Johnson escribió:
> 
> I'm in the process of writing a cgi script in perl that should verify
> people against the machines password file. The problem that I am running
> into is that if the script is run by anyone other then root I get an
> empty encrypted password field. 
> 
> I don't want to run the cgi SUID root as this doesn't seem safe.
> 
> Is there a way to allow other users access to complete password database?
> I understand, basically, why this is restricted but I'm not sure how else
> to solve this given FreeBSDs restrictions.

For a similar problem I decided to use the SuExec feature of Apache. 
Basically you create a wrapper that talks to a suid program exchanging 
minimun (and because of this, easily veryfied) information. SuExec 
performs a *lot* of security checks. You can read more about SuExec in 
the Apache documentation.

Good luck!



Fernando P. Schapachnik
Administración de la red
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina. 
(54-11) 4323-3333
http://www.via-net-works.net.ar


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message