reading etc/shadow file using cgi/perl script

Date: 2002/04/18 10:16

How can we read the shadow file of Linux (which has the permission set as
600) using a CGI/Perl script (purpose: for user authentication)? The server
is running as 'nobody' and is showing the error 'permission denied' when
trying to access the shadow file through a Perl script from a web browser,
even though the script owner is root (the script is edited and saved with
root id). The same script works fine when executed from the console (in the
console the uid is 0, while when executed from a web browser the uid is 99,
which corresponds to 'nobody'). The web server is Apache (version 1.3.17).

Can this be solved by configuring the web server to execute a setuid
program? But Apache is believed to refuse to run setuid for a uid below a
certain UID, and a program with setuid 0 most likely will NOT be
executed. How can Apache be configured for this, if it will solve the above

Please give me a solution.....

If I were you I would not configure Apache to run scripts setuid. This
would lead to a security risk. Instead I would use some other Apache
authentication module.

Regarding your question:

>Can this be solved by Configuring the webserver to
>execute setuid program?

Yes, and no. Yes, it does, but Apache will refuse to run root setuid
programs unless you hack the source.


Thanks for this quick reply, Peter.
But that was one of the solutions suggested by an expert to solve my
original problem, i.e. reading the shadow file. Can you suggest a way out? I am
new to Perl/CGI.

I can suggest a solution, but none of the solutions are simple. Either you
have to modify Apache to allow root setuid scripts to run, or you can
write a daemon that runs in the name of the user 'root' and can communicate
with the CGI script.

This can be done, for example, using an already existing mailer daemon and using
the Net::POP3 module, trying to log in to the POP3 server from the CGI
script using the user name/password provided by the user. If it can log in
(on the same machine) then the authentication is ok.

Why don't you use some already crafted authentication module delivered for
Apache? What is your original problem?
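
The POP3 login check suggested in the reply above, as an added example that is not part of the original thread. It assumes a POP3 daemon on the same machine that authenticates system accounts; check_login, the host and port variables and the username pattern are hypothetical choices made for this illustration.

```perl
#!/usr/bin/perl
# Added example: authenticate a web user against the local POP3 daemon
# instead of reading /etc/shadow from the CGI process.
use strict;
use warnings;
use Net::POP3;

# Assumption: a POP3 daemon that checks system accounts listens here.
my $POP_HOST = '127.0.0.1';
my $POP_PORT = 110;

# check_login() is a hypothetical helper name, not from the thread.
# Returns 1 if the daemon accepts the credentials, 0 otherwise.
sub check_login {
    my ($user, $pass) = @_;

    # Reject anything that is not a plain account name before it reaches
    # the daemon (no whitespace, control characters or CR/LF).
    return 0 unless defined $user && $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    return 0 unless defined $pass && length $pass && $pass !~ /[\r\n]/;

    # Loopback only (POP3 sends the password in clear text), with a short
    # timeout so a hung daemon cannot stall the CGI.
    my $pop = Net::POP3->new($POP_HOST, Port => $POP_PORT, Timeout => 10)
        or return 0;

    # login() returns undef on failure, "0E0" (true) for an empty mailbox,
    # or the message count, so test definedness rather than the number.
    my $count = $pop->login($user, $pass);
    $pop->quit;
    return defined $count ? 1 : 0;
}

# Constructed sample input; a real CGI would take these from the POST body.
my ($user, $pass) = ('alice', 'constructed-sample-password');
print check_login($user, $pass)
    ? "authentication ok\n"
    : "authentication failed\n";
```

With this arrangement the CGI process stays unprivileged as 'nobody'; only the POP3 daemon ever touches the shadow file.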