PHP: authenticate local unix user (without direct access to /etc/shadow)
https://stackoverflow.com/questions/3326531
-
29-09-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Given a username and password, I need to check if there's a user on the local system with said username and password.
I'm aware of posix_getpwnam and using the PAM package, but both of these methods require that the PHP script have access to /etc/shadow. I'd rather not mess with permissions of system files or daemon users.
I imagine that this could be done either by messing with standard system commands such as sudo, or by writing my own small setuid C program. I could also try to connect to localhost via FTP or SSH with said username/password to validate it. Is there a simpler way?
Solution 3
I could also try to connect to localhost via FTP or SSH with said username/password to validate it.
That's what I did in the end (using PHP ssh2 extension). Local commands are also ran via the same connection, under the user's credentials.
OTHER TIPS
If you wanted a more native way you can either roll your own. I would look more into PAM: pam_authenticate.
I mean, you SHOULD be able to create an application that authenticates but doesn't require root using PAM, for example sudo.
But, if you wanted a simpler solution you could just call:
Source login.sh
#!/bin/bash
su $1 < `echo $2` #Need echo for the newline
In the PHP code as an exec statement to login.sh with the first parameter being username and the second being the password.
I believe ftp/ssh is a slick way of doing it assuming the system is always running these.
Another possibility for permissions sake, is to write some script thatll pull those users from /etc/shadow and run this script as a cron job to regularly update it. This script creates a file with permissions only specific to user running your web (apache and what not) and can check with this file or even database the entries to mysql if you really wanted to get crazy.
The first is simple and easy to do, the second is a bit more work. Another way that just came to mind though is to through php execute a system command such as useradd $user and check return. This requires sudo though.
