Programming Forums > Web Development and Design > PHP

titaniumdecoy · May 10th, 2006, 1:55 PM

I'm not sure whether this should be under PHP or Bash/Shell Scripting.

I'm attempting to write a PHP frontend for the Unix rcs utility for a classroom environment. In order to work with multiple users I need to verify the password that user enters coincides with that user's account name on the server. How can I do this? What I have come up with so far is the following:

(Toggle Plain Text)

// Read $user and $pass and run through 
// escapeshellarg()/escapeshellcmd() functions
$result = system("echo $pass | login $user");

Is using login insecure or a bad idea for some reason? More importantly, after this code has been executed (assuming the login was successful) will further calls to system() be under this user? Is there any way to test the output ($result) of this call to determine whether the login was successful under any Unix system (as the output after login varies on most systems)? Is there a better way to accomplish this?

Thanks.

titaniumdecoy · May 10th, 2006, 6:35 PM

An update since my last post...

I've determined that the best way to go about verifying user passwords would be to read the encrypted password in /etc/passwd or /etc/shadow.

I need to give my PHP script read-only access to that file, without changing that file's permissions (it is a system file). Is this possible? Thanks.

EDIT: Oops, I was trying to use popen() instead of fopen(). However I am still curious how one would go about increasing a PHP script's permissions, if anyone knows.

titaniumdecoy · May 11th, 2006, 1:50 PM

I feel like I'm talking to myself here... :p

I now have the script I described above working, so I can verify a username/password against Unix /etc/passwd or /etc/shadow files.

Does anyone know if it is possible to "re-login" to the shell through a PHP script under a different user? For example, is it possible to re-login under a different username (eg, system("echo $pass | login $user") ), and will this affect subsequent calls to system() be under this username or will the shell be "reset"?

mackenga · May 11th, 2006, 2:36 PM

Shelling out and executing login (or su, or setting environment variables) will only have effective changes as long as the shell that ran the commands in question is executing. As soon as that shell terminates and returns to your PHP code, the changes are forgotten.

I'm actually not sure how you'd go about checking if someone has the right password since I've never had to do this from inside a server-side script or similar, but I do know that making /etc/shadow readable by anyone other than root is BAD as it defeats the purpose of using the shadow file, and making a PHP script execute as root is far, far worse.

The shell-out line that you suggested also has a serious flaw; what if someone taps "blah; rm -rf /" in as their username? Anything the webserver has write access to is removed. There are also more imaginative things they might do - suffice it to say they can do pretty much anything unless you do some simple check (e.g. ensuring that there are only alphanumeric / other valid password characters in the username given, etc.).

Like I say, I don't have a great suggestion for how you could check the passwords are valid. I'd probably use separate sign-on details for the web interface rather than trying to reuse the Unix accounts, but that's just me (maybe I'm just lazy). If it's very important to use the Unix accounts to log in to your PHP-based system, I have a very vague idea that something called PAM may be involved - I hope this is a decent starting point for you.

Best of luck!

May 10th, 2006, 1:55 PM	#1
titaniumdecoy Expert Programmer Join Date: Nov 2005 Posts: 837 Rep Power: 3	Using the shell to check passwords? I'm not sure whether this should be under PHP or Bash/Shell Scripting. I'm attempting to write a PHP frontend for the Unix rcs utility for a classroom environment. In order to work with multiple users I need to verify the password that user enters coincides with that user's account name on the server. How can I do this? What I have come up with so far is the following: (Toggle Plain Text) // Read $user and $pass and run through // escapeshellarg()/escapeshellcmd() functions $result = system("echo $pass \| login $user"); // Read $user and $pass and run through // escapeshellarg()/escapeshellcmd() functions $result = system("echo $pass \| login $user"); Is using login insecure or a bad idea for some reason? More importantly, after this code has been executed (assuming the login was successful) will further calls to system() be under this user? Is there any way to test the output ($result) of this call to determine whether the login was successful under any Unix system (as the output after login varies on most systems)? Is there a better way to accomplish this? Thanks.

May 11th, 2006, 2:36 PM	#4
mackenga Professional Programmer Join Date: Mar 2005 Location: Glasgow, Scotland Posts: 314 Rep Power: 4	Shelling out and executing login (or su, or setting environment variables) will only have effective changes as long as the shell that ran the commands in question is executing. As soon as that shell terminates and returns to your PHP code, the changes are forgotten. I'm actually not sure how you'd go about checking if someone has the right password since I've never had to do this from inside a server-side script or similar, but I do know that making /etc/shadow readable by anyone other than root is BAD as it defeats the purpose of using the shadow file, and making a PHP script execute as root is far, far worse. The shell-out line that you suggested also has a serious flaw; what if someone taps "blah; rm -rf /" in as their username? Anything the webserver has write access to is removed. There are also more imaginative things they might do - suffice it to say they can do pretty much anything unless you do some simple check (e.g. ensuring that there are only alphanumeric / other valid password characters in the username given, etc.). Like I say, I don't have a great suggestion for how you could check the passwords are valid. I'd probably use separate sign-on details for the web interface rather than trying to reuse the Unix accounts, but that's just me (maybe I'm just lazy). If it's very important to use the Unix accounts to log in to your PHP-based system, I have a very vague idea that something called PAM may be involved - I hope this is a decent starting point for you. Best of luck! __________________ "I'm not a genius. Why do I have to suffer?"

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

May 10th, 2006, 6:35 PM	#2
titaniumdecoy Expert Programmer Join Date: Nov 2005 Posts: 837 Rep Power: 3	An update since my last post... I've determined that the best way to go about verifying user passwords would be to read the encrypted password in /etc/passwd or /etc/shadow. I need to give my PHP script read-only access to that file, without changing that file's permissions (it is a system file). Is this possible? Thanks. EDIT: Oops, I was trying to use popen() instead of fopen(). However I am still curious how one would go about increasing a PHP script's permissions, if anyone knows.

May 11th, 2006, 1:50 PM	#3
titaniumdecoy Expert Programmer Join Date: Nov 2005 Posts: 837 Rep Power: 3	I feel like I'm talking to myself here... :p I now have the script I described above working, so I can verify a username/password against Unix /etc/passwd or /etc/shadow files. Does anyone know if it is possible to "re-login" to the shell through a PHP script under a different user? For example, is it possible to re-login under a different username (eg, system("echo $pass \| login $user") ), and will this affect subsequent calls to system() be under this username or will the shell be "reset"?

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Programming Forums > Web Development and Design > PHP

Using the shell to check passwords?