LinuxQuestions.org
Old 08-09-2009, 04:18 AM   #1
a7mlinux
username and password


hi dudes, I have a PHP interface that contains:
enter username:
enter password:
and I want to save (append) $username and $password in /etc/passwd and /etc/shadow. How can I do this?
 
Old 08-09-2009, 04:33 AM   #2
karamarisan
The program executing your php would have to have root permissions - by design, webservers don't, usually running as their own user with no special access to anything.

This seems like an extraordinarily bad idea - what exactly are you trying to do?

Edit: to clarify, there might be some ugly ways to let this happen other than running apache as root - such as having your php call something which is setuid root - but the point is that you need privileges to edit those files and you're trying to do that from an application that traditionally runs unprivileged for (very sound) security reasons.

Last edited by karamarisan; 08-09-2009 at 04:35 AM.
 
Old 08-09-2009, 05:31 AM   #3
a7mlinux
I'm trying to design a webmail from scratch; the user accounts in the webmail are the same users as in the system. Any idea how to do this?
 
Old 08-09-2009, 06:00 AM   #4
karamarisan
Heh, that's an ambitious project. Well, as you may have guessed, I recommend you avoid messing with the system users and instead store your own login info. Have you heard of the principle of least privilege? It's a good idea to get that into your head when thinking about software in general, but the significance of it for this project is that unless you can come up with a compelling reason why it's worth giving this program the ability to mess with system users (and potentially creating other vulnerabilities), you shouldn't.

Suggestions: You could use htpasswd, which should already be in place and stores info in regular files stored wherever, or if you're already interfacing with a database, you could store them there (don't forget to hash your users' passwords!).

Edit: I may be missing you slightly. If you absolutely, absolutely can't avoid using system users, you could look into programming with PAM. Dunno about adding - using sudo to let you add a password without a user still presents the problem that a malicious entity could add a user, ssh in, and be one step closer to gaining control of your system.

Last edited by karamarisan; 08-09-2009 at 06:04 AM.
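The approach karamarisan recommends above (keep your own login info, hash the passwords), as an added example that is not part of the original thread: the webmail owns a small account table with bcrypt-hashed passwords, so the web server never needs write access to /etc/passwd or /etc/shadow. Assumes PHP 7 or later with the PDO SQLite driver; the table and column names are invented for the example.

```php
<?php
// Added example (not from the thread): a webmail keeps its own account
// table instead of touching /etc/passwd and /etc/shadow, so the web server
// runs unprivileged. Assumes PHP 7+ with PDO SQLite; schema is invented.

function open_store(string $path = ':memory:'): PDO {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS webmail_users (
        username TEXT PRIMARY KEY,
        pw_hash  TEXT NOT NULL)');
    return $db;
}

// Register: store only a salted bcrypt hash, never the clear-text password.
function register_user(PDO $db, string $user, string $password): bool {
    if (!preg_match('/^[a-z0-9_.-]{1,32}$/', $user)) {
        return false;                       // reject odd usernames early
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO webmail_users (username, pw_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$user, $hash]);
    } catch (PDOException $e) {
        return false;                       // duplicate username
    }
}

// Login: compare against the stored hash in constant time and rehash when
// the default algorithm or cost has moved on since the hash was created.
function verify_user(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM webmail_users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users so response timing
    // does not reveal which usernames exist.
    $hash = $row ? $row['pw_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash) && (bool)$row;
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE webmail_users SET pw_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    }
    return $ok;
}

$db = open_store();
register_user($db, 'alice', 'correct horse battery staple');
$loggedIn = verify_user($db, 'alice', 'correct horse battery staple');
$rejected = !verify_user($db, 'alice', 'wrong password');
```

Once the login succeeds, the webmail can hand the credentials to the mail server (or, with a virtual mailer, point the mail server at the same table) without the web server ever holding root.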
 
Old 08-09-2009, 08:47 AM   #5
a7mlinux
the core of my work is using imap with the function:
Code:
$mbox = imap_open("{localhost:143}INBOX", "user_id", "password");
to open inbox, and here the "user_id" and "password" belong to specific system user
 
Old 08-10-2009, 01:20 AM   #6
chrism01
Another option is to store the details in MySQL, but the main point is it's not a good idea to let users create accts in the passwd and shadow files.
As said above, that requires root style privs AND it would also make them a valid user via eg ssh if they manage to get a cxn.
 
Old 08-10-2009, 01:40 AM   #7
karamarisan
Okay - so if you're just building a frontend to an IMAP server, the external server is taking care of authentication and you're just passing credentials through to it. What would 'it' be in this case? If you want people not already on your system to be able to create accounts, you probably want a server that will use its own auth database. I don't have any relevant experience in picking such a thing, but it should be easy to research.
 
Old 08-11-2009, 05:25 AM   #8
a7mlinux
thanks a lot dudes, I know there is a fool security bug when I give the web server root privileges to append the password to /etc/shadow, but in my case I don't care about security concerns, my challenge is to add the password, any help?
thanks in advance
 
Old 08-11-2009, 07:14 AM   #9
karamarisan
If you insist on doing this, look into setuid. You could make a script that runs useradd and passwd for you, setuid root it, and have your php invoke that.

Two final thoughts:
1) You may be fundamentally undermining the security of your system if you do this. It's easy to say you accept the risk now; security is one of those things that never seems like it's worth the effort until after you needed it.
2) One of the consequences of ignoring the rules because you don't feel like following them is that people are often much less willing to help you. Most of the people at places like this who are good and can help are good because they know the rules of how to run a Linux system, and will be less inclined to spend time on people who don't understand why our predecessors came up with them in the first place. One might say you're making the entire Internet a little weaker by needlessly creating a weak link.
 
Old 08-11-2009, 07:32 AM   #10
zhjim
Quote:
Originally Posted by a7mlinux View Post
thanks a lot dudes, I know there is a fool security bug when I give the web server root privileges to append the password to /etc/shadow, but in my case I don't care about security concerns, my challenge is to add the password, any help?
thanks in advance
Only a burned baby dreads the fire. So here you go.

on shell:
Create a dir where the webserver has write permission.

inside php:
Create a temporary file with the name and password for the user

inside a cronjob:
look for a file inside the dir and use this information to execute useradd

Or

have apache run as root and do a
PHP Code:
// note: useradd -p expects an already crypt()ed string, not a clear-text password
system('/usr/sbin/useradd -p secret username');
Or

have the apache user to be allowed to sudo useradd and do the same as above

Or

Set up a virtual mailer and save the world

http://struction.de/projects/HOWTO_V...ex?set_lang=en


Cheers Zhjim
 
Old 08-11-2009, 08:26 AM   #11
sabir_mustafa
Can the "sudo" command be of any help in this whole scenario?
 
Old 08-11-2009, 08:43 AM   #12
karamarisan
From a making-it-happen standpoint, yes. You could allow the user apache runs as to `sudo useradd *` without a password, and it'd have largely the same effect as what I said about using setuid earlier.
From a security standpoint, that doesn't help at all.
 
Old 08-11-2009, 09:18 AM   #13
zhjim
Quote:
Originally Posted by karamarisan
From a security standpoint, that doesn't help at all.
True. The last one of my options, to create a virtual mailer, is the safest. The other three are mere mockups.
 
Old 08-11-2009, 10:10 AM   #14
a7mlinux

Quote:
Originally Posted by karamarisan View Post
If you insist on doing this, look into setuid. You could make a script that runs useradd and passwd for you, setuid root it, and have your php invoke that.

Two final thoughts:
1) You may be fundamentally undermining the security of your system if you do this. It's easy to say you accept the risk now; security is one of those things that never seems like it's worth the effort until after you needed it.
2) One of the consequences of ignoring the rules because you don't feel like following them is that people are often much less willing to help you. Most of the people at places like this who are good and can help are good because they know the rules of how to run a Linux system, and will be less inclined to spend time on people who don't understand why our predecessors came up with them in the first place. One might say you're making the entire Internet a little weaker by needlessly creating a weak link.
I know there are a lot of professionals here, but I'm just a beginner here, and am just trying to start with simple things and take them as a base and then do the big step. Why don't you take a look at my signature ;-)
I really appreciate your post, man

Last edited by a7mlinux; 08-11-2009 at 10:14 AM.
 
Old 08-11-2009, 10:27 AM   #15
karamarisan
It's good that you are experimenting (and if you're interested, I don't think most of us are professionals - I'm certainly not). However, mistakes are usually accidents. We've explained to you why this is a bad idea; what are you going to learn by ignoring that and doing it anyway? Hell, I'd say you'll learn the most by sticking to good practices as soon as you can.

zhjim put it wonderfully: only a burned baby dreads the fire. Don't be the burned baby if you can avoid it. :P
 