
Using PHP3, is there a way to authenticate a user without having to create a second user file? I want to use the master password list in the etc dir.

Jan 27th, 2001 15:23
Carlos Ferreyra, George Federuik


One somewhat insecure way of authenticating a user against the /etc/passwd file in PHP is to build an external program that reads "username password" on standard input and responds "Authenticated" or "Not authenticated", or returns a different exit code.

On a Linux system with a shadow passwd file, this program should be built using the Linux-PAM libraries, and here comes the security problem: use a permissive PAM module stack (dangerous, everyone could use the program!), or make the program setuid root with group "phpauth", phpauth being the only group allowed to read the dir and execute the program, and then run Apache (ergo PHP) with this new group. The problem here is to avoid a brute-force attack on this program.

I've run off of an urgent job with this thing and I don't like it; I think it's better to have a second user list for the service offered.

The program I did once can be found at http://www.dmc.com.ar/~ixnay/authuser.c -- sorry about the Spanish comments :)
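A PHP-side caller for the kind of helper the answer describes, added here as an example; it is not code from the original post or from the linked authuser.c. It assumes a modern PHP with proc_open (PHP3 would use popen), a hypothetical helper path and lockout directory, and a helper that exits 0 only on success; it sends the credentials over stdin rather than argv and adds a per-username failure counter to address the brute-force concern the answer raises.

```php
<?php
// Added example (not from the original post): PHP wrapper for an external
// PAM helper of the kind the answer describes. Helper path and lockout
// directory are hypothetical; the helper must exit 0 only on success.
const AUTH_HELPER  = '/usr/local/libexec/authuser'; // setuid helper, executable only by group phpauth
const LOCKOUT_DIR  = '/var/lib/phpauth';            // writable by the web server's group only
const MAX_FAILURES = 5;                             // failures before a username is locked
const LOCKOUT_SECS = 900;                           // lock duration in seconds

function failure_file(string $user): string {
    // Hash the name so an attacker-chosen username cannot form a path.
    return LOCKOUT_DIR . '/' . hash('sha256', $user) . '.fail';
}
function is_locked_out(string $user): bool {
    $f = failure_file($user);
    if (!is_file($f) || (int) file_get_contents($f) < MAX_FAILURES) return false;
    if (time() - filemtime($f) >= LOCKOUT_SECS) { unlink($f); return false; } // lock expired
    return true;
}
function record_failure(string $user): void {
    $f = failure_file($user);
    $count = is_file($f) ? (int) file_get_contents($f) : 0;
    file_put_contents($f, (string) ($count + 1), LOCK_EX);
}
function authenticate(string $user, string $password): bool {
    // The helper reads "username password\n": the name may not contain a space
    // or newline, and the password may not contain a newline or NUL.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) return false;
    if (strpbrk($password, "\n\0") !== false) return false;
    if (is_locked_out($user)) return false;

    $spec = [0 => ['pipe', 'r'], 1 => ['file', '/dev/null', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open(AUTH_HELPER, $spec, $pipes);
    if (!is_resource($proc)) return false;
    // Credentials travel over stdin, never argv, so they never appear in `ps`.
    fwrite($pipes[0], "$user $password\n");
    fclose($pipes[0]);
    $ok = proc_close($proc) === 0; // trust the exit code, not the printed text

    if ($ok) { @unlink(failure_file($user)); } else { record_failure($user); }
    return $ok;
}
```

The lockout counter is keyed by username only, so it slows guessing against one account; rate limiting by client address would have to be added separately.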