I have written a cgi-bin application in C that runs in a browser and allows the user to open an interactive shell and view & edit files on a Linux machine. It runs as the standard apache "www-data" user. I just added a login screen to it where the user types in their name and password (in a form) but I cannot authenticate the user using <strong>getspnam</strong> since this function only works when running as root.
What options do I have to check the login credentials of a user when not running as root?
PS: In my interactive shell I can type "su root" and then type in my password and it does elevate to root fine so it obviously can be done interactively.
Answer1:
With regard to your PS: Well, when you do a su root you're switching to the root user. So yes, of course, root can read the shadow file, you already said that.
With regard to your problem: Can't you have your apache processes temporarily elevate to root (by calling setuid or similar) to perform the authentication?
I think you want to take a look at <a href="http://en.wikipedia.org/wiki/Linux_PAM" rel="nofollow">Pluggable authentication modules</a>. AFAIK, PAM handles all the messy stuff for you and you just need to do a few function calls to authenticate the user on whatever the backend to authenticate users on the Linux host is (be it shadow passwords, nis, ldap, whatever).
Here's a short <a href="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_MWG.html" rel="nofollow">guide</a> about integrating your C code with them.
Answer3:
As suggested, I think PAM is the modern way to do this. But if you want to go old school, you need to create a setuid-root program (not a script) to do your authentication.
There are lots of gotchas with setuid-root programs, which is why PAM is likely better.
<a href="http://nob.cs.ucdavis.edu/bishop/secprog/" rel="nofollow">Here's a link</a> to some good papers on safely writing setuid-root programs.