Using getpwnam() with CGI


I am trying to create a script to install spam filters on a per user
The script will have a web UI where the user should be able to login
enable or disable the filters.  My original script, which was a
perl script, used User::pwent getpwnam() to get the user's encrypted
password from the shadow file and compare it with the encrypted
that the user submitted.  This worked perfectly.  Unfortunately, when I
it from a command line, the passwd object passed by getpwnam() is
always 'x'
which it is grabbing from the passwd file.  Does anyone know how I can

Here are the important parts of the code:

#!/usr/bin/suidperl -U
use strict;
use warnings;
use User::pwent;                  # replaces the builtin getpwnam() with one that returns an object
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);

# Remember the real uid the script started with, then become root so that
# getpwnam() returns the hash from /etc/shadow rather than the 'x' in /etc/passwd.
my $current_id = $<;
my $root       = getpwnam("root");   # User::pwent object for root
$< = $root->uid;                     # set the real uid to root's

sub authUser {
        # $userpass is the crypt(3) hash from the account record,
        # $password the cleartext the user typed into the form.
        my ($username, $userpass, $password) = @_;
        if ( crypt($password, $userpass) eq $userpass ) {
                return 1;
        } else {
                return 0;
        }
}

# Set UserInfo for the account named in the form's "mailbox" field
my $mailbox  = param('mailbox');
my $user     = getpwnam($mailbox) or die "no such user: $mailbox";
my $username = $user->name;
my $userpass = $user->passwd;
my $userdir  = $user->dir;
my $useruid  = $user->uid;
my $usergid  = $user->gid;

Jason Williard

Re: Using getpwnam() with CGI

Williard wrote:

Running it as root is your only option.
Be sure you know what you're doing.

Vorxion - Founder of the knocking-shop of the mind.

"You have it, you sell it, you've still got it--what's the difference?"
--Diana Trent, "Waiting for God", on why a modelling agency is really a
knocking-shop.  Applied by me to the field of consulting.  :)

The Sci-Fi fan's solution to debt:  Reverse the polarity on your charge card.

Re: Using getpwnam() with CGI

On Sat, 22 Apr 2005, Jason Williard wrote (reflowed to usenet


This has nothing specific to do with the Perl language, but... Keeping
crypted passwords in a shadow file is a valuable security measure.  
By contrast, asking users to type-in their login password to a web
page is, in general, a dangerous practice.  Let's hope you're at least
briefing them *never* to type their password without verifying that
they have a secure (https) channel, with verified certificate, to
*your* server.


The whole point of shadow passwords is that they're hidden from
unprivileged processes.

The "clean" way to deal with this in Linux is to use the Linux-PAM
API.  Other OSes should offer equivalent mechanisms.

Trying to program this directly yourself with root privs from a CGI
process opens up vast security holes, IMHO.  And takes away
flexibility if you ever want to restructure your authentication
scheme.  Take a look on CPAN for PAM authentication module.
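The PAM route suggested above, written out as an added example (it is not code from the original thread or from the CPAN module's documentation). It uses Authen::PAM from CPAN and assumes a PAM service file named spamfilter exists in /etc/pam.d; the service name and the pam_auth_user() helper are this example's own choices:

```perl
#!/usr/bin/perl
# Added example: authenticate a web-form login through Linux-PAM via the
# CPAN module Authen::PAM instead of reading /etc/shadow from the CGI.
# Assumption: /etc/pam.d/spamfilter exists with something like
#   auth    required  pam_unix.so
#   account required  pam_unix.so
use strict;
use warnings;
use Authen::PAM;

# Verify $login / $password against the "spamfilter" PAM stack.
# Returns 1 on success, 0 on failure; the script never sees a password hash.
sub pam_auth_user {
    my ($login, $password) = @_;

    # PAM calls this back with its prompts; we answer from the form
    # values instead of reading a terminal.
    my $conv = sub {
        my @res;
        while (@_) {
            my $code = shift;
            my $msg  = shift;
            my $ans  = "";
            $ans = $login    if $code == PAM_PROMPT_ECHO_ON();
            $ans = $password if $code == PAM_PROMPT_ECHO_OFF();
            push @res, (PAM_SUCCESS(), $ans);
        }
        push @res, PAM_SUCCESS();
        return @res;
    };

    my $pamh;
    my $rc = pam_start("spamfilter", $login, $conv, $pamh);
    return 0 unless $rc == PAM_SUCCESS();

    # Password check first, then account checks (expired, locked, ...).
    $rc = pam_authenticate($pamh, 0);
    $rc = pam_acct_mgmt($pamh, 0) if $rc == PAM_SUCCESS();

    pam_end($pamh, 0);
    return $rc == PAM_SUCCESS() ? 1 : 0;
}

# Usage from a CGI handler (CGI.pm's param() assumed to be imported):
# my $ok = pam_auth_user(param('mailbox'), param('password'));
# print $ok ? "Login OK\n" : "Login failed\n";
```

Two things to check before relying on this in a CGI. First, the script itself no longer needs root or suidperl to call crypt() against a shadow hash, and changing the backend later means editing the PAM service file, not the script. Second, on Linux the pam_unix module hands the check to the setuid helper unix_chkpwd, which will only verify the password of the user the calling process is already running as unless the caller is root; a CGI running as the web server's user therefore still needs some privileged component, and the PAM layer keeps that component small and separate from the web-facing code rather than making the whole script root.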
