
Verifying user's password in MySQL

Discussion in 'General Discussion' started by lamp, Nov 10, 2005.

  1. lamp

    Hello,

    I wanted to know your opinion on the following.

    I have written a web interface for my clients and would like them to log into it using their cPanel username & password.

    Since /etc/shadow is only readable by root and my Perl authentication script is run as 'tomcat' or 'nobody', I decided to authenticate them using the MySQL 'user' table. This seems to be working fine and I cannot see any drawback.

    What is your opinion on authenticating my users in such a way? Is there a better way of doing what I am trying to accomplish here?

    Thanks.
    Lamp
     
  2. webignition

    Your main concern will be with the fact that the passwords stored in /etc/shadow and the MySQL 'user' table might not always be the same.

    Within a cPanel environment, they should always be the same, assuming that all the correct files/database tables are modified/updated correctly when a user changes their password; however, there is no definitive relationship between the relevant file and database table. In short, it's just by design that you see a relationship between /etc/shadow and the MySQL 'user' table. If the design changes, the relationship is no longer present and your script breaks.

    The only reliable method would be to authenticate against /etc/shadow as this, cPanel or no cPanel, should always be the same (unless your OS screws up in which case you'll have plenty of things to worry about other than /etc/shadow containing invalid data).

    Therefore all you need to ensure is that your authentication script runs as root so that you will be able to check the contents of /etc/shadow. This should be possible through a cunning use of the remote access features. I have a selection of scripts that execute as root, called via remote access, that I utilise for automated tasks. In my case these are PHP scripts, although the same principles may apply to Perl.

    If you like I'll post a very simple PHP example of how to get scripts running as root as perhaps you can then figure out a similar method for Perl.
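
The /etc/shadow check recommended in the post above, sketched in Perl as an added example that is not code from either poster: it looks up the account in shadow-format text, refuses locked or empty entries, and compares the `crypt()` result in constant time. The function names and sample accounts are constructed for illustration, and it assumes a glibc `crypt()` that supports `$6$` hashes; on a real server the text would come from /etc/shadow read by a small privileged helper, so the web-facing script itself does not need to run as root.

```perl
use strict;
use warnings;

# Return the hash field for $user from shadow-format text, or undef if absent.
sub shadow_hash {
    my ($shadow_text, $user) = @_;
    for my $line (split /\n/, $shadow_text) {
        my ($name, $hash) = split /:/, $line, 3;
        return $hash if defined $name && $name eq $user;
    }
    return undef;
}

# Compare two strings without stopping at the first differing byte.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns 1 only when the account exists, is not locked, and the password matches.
sub verify_password {
    my ($shadow_text, $user, $password) = @_;
    my $stored = shadow_hash($shadow_text, $user);
    return 0 unless defined $stored && length $stored;   # unknown user or empty field
    return 0 if $stored =~ /^[!*]/;                       # locked or login-disabled account
    my $computed = crypt($password, $stored);             # stored hash supplies scheme and salt
    return 0 unless defined $computed;
    return ct_equal($computed, $stored);
}

# Constructed sample data (not real accounts). The hash is generated here so
# the script runs without touching /etc/shadow.
my $hash   = crypt('correct horse', '$6$examplesalt$');
my $shadow = join "\n",
    "alice:${hash}:19000:0:99999:7:::",
    "bob:!${hash}:19000:0:99999:7:::",      # locked account
    "daemon:*:19000:0:99999:7:::";          # no password login

for my $case (['alice', 'correct horse'], ['alice', 'wrong'],
              ['bob', 'correct horse'], ['daemon', ''], ['nobody', 'x']) {
    my ($user, $pw) = @$case;
    printf "%-8s %-15s => %s\n", $user, "'$pw'",
        verify_password($shadow, $user, $pw) ? 'accepted' : 'rejected';
}
```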
     
  3. lamp

    Hi webignition,

    You make some very good points that should not be overlooked. I would really appreciate some PHP example (which you described in your post).

    Thanks.
    Lamp
     