Verifying user's password in MySQL

lamp

Hello,

I wanted to know your opinion on the following.

I have written a web interface for my clients and would like them to log into it using their cPanel username & password.

Since /etc/shadow is only readable by root and my Perl authentication script is run as 'tomcat' or 'nobody', I decided to authenticate them using the MySQL 'user' table. This seems to be working fine and I cannot see any drawback.

What is your opinion on authenticating my users in such a way? Is there a better way of doing what I am trying to accomplish here?

Thanks.
Lamp
 

webignition

Your main concern will be with the fact that the passwords stored in /etc/shadow and the MySQL 'user' table might not always be the same.

Within a cPanel environment, they should always be the same, assuming that all the correct files/database tables are modified/updated correctly when a user changes their password; however, there is no definitive relationship between the relevant file and database table - in short, it's just by design that you see a relationship between /etc/shadow and the MySQL 'user' table. If the design changes, the relationship is no longer present and your script breaks.

The only reliable method would be to authenticate against /etc/shadow as this, cPanel or no cPanel, should always be the same (unless your OS screws up, in which case you'll have plenty of things to worry about other than /etc/shadow containing invalid data).

Therefore all you need to ensure is that your authentication script runs as root so that you will be able to check the contents of /etc/shadow. This should be possible through a cunning use of the remote access features. I have a selection of scripts that execute as root, called via remote access, that I utilise for automated tasks, although in my case these are PHP scripts; the same principles may apply to Perl.

If you like I'll post a very simple PHP example of how to get scripts running as root as perhaps you can then figure out a similar method for Perl.
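
An added example, not part of either poster's code: a Perl check of a password against shadow(5)-format lines, including the locked-account markers a bare hash comparison would miss. It takes the lines as an argument so that only a small privileged helper ever has to read /etc/shadow; the sample entries are constructed at run time and the `$6$` salt assumes a glibc-style crypt().

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the password field for $user from shadow-format lines, or undef.
sub shadow_hash_for {
    my ($user, @lines) = @_;
    for my $line (@lines) {
        chomp(my $entry = $line);
        my ($name, $hash) = split /:/, $entry, 3;
        return $hash if defined $name && $name eq $user;
    }
    return undef;
}

# Compare two strings without stopping at the first differing byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_password {
    my ($user, $password, @lines) = @_;
    my $hash = shadow_hash_for($user, @lines);
    # Reject: no entry, empty field, or locked/disabled ("!", "*", "!<hash>").
    return 0 if !defined $hash || $hash eq '' || $hash =~ /^[!*]/;
    my $computed = crypt($password, $hash);  # stored hash carries scheme and salt
    return 0 unless defined $computed;       # scheme not supported by this libc
    return const_eq($computed, $hash) ? 1 : 0;
}

# Constructed sample data: the hash is generated here, not taken from a system.
my $hash = crypt('correct horse', '$6$Zx3kQ9pLmN2vT7aB$');
my @shadow = (
    join(':', 'alice',  $hash,     19000, 0, 99999, 7, '', '', ''),
    join(':', 'bob',    "!$hash",  19000, 0, 99999, 7, '', '', ''),  # locked
    join(':', 'daemon', '*',       19000, 0, 99999, 7, '', '', ''),  # no login
);

for my $try (['alice', 'correct horse'], ['alice', 'wrong'],
             ['bob', 'correct horse'], ['daemon', ''], ['nobody', 'x']) {
    my $ok = verify_password(@$try, @shadow);
    printf "%-7s %-15s => %s\n", @$try, $ok ? 'accept' : 'reject';
}
```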
 

lamp

webignition said:
> If you like I'll post a very simple PHP example of how to get scripts running as root as perhaps you can then figure out a similar method for Perl.

Hi webignition,

You make some very good points that should not be overlooked. I would really appreciate a PHP example (which you described in your post).

Thanks.
Lamp