Verifying user's password in MySQL

lamp

Well-Known Member
Dec 22, 2003
111
0
166
Hello,

I wanted to know your opinion on the following.

I have written a web interface for my clients and would like them to log into it using their cpanel username & password.

Since the /etc/shadow is only readable by root and my perl authentication script is run as 'tomcat' or 'nobody', I decided to authenticate them using the MySQL 'user' table. This seems to be working fine and I cannot see any drawback.

What is your opinion on authenticating my users in such a way? Is there a better way of doing what I am trying to accomplish here?

Thanks.
Lamp
 

webignition

Well-Known Member
Jan 22, 2005
1,880
0
166
lamp said:
Hello,

I wanted to know your opinion on the following.

I have written a web interface for my clients and would like them to log into it using their cpanel username & password.

Since the /etc/shadow is only readable by root and my perl authentication script is run as 'tomcat' or 'nobody', I decided to authenticate them using the MySQL 'user' table. This seems to be working fine and I cannot see any drawback.

What is your opinion on authenticating my users in such a way? Is there a better way of doing what I am trying to accomplish here?

Thanks.
Lamp
Your main concern will be with the fact that the passwords stored in /etc/shadow and the MySQL 'user' table might not always be the same.

Within a cPanel environment, they should always be the same, assuming that all the correct files/database tables are modified/updated correctly when a user changes their password, however there is no definitive relationship between the relevant file and database table - in short, it's just by design that you see a relationship between /etc/shadow and the MySQL 'user' table. If the design changes, the relationship is no longer present and your script breaks.

The only reliable method would be to authenticate against /etc/shadow as this, cPanel or no cPanel, should always be the same (unless your OS screws up in which case you'll have plenty of things to worry about other than /etc/shadow containing invalid data).

Therefore all you need to ensure is that your authentication script runs as root so that you will be able to check the contents of /etc/shadow. This should be possible through a cunning use of the remote access features. I have a selection of scripts that execute as root called via remote access that I utilise for automated tasks, although in my case these are PHP scripts although the same principles may apply to Perl.

If you like I'll post a very simple PHP example of how to get scripts running as root as perhaps you can then figure out a similar method for Perl.
 

lamp

Well-Known Member
Dec 22, 2003
111
0
166
webignition said:
If you like I'll post a very simple PHP example of how to get scripts running as root as perhaps you can then figure out a similar method for Perl.
Hi webignition,

You make some very good points that should not be overlooked. I would really appreciate some PHP example (which you described in your post).

Thanks.
Lamp