Question

Given a username and password, I need to check if there s a user on the local system with said username and password.

I m aware of posix_getpwnam and using the PAM package, but both of these methods require that the PHP script have access to /etc/shadow. I d rather not mess with permissions of system files or daemon users.

I imagine that this could be done either by messing with standard system commands such as sudo, or by writing my own small setuid C program. I could also try to connect to localhost via FTP or SSH with said username/password to validate it. Is there a simpler way?

Answer 1

I could also try to connect to localhost via FTP or SSH with said username/password to validate it.

That s what I did in the end (using PHP ssh2 extension). Local commands are also ran via the same connection, under the user s credentials.

Answer 2

If you wanted a more native way you can either roll your own. I would look more into PAM: pam_authenticate.

I mean, you SHOULD be able to create an application that authenticates but doesn t require root using PAM, for example sudo.

But, if you wanted a simpler solution you could just call:

Source login.sh

#!/bin/bash
su $1 < `echo $2` #Need echo for the newline

In the PHP code as an exec statement to login.sh with the first parameter being username and the second being the password.

Answer 3

I believe ftp/ssh is a slick way of doing it assuming the system is always running these.
Another possibility for permissions sake, is to write some script thatll pull those users from /etc/shadow and run this script as a cron job to regularly update it. This script creates a file with permissions only specific to user running your web (apache and what not) and can check with this file or even database the entries to mysql if you really wanted to get crazy.

The first is simple and easy to do, the second is a bit more work. Another way that just came to mind though is to through php execute a system command such as useradd $user and check return. This requires sudo though.

Answer 4

If your script can run su (switch user) command, there is no need to connect over network, but this method is dangerous if user does not have password, since then will be password executed as command. I use this with checking with /etc/group file before, which checks if user s login is in desired group.

function unix_auth_local_user($username, $password)
{
    $ok = false;
    $username = escapeshellarg($username);
    $pipes_spec = [
        ["pipe", "r"],
        [ file ,  /dev/null ,  a ],
        [ file ,  /dev/null ,  a ]
    ];
    $command = escapeshellarg("exit;");
    $process = proc_open( su  .$username.  -c  .$command, $pipes_spec, $pipes);
    if (is_resource($process)) {
        fwrite($pipes[0], $password);
        fclose($pipes[0]);
        $status = proc_close($process);
        $ok = $status === 0;
    }
    return $ok;
}

Also, keep in mind this can trigger user s on logon scripts and after logout scripts (but so does ssh login).

友情链接