
Accessing /etc/shadow from .rhtml file


Samuel Fine

Jun 26, 2006, 7:09:14 PM
(Disclaimer: First post, Ruby n00b, be gentle pls.)

Hello everyone. I'm in the process of writing a web app in Ruby, which
will be using /etc/shadow to handle user accounts and authentication.
I'm running into a bit of a problem though, as /etc/shadow's
permissions don't allow web scripts to access it. I was considering
using require to include an external .rb script written to access
shadow (as an external .rb script won't be handled by Apache, and won't
suffer from the permissions hindrance). But, I worry that using require
would just include the script into the file (sort of like PHP's
include()) and would nullify the advantage of using an external file.

So, to break this down into two simple questions:

1) What is the best (and simplest) way to access /etc/shadow using
eRuby?

2) Is require the only way to call an external script from within a
.rb/.rhtml file, and will doing so simply include the contents of the
called script in the new file?

Thanks!

Senthilnayagam

Jun 26, 2006, 8:20:58 PM
Hi Samuel,

you can call your shell scripts and commands to do it


maybe "sudo" is all you need,

output = %x{shell command}

you can replace "shell command" with your shell command or script, and
output of the command will be returned to "output", which you can
interpret with string functions

if you manage multiple servers, you can use Capistrano to connect to
various servers using SSH and execute your commands there.


If you need detailed info or examples, mail me


regards
A.Senthil Nayagam
http://senthilnayagam.com
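The %x{} form above hands the whole string to /bin/sh, which matters as soon as any part of it comes from a web form. The following is an added example, not code from this thread: it puts the shell form beside the argv form (Open3.capture2, from Ruby's standard library) so the difference is visible, and adds the kind of allowlist check a username field like the one Samuel describes would need. The argument values and the 20-character limit are constructed for the demonstration.

```ruby
# Added example, not code from the thread. Contrast between handing a command
# string to the shell with %x{} and running the program directly with an
# argv array. The argument values are constructed for the demonstration.
require "open3"

# %x{} runs the string through /bin/sh, so whatever is interpolated into it is
# parsed as shell syntax: metacharacters in the value change the command.
def echo_via_shell(value)
  %x{printf '%s\\n' #{value}}
end

# Open3.capture2 with separate arguments execs printf directly; the value
# reaches it verbatim and no shell parsing happens. The exit status is checked
# rather than silently ignored.
def echo_via_argv(value)
  out, status = Open3.capture2("printf", "%s\n", value)
  raise "printf exited with #{status.exitstatus}" unless status.success?
  out
end

# For a username field, an allowlist is the simplest gate: the check runs
# before the value goes anywhere near a command. The 20-character cap is an
# assumption taken from the thread's description of the form.
USERNAME_PATTERN = /\A[a-z_][a-z0-9_-]{0,19}\z/

def valid_username?(name)
  USERNAME_PATTERN.match?(name)
end
```

With a plain value both functions return the same line; with a value containing shell metacharacters only the argv form returns it unchanged, which is the property you want when the value originated in a request.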

Samuel Fine

Jun 27, 2006, 2:12:59 PM
Senthilnayagam wrote:
> Hi Samuel,
>
> you can call your shell scripts and commands to do it
>
>
> maybe "sudo" is all what you need,
>
>
>
> output = %x{shell command}
>
> you can replace "shell command" with your shell command or script, and
> output of the command will be returned to "output", which you can
> interpret with string functions

It seems that sudo wouldn't work, as I'm running Ruby code, not a
specific command from the command line. The code I have right now just
uses File.open to access shadow, and it works when run as root, but not
otherwise.

As far as we (my co-developer and I) can tell, the problem lies in the
fact that www-data is the actual user attempting to access the shadow
file. Would suexec, perhaps, take care of this? If not, do you have any
other ideas?

Thank you for your help so far. While %x didn't solve the specific
problem at hand, it answered another question that I had been looking
to solve!

Thanks again,
Samuel

Jon Evans

Jun 27, 2006, 3:37:04 PM

Samuel Fine wrote:

> As far as we (my co-developer and I) can tell, the problem lies in the
> fact that www-data is the actual user attempting to access the shadow
> file. Would suexec, perhaps, take care of this? If not, do you have any
> other ideas?

The whole point of having /etc/shadow as well as /etc/passwd is that
the encrypted passwords are in /etc/shadow, which is only readable by
root. The 'old' scheme put the encrypted passwords in /etc/passwd,
which could be downloaded and cracked offline using something like john
the ripper. You are opening a security hole up if you try to make it
readable by other users.

Can you do what you're trying to do using /etc/passwd instead, which is
already world-readable?

Jon
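Jon's point is about the file layout: under the shadow scheme the password field in /etc/passwd is just "x" and the hash lives in the root-only /etc/shadow, whereas the old scheme put the hash in the world-readable file. The following is an added example, not code from this thread: it parses constructed passwd- and shadow-format lines and flags the conditions an audit would look for (a hash still in /etc/passwd, an empty password field, and a shadow hash using the legacy MD5 crypt scheme). All sample lines and hash values are constructed placeholders.

```ruby
# Added example, not code from the thread. Parses constructed /etc/passwd and
# /etc/shadow style lines and flags: a password hash sitting in world-readable
# /etc/passwd (the pre-shadow scheme), an empty password field, and, in
# shadow, a hash using a weak legacy crypt(3) scheme.
PasswdEntry = Struct.new(:name, :password, :uid, :gid, :gecos, :home, :shell)
ShadowEntry = Struct.new(:name, :hash, :last_change, :min, :max, :warn,
                         :inactive, :expire, :reserved)

# Constructed sample data: the hash strings are placeholders, not real digests.
PASSWD_SAMPLE = <<~'TXT'
  root:x:0:0:root:/root:/bin/bash
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  legacy:$1$saltsalt$PLACEHOLDERHASHPLACEHO:1001:1001:Legacy:/home/legacy:/bin/sh
  guest::1002:1002:Guest:/home/guest:/bin/sh
TXT

SHADOW_SAMPLE = <<~'TXT'
  root:$6$saltsalt$PLACEHOLDERSHA512HASH:19000:0:99999:7:::
  www-data:*:19000:0:99999:7:::
  olduser:$1$saltsalt$PLACEHOLDERMD5HASH:19000:0:99999:7:::
TXT

# Seven colon-separated fields; a limit keeps empty fields in place.
def parse_passwd(text)
  text.each_line.map(&:chomp).reject(&:empty?).map do |line|
    PasswdEntry.new(*line.split(":", 7))
  end
end

# Nine fields; trailing ones are usually empty.
def parse_shadow(text)
  text.each_line.map(&:chomp).reject(&:empty?).map do |line|
    ShadowEntry.new(*line.split(":", 9))
  end
end

# "x" means the hash lives in /etc/shadow; "*" and "!" mark locked accounts.
# Anything else in this field is either no password at all or a hash that is
# readable by every local user.
def audit_passwd(entries)
  entries.each_with_object({}) do |e, findings|
    if e.password.empty?
      findings[e.name] = :empty_password
    elsif !%w[x * !].include?(e.password)
      findings[e.name] = :hash_in_passwd
    end
  end
end

# crypt(3) id prefixes: $1$ is MD5, $5$ SHA-256, $6$ SHA-512, $y$ yescrypt.
WEAK_PREFIXES = ["$1$"].freeze

def audit_shadow(entries)
  entries.each_with_object({}) do |e, findings|
    next if e.hash.empty? || e.hash.start_with?("*", "!")
    if WEAK_PREFIXES.any? { |p| e.hash.start_with?(p) }
      findings[e.name] = :weak_hash_scheme
    end
  end
end
```

Running the two audits over the samples reports the "legacy" and "guest" passwd entries and the "olduser" shadow entry; the root and www-data entries are the normal, healthy shape.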

Samuel Fine

Jun 27, 2006, 11:07:59 PM
Jon Evans wrote:

> The whole point of having /etc/shadow as well as /etc/passwd is that
> the encrypted passwords are in /etc/shadow, which is only readable by
> root. The 'old' scheme put the encrypted passwords in /etc/passwd,
> which could be downloaded and cracked offline using something like john
> the ripper. You are opening a security hole up if you try to make it
> readable by other users.
>
> Can you do what you're trying to do using /etc/passwd instead, which is
> already world-readable?
>
> Jon

The only time we'll need to access /etc/shadow is during login, and we
will need access to the hashed password to compare it to the user
input. So, unfortunately, passwd won't suffice. Is there any relatively
secure way to access /etc/shadow data from one specific,
tightly-locked-down (as in, only username and password inputs, max 20
characters, all input thoroughly sterilized for any unruly behavior)
.rhtml file? The basic goal is to compare a given username and password
to an existing record in shadow, so any other suggestions would be more
than welcome.

Thanks for the help.

S Wayne

Jun 28, 2006, 12:24:59 AM
/etc/shadow is absolutely NOT supposed to be used in this way. It is
locked down the way it is because of numerous vulnerabilities/exploits
that occurred with the hashed passwd in /etc/passwd. If you want to do
authentication, use PAM or manage logging in in a different way.

Do all of your people have a Unix shell login? Should they? I'd
recommend either using LDAP if the company has network authentication,
or creating a user login table and manage it all through Ruby,
independent of /etc/shadow.

Honestly, /etc/shadow should be considered strictly off limits by any
and all application layer software. If you are going to sell your
software, or if you ever get a security audit, you will get beaten
black and blue for using /etc/shadow directly.
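One of the options named above is a user login table managed entirely in Ruby, independent of /etc/shadow. The following is an added example, not code from this thread or from any of the posters: a minimal in-memory user table that stores salted PBKDF2-HMAC-SHA256 hashes through Ruby's standard-library OpenSSL binding and verifies them with a constant-time comparison. The record format, the iteration count and the dummy-record trick for unknown users are this example's own choices; persistence (a database table, a file) is left to the application.

```ruby
# Added example, not code from the thread. An application-level user table
# that never touches /etc/shadow: passwords are stored as salted
# PBKDF2-HMAC-SHA256 hashes via Ruby's standard-library OpenSSL binding and
# verified with a constant-time comparison. The storage format and the
# parameters below are this example's own choices.
require "openssl"
require "securerandom"

ITERATIONS  = 100_000  # work factor; raise it as hardware gets faster
KEY_LENGTH  = 32       # bytes of derived key stored per user
SALT_LENGTH = 16       # bytes of random salt per user

def derive_key(password, salt, iterations)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: KEY_LENGTH, hash: "sha256")
end

# Compare every byte regardless of where the first mismatch is, so the
# comparison time does not leak how much of the value matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# One record per user: "pbkdf2-sha256$<iterations>$<salt b64>$<key b64>".
# Base64 never contains "$", so the separator is unambiguous.
def encode_record(iterations, salt, key)
  ["pbkdf2-sha256", iterations, [salt].pack("m0"), [key].pack("m0")].join("$")
end

def decode_record(record)
  scheme, iterations, salt, key = record.split("$")
  raise ArgumentError, "unknown scheme #{scheme.inspect}" unless scheme == "pbkdf2-sha256"
  [Integer(iterations), salt.unpack1("m0"), key.unpack1("m0")]
end

class UserTable
  # Constructed dummy record used for unknown usernames (see authenticate).
  DUMMY_RECORD = encode_record(ITERATIONS, "\0" * SALT_LENGTH, "\0" * KEY_LENGTH)

  def initialize
    @records = {} # username => encoded record; persist however the app needs
  end

  def add_user(username, password)
    salt = SecureRandom.random_bytes(SALT_LENGTH)
    key = derive_key(password, salt, ITERATIONS)
    @records[username] = encode_record(ITERATIONS, salt, key)
    true
  end

  # Unknown users are run through the same KDF against the dummy record so the
  # response time does not reveal whether the username exists; the result is
  # still forced to false for them.
  def authenticate(username, password)
    known = @records.key?(username)
    iterations, salt, stored_key = decode_record(known ? @records[username] : DUMMY_RECORD)
    candidate = derive_key(password, salt, iterations)
    secure_compare(candidate, stored_key) && known
  end
end
```

Because the iteration count is stored inside each record, it can be raised later for new or re-hashed users without invalidating existing ones, and nothing in this table requires the process to run as anyone other than the web server user.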

Jon Evans

Jun 28, 2006, 9:23:46 AM
Hi,

Samuel Fine wrote:

> The only time we'll need to access /etc/shadow is during login, and we
> will need access to the hashed password to compare it to the user
> input. So, unfortunately, passwd won't suffice. Is there any relatively
> secure way to access /etc/shadow data from one specific,
> tightly-locked-down (as in, only username and password inputs, max 20
> characters, all input thoroughly sterilized for any unruly behavior)
> .rhtml file? The basic goal is to compare a given username and password
> to an existing record in shadow, so any other suggestions would be more
> than welcome.

A google search for "ruby PAM" found this:
http://ruby-pam.sourceforge.net/ruby-pam.html

That's the kind of thing I'd be looking into if I were you.
/etc/shadow is off-limits for very good reasons. :)

Jon

mathew

Jun 28, 2006, 1:27:21 PM
S Wayne wrote:
> /etc/shadow is absolutely NOT supposed to be used in this way. It is
> locked down the way it is because of numerous vulnerabilities/exploits
> that occurred with the hashed passwd in /etc/passwd. If you want to do
> authentication, use PAM or manage logging in in a different way.

What he said.

There's a Ruby interface to PAM:
<URL:http://ruby-pam.sourceforge.net/ruby-pam.html>


mathew
--
<URL:http://www.pobox.com/~meta/>
My parents went to the lost kingdom of Hyrule
and all I got was this lousy triforce.

Samuel Fine

Jun 30, 2006, 10:56:15 AM
Fair enough. I probably should have mentioned that I'm relatively new
to the inner workings of Apache and Linux as well, so I appreciate
being set straight. ^_^

Ruby/PAM looks like it'll do the job, but I am mildly confused as to
exactly how to use it. I can't seem to find documentation anywhere
(I've been coding in PHP for the past couple years, so I'm used to
rather thorough documentation.) Could anyone throw some basic code
samples my way, or at least link to more information on how to use
Ruby/PAM? Again, all I need to do is query /etc/shadow with a username
and password to see if there is a matching record.

Thanks again!
