
PHP Password / Linux Admin Password Comparison

i have an application that should allow access to linux administrators
only.

iow, i want to code a php script that will be able to compare the
entered password with the linux administrator's password on the fedora
core 4 linux box.

can this be done? if so, how?

tia...

Feb 22 '06 #1
is that possible since the passwords in UNIX are hidden in a file that
cannot be accessed by anyone other than the system? I believe it's a
"Shadow" file, that's what it's called. I'm not positive on that
though...

~aspirany

Feb 22 '06 #2
Your passwords in Linux are in /etc/shadow and are encrypted. In any
Linux distro that has been set up properly your web server/php process
will NOT have access to this file. Come to think of it I cannot tell
you how bad an idea I think this really is, even if you succeed I sure
hope you are running a system as localhost in a closet somewhere with
no Internet connection.

Now here is a better idea: create a MySQL database and track your user
privileges and passwords through it. You can use md5 or crypt PHP
functions to one-way encrypt your passwords and store them in MySQL.

Exposing Linux system passwords over the web is a bad, very bad idea.
If the world has access to the web page, or even a hacker gets through,
they could brute force your web application into discovering the root
password.

My 2 cents

Alex
http://prepared-statement.blogspot.com

Feb 22 '06 #3
Alright tia

First I have to say Alex's idea of using mysql to track usernames is a
better idea than mine and far safer than what I came up with. I urge
you to do what he suggested.

But if you think security is for wimps you could do the following

Use a script that calls the su command to try and change to a user,
then use whoami to see if the user name has changed to what you wanted.
If the username has changed then the password was correct.

This script will do it for you...

<?php

//Change these two
$username = "root";
$password = "yeahright";

//next line not necessary, just for the test
exec( "whoami" , $whoamiThen );

$desc = array(
    0 => array("pipe","r"), //stdin for sending password to su command
    1 => array("pipe","w"), //stdout, to collect the result of whoami
);

//execute su command and open stdin/stdout pipes
$pr = proc_open( "/bin/su $username -c \"whoami\"" , $desc , $pipes );

//su will be now waiting for a password,
fwrite( $pipes[0] , "$password\n" );
fclose( $pipes[0] );

//only if password is correct the whoami command is now run ( from the
//commandline option '-c "whoami"' in 1st argument to proc_open )
//fgets() keeps the trailing newline and returns false when nothing was
//read, so cast and trim before comparing
$whoamiNow = trim( (string) fgets( $pipes[1] ) );
fclose( $pipes[1] );

//close process
$ret = proc_close($pr);

print "I was {$whoamiThen[0]}<br>I am now $whoamiNow\n<br>";
echo "Returned: $ret";

if( $whoamiNow === $username ) {
    //password is good
} else {
    //at least track i.p. address, time and especially limit to 3
    //incorrect attempts then block ip/username from more tries
}

?>

On my system the result was:

I was wwwrun
I am now root
Returned: 0

This script is very very risky, as it is now it allows anyone on the
net unlimited attempts to guess the root password.

If you use it then use get_magic_quotes and addslashes to prevent code
injection with the $username and make sure people are blocked after a
few incorrect attempts, delayed in between attempts and log everything.
It would be best if you block everyone not on a trusted i.p. address.

Tim

Feb 22 '06 #4
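
The attempt limiting, delay and logging recommended in the post above, sketched as an added example that is not part of the original thread. The class name LoginThrottle, the 2-second delay and the 900-second block are assumptions, and the constructor syntax needs PHP 8.

```php
<?php
// Added example, not from the thread; LoginThrottle is a hypothetical in-memory class.
final class LoginThrottle
{
    private array $state = []; // key => [fails, last, blockedUntil]
    public function __construct(
        private int $maxFails = 3,       // "limit to 3 incorrect attempts"
        private int $minDelay = 2,       // seconds enforced between attempts
        private int $blockSeconds = 900  // assumed block duration
    ) {}

    private function key(string $user, string $ip): string
    {
        return hash('sha256', $user . "\0" . $ip);
    }
    // Returns null when an attempt may proceed, else the reason for refusing it.
    public function refusal(string $user, string $ip, int $now): ?string
    {
        $s = $this->state[$this->key($user, $ip)] ?? null;
        if ($s === null) return null;
        if ($now < $s['blockedUntil']) return 'blocked';
        if ($now - $s['last'] < $this->minDelay) return 'too-soon';
        return null;
    }

    // Records the outcome of an attempt and returns the line to append to the log.
    public function record(string $user, string $ip, bool $ok, int $now): string
    {
        $k = $this->key($user, $ip);
        $s = $this->state[$k] ?? ['fails' => 0, 'last' => 0, 'blockedUntil' => 0];
        $s['fails'] = $ok ? 0 : $s['fails'] + 1;
        $s['last'] = $now;
        if ($s['fails'] >= $this->maxFails) {
            $s['blockedUntil'] = $now + $this->blockSeconds;
            $s['fails'] = 0;
        }
        $this->state[$k] = $s;
        // json_encode() escapes newlines so a crafted username cannot forge log lines
        return sprintf("%s user=%s ip=%s result=%s", gmdate('c', $now),
            json_encode($user), $ip, $ok ? 'ok' : 'fail');
    }
}

// Constructed walk-through: four wrong guesses, three seconds apart.
$t = new LoginThrottle();
foreach ([1000, 1003, 1006, 1009] as $now) {
    $why = $t->refusal('root', '192.0.2.10', $now);
    echo $why ?? $t->record('root', '192.0.2.10', false, $now), "\n";
}
```

State is held in memory here only so the logic can be run on its own; between real requests it has to live in a file or database that the web process can write.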
thanks for the input. i agree this is a security nightmare, but the
product engineer wants to do this. the product is a stand alone
product. the laptop is hooked up directly to the product and the
product has no internet access. however, if the laptop was wirelessly
on a network while accessing the product, security might be an issue.

i think the goal of the product engineer is as follows:

1. only allow a person who has root access to access the product's
program.
2. if the root password is changed, the password for the program should
be changed, too - thus enabling the root password holder access w/o the
pain of setting the password twice.

i am using a xml file as a db, however, that wouldn't meet criteria #2
above, unless there was a way to automatically update the password in
the file when the root password was updated.

obviously, i wouldn't want this in plain text. ;-)

my thought is to get the encrypted value of the root password into php
(not the actual password, mind you) and then compare it to the
encrypted value of the user input.

1. i'd need to have access to the encrypted root password (link,
symlink, maybe).
2. i'd need to know the encryption method so i could duplicate the
process in php and compare the encrypted password values.

is this doable?

i will mull over tihu's code and see if it applies to this case. the
product shouldn't be connected to the net, but i don't know if the
accessing laptop will be connected to the internet while accessing the
product.

Feb 22 '06 #5
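
On the question of knowing the "encryption method": a crypt(3)-style hash string names its own scheme and salt, so a verifier re-hashes the candidate with the stored string as the salt argument and compares the results. The following is an added example, not code from the thread; the function names are hypothetical and the sample hash is constructed at run time rather than taken from any system.

```php
<?php
// Added example; function names are hypothetical and the sample hash below is
// constructed at run time from a made-up passphrase, not taken from any system.

// Splits an MD5-crypt / SHA-crypt string: $id$[rounds=N$]salt$digest
function describe_crypt_hash(string $stored): ?array
{
    $schemes = ['1' => 'MD5-crypt', '5' => 'SHA-256-crypt', '6' => 'SHA-512-crypt'];
    $re = '/^\$(1|5|6)\$(?:rounds=(\d+)\$)?([^$]+)\$([.\/0-9A-Za-z]+)$/';
    if (!preg_match($re, $stored, $m)) {
        return null; // e.g. "!" or "*" (locked account) or a scheme not handled here
    }
    return [
        'scheme' => $schemes[$m[1]],
        'rounds' => $m[2] !== '' ? (int) $m[2] : null, // null = scheme default
        'salt'   => $m[3],
    ];
}

// Re-hashes the candidate with the scheme, rounds and salt embedded in $stored.
function verify_against_crypt(string $candidate, string $stored): bool
{
    if (describe_crypt_hash($stored) === null) {
        return false; // never feed an unparseable string to crypt() as a salt
    }
    // hash_equals() compares in constant time; crypt() returns "*0"/"*1" on error
    return hash_equals($stored, crypt($candidate, $stored));
}

// Constructed sample: SHA-512-crypt with an explicit salt and round count.
$stored = crypt('constructed-passphrase', '$6$rounds=5000$ExampleSalt12345$');

print_r(describe_crypt_hash($stored));
var_dump(verify_against_crypt('constructed-passphrase', $stored)); // right passphrase
var_dump(verify_against_crypt('wrong-guess', $stored));            // wrong passphrase
```

PHP's built-in password_verify() accepts the same crypt-format strings and performs the same constant-time comparison.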
