Bytes | Software Development & Data Engineering Community

PHP Password / Linux Admin Password Comparison

I have an application that should allow access to Linux administrators
only.

IOW, I want to code a PHP script that will be able to compare the
entered password with the Linux administrator's password on the Fedora
Core 4 Linux box.

Can this be done? If so, how?

TIA...

Feb 22 '06 #1
Is that possible, since the passwords in UNIX are hidden in a file that
cannot be accessed by anyone other than the system? I believe it's a
"shadow" file, that's what it's called. I'm not positive on that
though...

~aspirany

Feb 22 '06 #2
Your passwords in Linux are in /etc/shadow and are encrypted. In any
Linux distro that has been set up properly, your web server/PHP process
will NOT have access to this file. Come to think of it, I cannot tell
you how bad an idea I think this really is; even if you succeed, I sure
hope you are running a system as localhost in a closet somewhere with
no Internet connection.

Now here is a better idea: create a MySQL database and track your user
privileges and passwords through it. You can use the md5 or crypt PHP
functions to one-way encrypt your passwords and store them in MySQL.

Exposing Linux system passwords over the web is a bad, very bad idea.
If the world has access to the web page, or even if a hacker gets through,
they could brute force your web application into discovering the root
password.

My 2 cents

Alex
http://prepared-statement.blogspot.com

Feb 22 '06 #3
Alright tia

First I have to say Alex's idea of using MySQL to track usernames is a
better idea than mine and far safer than what I came up with. I urge
you to do what he suggested.

But if you think security is for wimps, you could do the following:

Use a script that calls the su command to try to change to a user,
then use whoami to see if the user name has changed to what you wanted.
If the username has changed, then the password was correct.

This script will do it for you...

<?php

// Change these two
$username = "root";
$password = "yeahright";

// Next line not necessary, just for the test
exec("whoami", $whoamiThen);

$desc = array(
    0 => array("pipe", "r"), // stdin, for sending the password to the su command
    1 => array("pipe", "w"), // stdout, to collect the result of whoami
);

// Execute the su command and open stdin/stdout pipes.
// escapeshellarg() keeps a crafted $username from being interpreted by the shell.
$pr = proc_open("/bin/su " . escapeshellarg($username) . " -c \"whoami\"", $desc, $pipes);

// su will now be waiting for a password
fwrite($pipes[0], "$password\n");
fclose($pipes[0]);

// Only if the password is correct is the whoami command run (from the
// command-line option '-c "whoami"' in the 1st argument to proc_open).
// fgets() keeps the trailing newline, so trim it before comparing.
$whoamiNow = trim((string) fgets($pipes[1]));
fclose($pipes[1]);

// Close process
$ret = proc_close($pr);

print "I was {$whoamiThen[0]}<br>I am now $whoamiNow\n<br>";
echo "Returned: $ret";

if ($whoamiNow === $username) {
    // password is good
} else {
    // at least track IP address and time, and especially limit to 3
    // incorrect attempts, then block the IP/username from more tries
}

?>

On my system the result was:

I was wwwrun
I am now root
Returned: 0

This script is very, very risky; as it is now, it allows anyone on the
net unlimited attempts to guess the root password.

If you use it, then use get_magic_quotes and addslashes to prevent code
injection via $username, make sure people are blocked after a few
incorrect attempts and delayed in between attempts, and log everything.
It would be best if you blocked everyone not on a trusted IP address.

Tim

Feb 22 '06 #4
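Tim's post says to track the IP address and time, limit the caller to three incorrect attempts, delay between attempts and log everything. The block below is an added example, not code from the thread, showing one way to implement exactly that policy so it can be unit-tested: failures are counted per (client IP, username) key, each failure imposes a doubling delay, the third failure blocks the key for a longer period, and every event lands in an audit list. The threshold and timing values are assumptions; the clock is injectable so the behaviour can be checked without sleeping. It is Python rather than PHP so it runs as-is; in a PHP application the same state would have to live in a database or file, since each request is a fresh process.

```python
import time
from typing import Callable, Dict, List, Tuple

Key = Tuple[str, str]   # (client IP, username)


class ManualClock:
    """Settable clock so the throttle's timing can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Per (IP, username) failure tracking: growing delay, then a hard block.

    Illustrative policy (the values are assumptions, not from the thread):
    failure n < max_failures  -> next attempt allowed after base_delay * 2**(n-1) seconds
    failure n >= max_failures -> blocked for block_seconds
    A successful login clears the record for that key.
    """

    def __init__(self, max_failures: int = 3, base_delay: float = 2.0,
                 block_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.block_seconds = block_seconds
        self.clock = clock
        self.state: Dict[Key, Tuple[int, float]] = {}   # key -> (failures, not_before)
        self.audit: List[Tuple[float, Key, str]] = []   # the "log everything" part

    def check(self, key: Key) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) without touching the counters."""
        now = self.clock()
        _failures, not_before = self.state.get(key, (0, 0.0))
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record_failure(self, key: Key) -> float:
        """Register a wrong password; returns the delay imposed on the next attempt."""
        now = self.clock()
        failures = self.state.get(key, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            wait, event = self.block_seconds, "blocked"
        else:
            wait, event = self.base_delay * 2 ** (failures - 1), "failure"
        self.state[key] = (failures, now + wait)
        self.audit.append((now, key, f"{event} #{failures}, wait {wait:g}s"))
        return wait

    def record_success(self, key: Key) -> None:
        self.state.pop(key, None)
        self.audit.append((self.clock(), key, "success"))


def attempt(throttle: LoginThrottle, client_ip: str, username: str, password: str,
            verify: Callable[[str, str], bool]) -> str:
    """Gate a password check behind the throttle; the verifier only runs when allowed."""
    key = (client_ip, username)
    allowed, wait = throttle.check(key)
    if not allowed:
        throttle.audit.append((throttle.clock(), key, "rejected while throttled"))
        return f"throttled: retry in {wait:g}s"
    if verify(username, password):
        throttle.record_success(key)
        return "allowed"
    throttle.record_failure(key)
    return "denied"


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    th = LoginThrottle(clock=clock)
    # Stand-in verifier for the demo; a real one would check the stored hash.
    check = lambda user, pw: user == "root" and pw == "correct horse"
    for pw in ("a", "b", "c"):
        print(attempt(th, "203.0.113.5", "root", pw, check))
        clock.advance(10.0)
    print(attempt(th, "203.0.113.5", "root", "correct horse", check))  # still blocked
    clock.advance(900.0)
    print(attempt(th, "203.0.113.5", "root", "correct horse", check))  # block expired
    for entry in th.audit:
        print(entry)
```

Keying on (IP, username) rather than IP alone stops one client from burning through several accounts, and the verifier is never invoked while a key is throttled, so a locked-out attacker learns nothing about the password during the block.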
Thanks for the input. I agree this is a security nightmare, but the
product engineer wants to do this. The product is a stand-alone
product. The laptop is hooked up directly to the product, and the
product has no Internet access. However, if the laptop was wirelessly
on a network while accessing the product, security might be an issue.

I think the goal of the product engineer is as follows:

1. Only allow a person who has root access to access the product's
program.
2. If the root password is changed, the password for the program should
be changed too, thus enabling the root password holder access w/o the
pain of setting the password twice.

I am using an XML file as a DB; however, that wouldn't meet criterion #2
above, unless there was a way to automatically update the password in
the file when the root password was updated.

Obviously, I wouldn't want this in plain text. ;-)

My thought is to get the encrypted value of the root password (not the
actual password, mind you) into PHP and then compare it to the
encrypted value of the user input.

1. I'd need to have access to the encrypted root password (link,
symlink, maybe).
2. I'd need to know the encryption method so I could duplicate the
process in PHP and compare the encrypted password values.

Is this doable?

I will mull over Tim's code and see if it applies to this case. The
product shouldn't be connected to the net, but I don't know if the
accessing laptop will be connected to the Internet while accessing the
product.

Feb 22 '06 #5
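Alex's post suggests storing passwords hashed with crypt, and the question above asks how to reproduce the system's "encryption method" so the value in /etc/shadow can be compared with the hash of the entered password. The block below is an added example, not code from the thread, covering both: it parses shadow entries (treating locked, disabled and never-set accounts as non-verifying) and implements the MD5-based crypt(3) scheme, the "$1$" prefix that Linux distributions of that era used by default, then compares in constant time. The shadow lines are constructed for the example; the root entry carries the known md5-crypt answer for the password "rasmuslerdorf" with salt "rasmusle" that appears in the PHP manual's crypt() example, used here as a known-answer check. It is Python rather than PHP so it runs as-is; the PHP equivalent of the comparison is `crypt($input, $stored) === $stored`, since crypt() takes the scheme and salt from the stored hash.

```python
import hashlib
import hmac

# crypt(3)'s base-64 alphabet (not the RFC 4648 one).
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample /etc/shadow contents. The root line carries the known
# md5-crypt answer for password "rasmuslerdorf" with salt "rasmusle"; bin is
# disabled ("*") and apache has never had a password set ("!!").
SAMPLE_SHADOW = """\
root:$1$rasmusle$rISCgZzpwk3UhDidwXvin0:13200:0:99999:7:::
bin:*:13200:0:99999:7:::
apache:!!:13200:0:99999:7:::
"""


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters, low six bits first, as crypt(3) does."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-based crypt(3) ("$1$"), following the FreeBSD reference algorithm."""
    magic = b"$1$"
    if salt.startswith(magic):
        salt = salt[len(magic):]
    salt = salt.split(b"$", 1)[0][:8]    # salt stops at '$' and is at most 8 bytes

    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                 # fold in the alternate sum, 16 bytes per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                          # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                # fixed 1000-round stretching loop
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode("ascii")


def lookup_shadow_hash(shadow_text: str, username: str):
    """Return the password field for `username`, or None if there is no entry."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == username:
            return fields[1]
    return None


def verify_shadow_password(shadow_text: str, username: str, password: str) -> bool:
    """True only if `password` reproduces the stored hash of a usable account."""
    stored = lookup_shadow_hash(shadow_text, username)
    if stored is None or stored == "" or stored[0] in "!*":
        return False                     # unknown, locked, disabled or never set: never verifies
    if not stored.startswith("$1$"):
        raise ValueError("only md5-crypt ($1$) entries are handled in this example")
    salt = stored.split("$")[2]
    candidate = md5_crypt(password.encode("utf-8"), salt.encode("ascii"))
    # Constant-time comparison so the stored hash cannot be confirmed byte by byte.
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    print(md5_crypt(b"rasmuslerdorf", b"rasmusle"))
    for user, pw in (("root", "rasmuslerdorf"), ("root", "wrong"), ("bin", ""), ("apache", "x")):
        print(user, verify_shadow_password(SAMPLE_SHADOW, user, pw))
```

Two caveats a practitioner would add. Whatever performs this comparison still has to read /etc/shadow, so it needs root or the shadow group, and that should be a separate, minimal helper rather than a privilege handed to the web server; on a real system the usual route to "check this password against the local account" is PAM, which does the reading and scheme selection itself. And md5-crypt is a fixed 1000-round MD5 construction, fast enough to brute-force with modern hardware, which is another reason the thread's advice to throttle and log attempts stands regardless of where the hash comes from.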
