I have written a cgi-bin application in C that runs in a browser and allows the user to open an interactive shell and view & edit files on a Linux machine. It runs as the standard apache "www-data" user. I just added a login screen to it where the user types in their name and password (in a form) but I cannot authenticate the user using getspnam since this function only works when running as root.
What options do I have to check the login credentials of a user when not running as root?
PS: In my interactive shell I can type "su root" and then type in my password and it does elevate to root fine so it obviously can be done interactively.
I think you want to take a look at Pluggable authentication modules. AFAIK, PAM handles all the messy stuff for you and you just need to do a few function calls to authenticate the user on whatever the backend to authenticate users on the Linux host is (be it shadow passwords, nis, ldap, whatever)
Here's a short guide about integrating your C code with them.
With regard to your PS: Well, when you do a su root you're switching to the root user. So yes, of course, root can read the shadow file, you all ready said that.
With regard to your problem: Can't you have your apache processes temporarily elevate to root (by calling setuid or similar) to perform the authentication?
Good luck!
As suggested, I think PAM is the modern way to do this. But if you want to go old school, you need to create a setuid-root program (not a script) to do your authentication.
There are lots of gotchas with setuid-root programs, which is why PAM is likely better.
Here's a link to some good papers on safely writing setuid-root programs.
Related
A server applicaton I wrote is running as root at the moment and authenticates local system users with getspnam() and crypt() which requires root privilege to access the shadow file. Now I want that application not to run as root in a production system. What are the alternatives without ever requiring root for authenticating local users? The application is running under debian at the moment but is written portable in general.
None of those files you read are supposed to be read by a userspace application. They are system files. The administrator is free to leave the files in place but inhibit their contents - a perfectly valid scenario - and there may well be user information that goes beyond what's in those files. Say, if the machine is joined to an Active Directory domain, or otherwise uses LDAP for authentication: the user list will come from the directory, with passwd having just the local system accounts and nothing else. System services need those files in /etc, and that's that - specifically, the PAM module that provides local accounts :)
Thus: use Pluggable Authentication Modules (PAM). You'll be using the public interface to PAM. Since PAM is cross-platform, it will work on other unices, say Solaris.
I need to create a directory in /var/log using a C program which does NOT run with superuser rights.
This linked question didn't help me!
I understand that the file permissions of /var/log does not allow us to write in it nor do I want to change it.
I use mkdir() to create the directory which fails for obvious reasons.
So, is it possible for a normal (with no root rights) C program to create a directory in /var/log?
My goal: To create a directory using a C program in /var/log without changing the parent's file permission. Should I run my program as root? But I would prefer not to.
Kindly help.
TIA
You cannot programmatically overturn the filesystem's access control.
What you could try to do instead is to use an existing logging mechanism that is provided by the system. For example, journald that comes with systemd allows for per-user logging.
If your program runs as a user, it should only use the user's home directory to store files, wether it being configuration or logging. Think about it this way: What happens if several users want to use your program at the same time?
If your program really is a system daemon, have a look at other software that runs under their own user. They could either have their own logging directory be prepared by the init script that calles them (running the daemon itself as a different user), or they purge their priviledges during startup. An example is httpd, which needs root priviledges to listen on port 80.
I have a server component that reads its configuration from a file. The configuration file is also read and written by an administration component. The components are separate programs, and they will be running under separate accounts. I want to change the ACL on the configuration file to:
application: read
administration: read and write
Its important to drop write from the application because the application opens a listening socket. That is, its high risk and I want to contain it as much as possible.
After some searching, it looks like ioctl is used to do it in C. ioctl_list offers a list of control codes but its not apparent to me how to add two users with different permissions on the configuration file. The man page online at die.net does not discuss the permissions in-depth or offer sample code. For example the word "perm" (root of "permission") only shows up once in the discussion.
On Windows, reducing permission to honor least privilege is drawn out but its pretty straight forward (Richter gives good examples in his Advanced Windows programming series).
How does one change permissions on a linux file using C APIs? What control codes are to be used?
Thanks in advance.
This is not done with ioctl, but rather with dedicated system calls: chmod, chown, and chgrp for the basic user/group/other set of file permissions, and acl_* for full-fledged ACLs. You probably also want to know about the setuid, setgid, and setgroups system calls, which are how you drop privileges in a running application.
You can accomplish your goals using only the basic user/group/other permissions. Configure your system as follows:
The server application has a dedicated user ID and group; let's say they are both named nlserver ("nl" for "noloader").
The administrative component also has a dedicated user ID and group, let's say nladmin.
The configuration file is set to be mode 0640 (aka -rw-r-----) and owned by user nladmin, group nlserver. (The code responsible for doing this should be in the administrative component, not the server itself.)
When the server starts up, after doing everything it needs to do as root (e.g. bind low-numbered ports), it uses setgroups, setgid, and setuid (IN THAT ORDER!) to change to user nlserver, group nlserver, and clear the supplementary groups list. Only after doing so does it open the configuration file.
First of all, the goals are not security nor user-friendliness. (Meaning no visual crap and no password encoding/ mega security stuff)
Server-side I want the simplest thing possible. Just a way to authenticate some ~5 users but knowing who they are when they do. Once they are authenticated I'll serve them a file (I haven't decided yet what, .txt or xml or something) and they won't be able to do anything else.
So from the program standpoint, I need to connect to my server, authenticate somehow, get a file, and disconnect. The user only interacts with the program with a simple user/pass combo. The rest is automatic. I was looking to libcurl for the connection+authentication+download, but I would like to hear suggestions because from this list: libcurl competitors, there seems to be much offer available.
I think of it as the same as when I do sudo aptitude install, but the sudo part would go on the server if that makes any sense.
So my question is, how can I make a page with an authentication (note that it doesn't have to have any visual output) which then lets the program download a file. And how do I connect to it?
Simplest thing possible would be to keep the path to the files secret and authenticating people by giving them the link.
You might find this page on HTTP Basic authentication useful. You can either roll your own HTTP server or configure an existing httpd. Then, you can write a simple shell script that calls out to curl to authenticate and download the page.
If your users can have accounts on the server, a way would be to use the scp command. They will be prompted for their password. You can wrap it in a shell script or call it from a C program using system or equivalent.
Edit: Then you may look into protecting a directory by a .htaccess and a .htpsswd. I don't know it is accessible through libcurl or any other C library though.
I need to write a C program that will allow me to read/write files that are owned by root. However, I can only run the code under another user. I have the root password, but there are no "sudo" or "su" commands on the system, so I have no way of accessing the root account (there are practically no shell commands whatsoever, actually). I don't know a whole lot about UNIX permissions, so I don't know whether or not it is actually possible to do this without exploiting the system in some way or running a program owned by root itself (with +s or whatever). Any advice?
Thanks!
P.S. No, this isn't anything malicious, this is on an iPhone.
Under the UNIX permissions system, you need to run a file owned by root itself that's marked setuid-root (+s, as you said) or communicate with some process that is already running as root.
If there is no such file, you are out of luck.
You can do this with setting suid bit to application, but if you want from this c application run a some shell this was be runned on local user if you do it normally this is security system.
However you can read/write/execute files owned by root, but if your user is not in group of file your target file must have setted read/write/execute on last 3 bits or when your user is in file owner group you must check/apply this to 3 bits in middle position. (3 first bits setting permission to owner but this may not by a usable information for you).
If you dont have any access to root account. Then if group and other user permissions dont access functions as you must have, you can't do with this anything except trying get some prilveaged user for access this file. In other cases you can do some fixes in file access permissions but not from this system, you must get hard drive from this device and attach to other to change it or load on this device some live system to change this. However you can do this on privleaged system not on this.
More information about SUID bits you can find at:
http://www.codecoffee.com/tipsforlinux/articles/028.html
http://www.everyjoe.com/newlinuxuser/explain-what-is-setuid-and-setgid/
The iPhone SDK doesn't allow this. Your application is sandboxed and it is not allowed to go outside of that sandbox except in very specific ways provided by Apple. The only way to do this on an iPhone is to jailbreak it.