From owner-freebsd-security Sun Aug 22 17:18:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 0D01314D54 for ; Sun, 22 Aug 1999 17:18:15 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id RAA33539; Sun, 22 Aug 1999 17:17:59 -0700 (PDT) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <199908230017.RAA33539@gndrsh.dnsmgr.net> Subject: Re: getting passwored data via a perl cgi In-Reply-To: <19990822223619.B11240@keltia.freenix.fr> from Ollivier Robert at "Aug 22, 1999 10:36:19 pm" To: roberto@keltia.freenix.fr (Ollivier Robert) Date: Sun, 22 Aug 1999 17:17:58 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > According to Colin Eric Johnson: > > Is there a way to allow other users access to complete password database? > > I understand, basically, why this is restricted but I'm not sure how else > > to solve this given FreeBSDs restrictions. > > Either you make it setuid root or you wipe up a daemon that runs as root and wip? > make your script discuss with the daemon. The daemon could cache entries for > example (although pwd lookups should be fast thanks to the DB files). You can find a program used by cyrus for just what you are trying to do in ports/mail/cyrus, it's called pwcheck. There are probably some others around, this is just one that I ran accross recently. IMHO making your cgi script suid root would be asking for a security breach some day, probably sooner than latter. Cyrus is a a large daemon, but it took this route for dealing with this problem for good reasons. -- Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message