PHP:验证本地unix用户(无需直接访问/etc/shadow)

发布于 2024-09-10 22:36:50 字数 285 浏览 7 评论 0原文

给定用户名和密码,我需要检查本地系统上是否存在具有所述用户名和密码的用户。

我知道 posix_getpwnam 并使用 PAM 包,但这两种方法都要求 PHP 脚本能够访问 /etc/shadow 。我不想弄乱系统文件或守护程序用户的权限。

我想这可以通过扰乱标准系统命令(例如 sudo )或编写我自己的小型 setuid C 程序来完成。我还可以尝试使用所述用户名/密码通过 FTP 或 SSH 连接到本地主机来验证它。有没有更简单的方法?

Given a username and password, I need to check if there's a user on the local system with said username and password.

I'm aware of posix_getpwnam and using the PAM package, but both of these methods require that the PHP script have access to /etc/shadow. I'd rather not mess with permissions of system files or daemon users.

I imagine that this could be done either by messing with standard system commands such as sudo, or by writing my own small setuid C program. I could also try to connect to localhost via FTP or SSH with said username/password to validate it. Is there a simpler way?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

千里故人稀 2024-09-17 22:36:50

如果您想要更本地化的方式,您可以自己推出。我会看看
更多关于PAMpam_authenticate

我的意思是,您应该能够创建一个使用 PAM 进行身份验证但不需要 root 的应用程序,例如 sudo。

但是,如果您想要一个更简单的解决方案,您可以调用:

Source login.sh

#!/bin/bash
su $1 < `echo $2` #Need echo for the newline

在 PHP 代码中作为 login.shexec 语句,第一个参数是用户名和第二个是密码。

If you wanted a more native way you can either roll your own. I would look
more into PAM: pam_authenticate.

I mean, you SHOULD be able to create an application that authenticates but doesn't require root using PAM, for example sudo.

But, if you wanted a simpler solution you could just call:

Source login.sh

#!/bin/bash
su $1 < `echo $2` #Need echo for the newline

In the PHP code as an exec statement to login.sh with the first parameter being username and the second being the password.

〗斷ホ乔殘χμё〖 2024-09-17 22:36:50
  1. 我相信 ftp/ssh 是一种巧妙的方法,假设系统始终运行它们。

  2. 出于权限考虑,另一种可能性是编写一些脚本,从 /etc/shadow 中提取这些用户,并将该脚本作为 cron 作业运行以定期更新它。该脚本创建一个仅具有特定于运行您的网络的用户(apache 等)的权限的文件,并且可以检查该文件,甚至可以检查 mysql 的条目(如果您真的想疯狂的话)。

第一个简单易行,第二个则需要更多工作。我想到的另一种方法是通过 php 执行系统命令,例如 useradd $user 并检查返回。但这需要 sudo。

  1. I believe ftp/ssh is a slick way of doing it assuming the system is always running these.

  2. Another possibility for permissions sake, is to write some script thatll pull those users from /etc/shadow and run this script as a cron job to regularly update it. This script creates a file with permissions only specific to user running your web (apache and what not) and can check with this file or even database the entries to mysql if you really wanted to get crazy.

The first is simple and easy to do, the second is a bit more work. Another way that just came to mind though is to through php execute a system command such as useradd $user and check return. This requires sudo though.

骄傲 2024-09-17 22:36:50

我还可以尝试使用所述用户名/密码通过 FTP 或 SSH 连接到本地主机来验证它。

这就是我最终所做的(使用 PHP ssh2 扩展)。本地命令也可以在用户的​​凭据下通过同一连接运行。

I could also try to connect to localhost via FTP or SSH with said username/password to validate it.

That's what I did in the end (using PHP ssh2 extension). Local commands are also ran via the same connection, under the user's credentials.

白云不回头 2024-09-17 22:36:50

如果您的脚本可以运行 su (切换用户)命令,则无需通过网络连接,但如果用户没有密码,此方法是危险的,因为这样会作为命令执行的密码。我之前使用它检查 /etc/group 文件,该文件检查用户的登录是否在所需的组中。

function unix_auth_local_user($username, $password)
{
    $ok = false;
    $username = escapeshellarg($username);
    $pipes_spec = [
        ["pipe", "r"],
        ['file', '/dev/null', 'a'],
        ['file', '/dev/null', 'a']
    ];
    $command = escapeshellarg("exit;");
    $process = proc_open('su '.$username.' -c '.$command, $pipes_spec, $pipes);
    if (is_resource($process)) {
        fwrite($pipes[0], $password);
        fclose($pipes[0]);
        $status = proc_close($process);
        $ok = $status === 0;
    }
    return $ok;
}

另外,请记住,这可能会触发用户的登录脚本和注销后脚本(但 ssh 登录也是如此)。

If your script can run su (switch user) command, there is no need to connect over network, but this method is dangerous if user does not have password, since then will be password executed as command. I use this with checking with /etc/group file before, which checks if user's login is in desired group.

function unix_auth_local_user($username, $password)
{
    $ok = false;
    $username = escapeshellarg($username);
    $pipes_spec = [
        ["pipe", "r"],
        ['file', '/dev/null', 'a'],
        ['file', '/dev/null', 'a']
    ];
    $command = escapeshellarg("exit;");
    $process = proc_open('su '.$username.' -c '.$command, $pipes_spec, $pipes);
    if (is_resource($process)) {
        fwrite($pipes[0], $password);
        fclose($pipes[0]);
        $status = proc_close($process);
        $ok = $status === 0;
    }
    return $ok;
}

Also, keep in mind this can trigger user's on logon scripts and after logout scripts (but so does ssh login).

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文