
Author Topic: FPHttpServer and linux auth

GreyCrazyWolf

  • Newbie
  • Posts: 2
FPHttpServer and linux auth
« on: September 13, 2023, 08:54:32 am »
Hello all!
I am creating an HTTP server application using FPHttpServer and I have a question, how can I perform authorization by an existing Linux user?
I can verify that a user exists by login name as follows:

```pascal
// Needs the pwd unit (users package) for PPasswd and fpgetpwnam.
function TMySvr.CheckLinuxUser(AUserName, APassword: String): Boolean;
var
  Pwd: PPasswd;
begin
  Result := False;

  // Look the login name up in the system user database
  Pwd := fpgetpwnam(PChar(AUserName));

  if Pwd <> nil then
  begin
    // if Pwd not nil - user exists
    // Now, need to check the password is correct  :-\
  end;
end;
```

Leledumbo

  • Hero Member
  • *****
  • Posts: 8717
  • Programming + Glam Metal + Tae Kwon Do = Me
Re: FPHttpServer and linux auth
« Reply #1 on: September 13, 2023, 12:46:23 pm »
There's not really an easy way as there's no direct single API for that.
The non-programmatic way is more or less like this:

```bash
$ sudo grep $USER /etc/shadow
```

This will spit out the current user's shadow entry (note the sudo, this file is protected from non-root access by default); it should be in the form of:

```
<username>:$<hash method as an integer>$<salt>$<hashed password>:<ignore>
```

Now ask OpenSSL for help:

```bash
$ openssl passwd -<hash method as an integer> -salt <salt>
```

You will be prompted for a password; input the user's password. The result should be the same as <hashed password> above.

Bypassing the sudo without compromising security is something I haven't found a way out for. OpenSSL hashing method might be convertible with something from fcl-hash, but I haven't tried finding yet.

PierceNg

  • Sr. Member
  • ****
  • Posts: 362
    • SamadhiWeb
Re: FPHttpServer and linux auth
« Reply #2 on: September 13, 2023, 03:20:44 pm »
Quote from: GreyCrazyWolf
Hello all!
I am creating an HTTP server application using FPHttpServer and I have a question, how can I perform authorization by an existing Linux user?

PAM - Pluggable Authentication Modules

See https://linux.die.net/man/8/pam_unix:
Quote
This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.

Then see Apache mod_pam and Nginx mod_pam:
- https://github.com/adelton/mod_authnz_pam
- https://github.com/sto/ngx_http_auth_pam_module
- https://serverfault.com/questions/372719/how-to-use-nginx-pam-module

Also, there's this forum thread:
- https://forum.lazarus.freepascal.org/index.php?topic=58386.0

GreyCrazyWolf

  • Newbie
  • Posts: 2
Re: FPHttpServer and linux auth
« Reply #3 on: September 13, 2023, 06:34:28 pm »
Quote from: Leledumbo
There's not really an easy way as there's no direct single API for that.
Thank you very much.
So far I have rewritten the function in this way:

```pascal
// Needs the Process unit (RunCommand) and the pwd unit (fpgetpwnam).
function TMySvr.CheckLinuxUser(AUserName, APassword: String): Boolean;
var
  Pwd          : PPasswd;
  outString    : String;
  outArrayF    : TStringArray;
  outArrayS    : TStringArray;
  outArrayT    : TStringArray;
begin
  Result := False;

  // Retrieve user information from the Linux user database
  Pwd := fpgetpwnam(PChar(AUserName));
  if Pwd <> nil then
    begin
      // Read the user's shadow entry: <name>:$<method>$<salt>$<hash>:...
      if RunCommand(Format('sudo grep %s /etc/shadow', [AUserName]), outString) then
        begin
          outArrayF := outString.Split(':');
          outArrayS := outArrayF[1].Split('$');
          // Recompute the hash with the same method and salt, then compare
          if RunCommand(Format('openssl passwd -%s -salt %s %s', [outArrayS[1], outArrayS[2], APassword]), outString) then
            begin
              outArrayT := outString.Replace(#10, '').Split('$');
              Result :=  outArrayS[3] = outArrayT[3];
            end;
        end;
    end;
end;
```
It works fine on the test vbox
Part can be removed after debugging

Quote from: PierceNg
PAM - Pluggable Authentication Modules
Thank you very much.
I'll try to use
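The shadow recipe from Reply #1 can be done in-process, which avoids the sudo/grep/openssl pipeline of Reply #3 and its substring grep, and keeps the login name and password off any command line. This is an added example, not code from the thread: it assumes glibc on 64-bit Linux (the getspnam(3) and crypt(3) bindings and the struct spwd layout are declared by hand), and the process must run as root or in the shadow group, since getspnam returns nil otherwise.

```pascal
program ShadowCheck;
{$mode objfpc}
uses
  ctypes;
type
  PSpwd = ^TSpwd;
  TSpwd = record   // struct spwd from <shadow.h>, glibc LP64 layout (assumed)
    sp_namp, sp_pwdp: PChar;   // login name; "$id$salt$hash", or "!"/"*" when locked
    sp_lstchg, sp_min, sp_max, sp_warn, sp_inact, sp_expire: clong;
    sp_flag: culong;
  end;

// Assumed bindings: getspnam(3) from libc, crypt(3) from libcrypt.
function getspnam(name: PChar): PSpwd; cdecl; external 'c';
function crypt(key, setting: PChar): PChar; cdecl; external 'crypt';
// Constant-time compare: timing must not reveal how many leading bytes matched.
function SameHash(const A, B: AnsiString): Boolean;
var
  I, Diff: Integer;
begin
  Diff := Length(A) xor Length(B);
  for I := 1 to Length(A) do
    if I <= Length(B) then
      Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

function CheckLinuxUser(const AUserName, APassword: AnsiString): Boolean;
var
  Sp: PSpwd; Stored: AnsiString; Hashed: PChar;
begin
  Result := False;
  Sp := getspnam(PChar(AUserName));   // exact lookup, unlike grep's substring match
  if Sp = nil then Exit;              // unknown user, or no privilege to read shadow
  Stored := AnsiString(Sp^.sp_pwdp);
  // Locked or empty entries ("!", "*", "") must never authenticate.
  if (Length(Stored) < 2) or (Stored[1] <> '$') then Exit;
  // crypt() parses "$id$salt$" itself: no manual method/salt splitting needed.
  Hashed := crypt(PChar(APassword), PChar(Stored));
  if Hashed = nil then Exit;          // hash method not supported by libcrypt
  Result := SameHash(AnsiString(Hashed), Stored);
end;

var
  User, Pw: AnsiString;
begin
  Write('user: '); ReadLn(User);
  Write('password: '); ReadLn(Pw);    // from stdin, never argv (argv shows in ps)
  if CheckLinuxUser(User, Pw) then WriteLn('auth ok') else WriteLn('auth failed');
end.
```

Reading /etc/shadow still requires privilege, so in a network-facing server the check belongs in a small, separate privileged helper, or behind PAM as suggested in Reply #2, rather than in the HTTP process itself.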

colo

  • New Member
  • *
  • Posts: 33
Re: FPHttpServer and linux auth
« Reply #4 on: September 13, 2023, 09:14:16 pm »
Be aware that this will be catastrophically exploitable if/when someone feeds carefully crafted data for AUserName and/or APassword into your program.

If I were you, I would just not use the system account database via PAM for storing and retrieving credential data, but use another (custom) data source for that.
