Request for pty.spawn() help/example 
Author Message
 Request for pty.spawn() help/example

greets...

        I'm working on a script which can get called by cgi programs, which
feed in a username and password from an html for, and the script uses su
as a verification of the pair by attempting to su to that account.

        I am trying to do this by using the pty module, and calling spawn. The
only information I could find about this module however, was from the
online documention, which states:

spawn (argv[, master_read[, stdin_read]])
     Spawn a process, and connect its controlling terminal with the
current process's standard io. This is often used to baffle programs
which insist on reading from the controlling terminal.

( http://www.*-*-*.com/ )

        I need to capture a pty because su will otherwise attempt to write to
the terminal which launched my script, thus defeating its purpose.

        Could anyone either provide an example of how I can interact with su
(or any other process) so that I can feed it the password after it's
been spawned and read it's output, or perhaps provide any other
direction?

PS: I posted a similar request a few days ago, and the responces were
extremely helpful in futher refining my exact problem, but I'm still in
need of help!

thanks in advance.

--
Steve Castellotti
Systems Programmer
School of Arts and Sciences, University of Pennsylvania



Mon, 19 May 2003 03:00:00 GMT  
 Request for pty.spawn() help/example


Quote:
> greets...

> I'm working on a script which can get called by cgi programs, which
> feed in a username and password from an html for, and the script uses su
> as a verification of the pair by attempting to su to that account.

This seems like it makes the authentication task simple, but does rather
more work than it need to.

Quote:
> I am trying to do this by using the pty module, and calling spawn. The
> only information I could find about this module however, was from the
> online documention, which states:

> spawn (argv[, master_read[, stdin_read]])
>      Spawn a process, and connect its controlling terminal with the
> current process's standard io. This is often used to baffle programs
> which insist on reading from the controlling terminal.

> (http://www.python.org/doc/current/lib/module-pty.html)

> I need to capture a pty because su will otherwise attempt to write to
> the terminal which launched my script, thus defeating its purpose.

True, but isn't there some way you could capture the encrypted password for
the user, and then encrypt your user's password in the same way (using the
salt from the encrypted password) then check for a match?

Quote:
> Could anyone either provide an example of how I can interact with su
> (or any other process) so that I can feed it the password after it's
> been spawned and read it's output, or perhaps provide any other
> direction?

> PS: I posted a similar request a few days ago, and the responces were
> extremely helpful in futher refining my exact problem, but I'm still in
> need of help!

> thanks in advance.

> --
> Steve Castellotti
> Systems Programmer
> School of Arts and Sciences, University of Pennsylvania

regards
 Steve


Mon, 19 May 2003 03:00:00 GMT  
 Request for pty.spawn() help/example

Quote:

> > I need to capture a pty because su will otherwise attempt to write to
> > the terminal which launched my script, thus defeating its purpose.

> True, but isn't there some way you could capture the encrypted password for
> the user, and then encrypt your user's password in the same way (using the
> salt from the encrypted password) then check for a match?

        I could do that, but in order to be certain that the new hash matches
their password, my script would need access permissions to /etc/shadow.
For that I'd need to set the script suid root, is dangerous for a cgi
script.

--
Steve Castellotti
Systems Programmer
School of Arts and Sciences, University of Pennsylvania



Mon, 19 May 2003 03:00:00 GMT  
 Request for pty.spawn() help/example


Quote:

> > > I need to capture a pty because su will otherwise attempt to write to
> > > the terminal which launched my script, thus defeating its purpose.

> > True, but isn't there some way you could capture the encrypted password
for
> > the user, and then encrypt your user's password in the same way (using
the
> > salt from the encrypted password) then check for a match?

> I could do that, but in order to be certain that the new hash matches
> their password, my script would need access permissions to /etc/shadow.
> For that I'd need to set the script suid root, is dangerous for a cgi
> script.

> --

That's correct.  Sorry I overlooked it.  Are you using pluggable
authentication modules (PAM)?  This might give you a compromise which
doesn't involve running shell scripts or executables.

regards
 Steve



Tue, 20 May 2003 03:00:00 GMT  
 
 [ 4 post ] 

 Relevant Pages 

1. return value for PTY.spawn

2. system command expansion after PTY.spawn

3. pty.spawn() and friends

4. REPOST: pty.spawn() and friends

5. pty.spawn() problems

6. pty.py: any example code out there?

7. Help Request: ISE EiffelCOM string_manipulator example

8. Example of inetd spawned tcl-dp server?

9. Pseudo-TTY (pty module) help!

10. Help: expect pty permissions

11. Help: expect pty permission problem

12. expect_after executes for spawn id 1 even if the corresponding expect executes for spawn id 2

 

 
Powered by phpBB® Forum Software