Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

Is this script safe?

by mt2k (Hermit)
on May 25, 2001 at 04:11 UTC ( #83179=perlquestion: print w/replies, xml ) Need Help??

mt2k has asked for the wisdom of the Perl Monks concerning the following question:

I want to allow anyone to log into my account on a server. To accomplish this, I would have an account with a simple password. Then, in the .bash_profile file, I'd have this line:

perl "login.pl"

[download]

The login.pl file would hold the following code:

#!/usr/bin/perl
$SIG{TSTP} = 'IGNORE';

system "stty -echo";
system "clear";

print "Enter Password: ";
$input = <STDIN>;
chomp $input;

open FILE, "<.admin";
@passwd = <FILE>;
chomp @passwd;
close FILE;

($nil, $passwd) = split(":", $passwd[0]);
$input = crypt($input, substr($passwd, 0, 2));

if ($input ne $passwd) {
system "clear";
system "stty echo";
print "Enter URL: ";
$url = <STDIN>;
chomp $url;
system "lynx $url";
exec "login.pl";

} else {

for $i (1 .. $#passwd) {
system "clear";
print "Enter Password: ";
$input = <STDIN>;
chomp $input;
($nil, $passwd) = split(":", $passwd[$i]);
$input = crypt($input, substr($passwd, 0, 2));
if ($input ne $passwd) { while (1) { system "clear"; print "Enter Pass
+word: "; $
a = <STDIN>; } }
}

system "stty echo";
system "clear";
print "Passwords Correct\n\n";
exit;
}

[download]

The .admin file looks something like this:

user1:password1
user2:password2
user3:password3
user4:password4
user5:password5

[download]

To sum it up, if the user does not enter the first correct password, it allows the user to only use lynx. The reason for the encrypted passwords is because anyone can look at the source of the script using lynx... Just pressing "g -> /home/user/login.pl" allows them to do so. I added the while loop in there so that if after the first password is entered correctly, the user has no idea whether or not the next 4 passwords are right! (Of course, this sucks for me if I enter one wrong!) The question is, anyone can also view the .admin file... Is 5 passwords enough (they are all VERY different in style and length). All I want to know is, do I risk any danger with this method of protection if I change the 5 passwords every week?

Replies are listed 'Best First'.
(tye)Re: Is this script safe?
by tye (Sage) on May 25, 2001 at 04:30 UTC

    Well, if you changed the .bash_rc file to contain "exec perl login.pl" so a quick CTRL-C didn't just give you a shell prompt (and several other changes), then you've narrowed down the easy ways to get around this to:

    • "!" in lynx gives you a shell!!
    • lynx can save files so they can overwrite login.pl or .admin!!
    • ...OK, I'm bored now...

            - tye (but my friends call me "Tye")
[reply]
      NOBODY COPY THAT SCRIPT PLEASE! VERY, VERY BAD SCRIPT. THANKS TO TYE, I SEE THAT THERE ARE SEVERAL WAYS TO FIGHT THAT SCRIPT, MAINLY A "!" in lynx and then a "rm -rf login.pl" in the shell that opens.

      THANKS TYE!

[reply]
        Read the documentation for lynx, specifically the -restrictions part which allows you to disallow things such as executing a shell (lynx -restrictions=shell). There's also no reason why the person executing login.pl would need permission to delete it, so an rm -rf login.pl shouldn't be a concern.
[reply]
Re: Is this script safe?
by scottstef (Curate) on May 25, 2001 at 04:22 UTC
    Not even the considering code this- idea is terrifies me. Allowing ANYONE one to log into your account is dangerous. What if this person logs in and then copies /etc/password & /etc/shadow? You mention that you will change the passwords weekly. Cracking a password can be done in less than a day. You have just given someone an opportunity to brute force root. After I get root, I can spam and get your server blackholed. I can start removing any files I deem unecessary. I can add root kits at will. Being a sysadmin and securing a server is tough enough, why make it any harder on yours?
    Moral of the story- don't allow anyone to log in as you.
[reply]
Re: Is this script safe?
by Anonymous Monk on May 25, 2001 at 16:51 UTC
    test with 
    Password: unsinn
Enter URL: ;cat .admin

    [download]
    and press q in the lynx.
    Attention on ";" at the start of the "URL"!
[reply]
[d/l]
Re: Is this script safe?
by mt2k (Hermit) on May 25, 2001 at 04:25 UTC
    Added $SIG{INT} = 'IGNORE'; at the top... Blocked CTRL-Z, but not CTRL-C!

    (Just to let you know, I have not yet implemented the script)

[reply]

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://83179]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (4)
As of 2021-04-18 12:50 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found
    Notices?