I'm implementing a login page with CGI. I was able to retrieve the login and password correctly, yet I am unsure of how to change to that user. I am using Apache httpd.
After researching possible ways to do this, I've seen that suexec could be used to solve this issue, but I'm a bit unclear on how to use it.
This is the CGI code I have:
```bash
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>Form Example</title>'
echo '</head>'
echo '<body>'
# SCRIPT_NAME is the CGI variable holding this script's URL path.
echo "<form method=GET action=\"${SCRIPT_NAME}\">"\
     '<table nowrap>'\
     '<tr><td>Username</td><td><input type="text" name="val_x" size=12></td></tr>'\
     '<tr><td>Password</td><td><input type="password" name="val_y" size=12 value=""></td>'\
     '</tr></table>'
echo '<br><input type="submit" value="Login">'\
     '</form>'
# Make sure we have been invoked properly.
if [ "$REQUEST_METHOD" != "GET" ]; then
    echo "<hr>Script Error:"\
         "<br>Usage error, cannot complete request, REQUEST_METHOD!=GET."\
         "<br>Check your FORM declaration and be sure to use METHOD=\"GET\".<hr>"
    exit 1
fi
# If no search arguments, exit gracefully now.
if [ -z "$QUERY_STRING" ]; then
    exit 0
else
    # No looping this time, just extract the data you are looking for with sed:
    XX=$(echo "$QUERY_STRING" | sed -n 's/^.*val_x=\([^&]*\).*$/\1/p' | sed "s/%20/ /g")
    YY=$(echo "$QUERY_STRING" | sed -n 's/^.*val_y=\([^&]*\).*$/\1/p' | sed "s/%20/ /g")
    echo "val_x: $XX"
    echo '<br>'
    echo "val_y: $YY"
    su $XX -p $YY # I know this is not the best way to login but I'm using it for testing purposes
    echo ""
    # Print the user and directory the script is running as/in.
    whoami
    pwd
fi
echo '</body>'
echo '</html>'
exit 0
```
Whenever I try, "whoami" always returns apache.
This is the link where I got part of the code: http://www.yolinux.com/TUTORIALS/BashShellCgi.html
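The script above echoes `val_x` into the page as received and then uses it as a command argument. One stricter way to read that field, as an added example that is not part of the original post (the function names, the username allowlist and the sample query strings are assumptions made here):

```sh
#!/bin/sh
# Added example; function names and sample inputs are constructed for illustration.
LC_ALL=C; export LC_ALL    # byte-exact [a-z] ranges in the patterns below

# Print the raw value of parameter $1 from query string $2 (first match only).
# Splitting on '&' first means "xval_x=..." is never mistaken for "val_x=...".
get_param() {
    printf '%s\n' "$2" | tr '&' '\n' | sed -n "/^$1=/{s/^$1=//p;q;}"
}

# Allowlist for account names: starts with a-z or _, then a-z 0-9 _ -, max 32 chars.
# Percent-encoded or '+'-encoded input contains '%' or '+', so it is rejected
# without needing a URL decoder.
is_valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;        # empty, or a character outside the allowlist
        [a-z_]*) [ "${#1}" -le 32 ] ;;       # valid first character: enforce length
        *) return 1 ;;                       # leading digit or '-' (would look like an option)
    esac
}

# Escape the five HTML-significant characters before echoing a value into the page.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Build the "val_x: ..." line for query string $1; returns 1 if the name is rejected.
render_username() {
    user=$(get_param val_x "$1")
    if is_valid_username "$user"; then
        printf 'val_x: %s<br>\n' "$(html_escape "$user")"
    else
        printf 'val_x: rejected (%s)<br>\n' "$(html_escape "$user")"
        return 1
    fi
}

# Constructed sample query strings.
for q in 'val_x=alice&val_y=pw' 'val_x=bob&xval_x=root' 'val_x=<i>x</i>&val_y=pw'; do
    render_username "$q" || true
done
```

On `val_x=bob&xval_x=root` the `sed` expression in the original script captures `root`, because its greedy `.*` also matches inside `xval_x=`; `get_param` returns `bob`.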
0 Answers