Date: Mon, 18 Aug 1997 10:27:48 +1000 (EST)
From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: Ulf Zimmermann <ulf@Alameda.net>
Cc: isp@freebsd.org
Subject: Re: Changing password via web ?
Message-ID: <Pine.BSF.3.91.970818101834.308U-100000@panda.hilink.com.au>
In-Reply-To: <199708172256.PAA23248@Gatekeeper.Alameda.net>
On Sun, 17 Aug 1997, Ulf Zimmermann wrote:

> Is anyone offering this to their customers? (certainly via secure server ;-) )
> We have many web/ftp only customers and I don't really want to explain
> to them how to telnet, just to change their password (as that also is not secure).
> So I am looking for a way to let the people change the password via a web page.
> Enter old password, twice new password.
>
> Any tips? Anyone who is doing this?

I've done this. The problem is that you need a process running as root.
There are two ways to do this:

1. run the httpd as root, which is a bad idea;
2. have a setuid program which does the change - this is what I did.

I took the passwd sources and changed them so that the username, old
password and new password could be passed as environment variables. A
simple perl (or C) cgi script parses the form, sets the environment
variables and executes the new passwd program. You can't use command line
args to passwd, because they are visible using ps(1), whereas environment
vars are not visible to other processes.

I'm reasonably sure this method is secure, but I'm not guaranteeing it. If
anyone can spot a hole in my method, I'd appreciate it if they let me know.

I also crippled the hacked passwd so that it would only change passwords
of users with uid 100 <= uid <= 65000, as an added precaution.

Danny
