Date: Wed, 7 Apr 1999 15:50:56 +1000 (EST)
From: "Daniel O'Callaghan" <danny@hilink.com.au>
To: "W. Reilly Cooley" <wcooley@nakedape.navi.net>
Cc: freebsd-isp@freebsd.org
Subject: Re: Web Based Script
Message-ID: <Pine.BSF.4.10.9904071543390.54455-100000@enya.clari.net.au>
In-Reply-To: <Pine.LNX.4.10.9903292024350.26067-100000@rheingold>
On Mon, 29 Mar 1999, W. Reilly Cooley wrote:

> I've considered a web-based interface for users to modify their
> configurations (mail forwarding, etc), but giving users access using their
> UNIX passwords through a web interface is a /big/ security hole. See
> http://www.apache.org/docs/misc/FAQ.html#passwdauth for an explanation.
> This might be reasonable, if, for example, you only permit access from
> within your net block. But even then it's sketchy...

No more problematic than POP, and at least with web you can do it via SSL
using https rather than plaintext http.

Apache won't read /etc/master.passwd as a .htpasswd file, but it is easy to
perl/awk out the first two fields into a separate .htpasswd file. While you
are at it, only put dialup users' names/passwords into the .htpasswd file, so
that staff/admin accounts' passwords are not available for probing.

Something like the script below, which can be run every 15 minutes from cron,
to keep it up to date.

Danny

#!/usr/bin/perl
# Copy name:hash for general (dialup) users out of master.passwd into an
# Apache .htpasswd-format file.  The new file is built under a temporary
# name and then rename()d into place so readers never see a partial file.
open( M, "/etc/master.passwd") or die "cannot open /etc/master.passwd: $!";
open( N, "> /var/db/ht.passwd.new") or die "cannot create /var/db/ht.passwd.new: $!";
chmod 0640, "/var/db/ht.passwd.new";
# Assumes general users have uid 5000-9999
while(<M>) {
    ($uname, $passwd, $uid, $gid, $class) = split (':');
    print N "$uname:$passwd\n" if( $uid >= 5000 && $uid < 10000);
}
close(M);
close(N);
rename("/var/db/ht.passwd.new", "/var/db/ht.passwd")
    or die "rename failed: $!";
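The same extraction written out as an added example (this is not Danny's script and not part of the original message): it keeps the uid-range filter but also skips entries that should never land in a web-facing password file, namely accounts with an empty password field and accounts whose hash is locked with a leading `*` (the `*LOCKED*` prefix that pw(8) uses is one instance of that). It assumes the ten-field master.passwd(5) layout; the function names, the /var/db path and the sample lines below are constructed for illustration, not taken from any real system.

```python
import os
import tempfile

# Constructed sample in master.passwd(5) layout:
# name:hash:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real master.passwd
root:$1$abcdefgh$XXXXXXXXXXXXXXXXXXXXX/:0:0::0:0:Charlie &:/root:/bin/csh
admin:$1$zzzzzzzz$YYYYYYYYYYYYYYYYYYYYY.:1001:1001::0:0:Staff:/home/admin:/bin/sh
alice:$1$abcdefgh$AAAAAAAAAAAAAAAAAAAAA.:5001:5001::0:0:Dialup:/home/alice:/bin/sh
bob:*LOCKED*$1$abcdefgh$BBBBBBBBBBBBBBBBBBBBB.:5002:5002::0:0:Dialup:/home/bob:/bin/sh
carol::5003:5003::0:0:Dialup:/home/carol:/bin/sh
dave:$1$abcdefgh$DDDDDDDDDDDDDDDDDDDDD.:12000:12000::0:0:Other:/home/dave:/bin/sh
"""


def select_htpasswd_entries(master_passwd_lines, uid_min=5000, uid_max=9999):
    """Return 'name:hash' strings for accounts whose uid is in [uid_min, uid_max].

    Skipped on purpose: comments and blank lines, malformed records,
    accounts with an empty password field (no password at all), and
    accounts whose hash starts with '*' (locked / cannot log in).
    The uid range is an assumption, as in the original script.
    """
    entries = []
    for raw in master_passwd_lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:          # anything else is not a master.passwd record
            continue
        name, pw_hash, uid_text = fields[0], fields[1], fields[2]
        try:
            uid = int(uid_text)
        except ValueError:
            continue
        if not (uid_min <= uid <= uid_max):
            continue
        if pw_hash == "" or pw_hash.startswith("*"):
            continue
        entries.append(f"{name}:{pw_hash}")
    return entries


def write_htpasswd(entries, path, mode=0o640):
    """Write entries to path atomically: temp file in the same directory,
    explicit mode, then rename over the target (hypothetical helper)."""
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".ht.passwd.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(entry + "\n" for entry in entries))
        os.chmod(tmp_path, mode)        # 0640: owner rw, group (httpd) r, others nothing
        os.replace(tmp_path, path)      # atomic on POSIX
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return path


if __name__ == "__main__":
    selected = select_htpasswd_entries(SAMPLE_MASTER_PASSWD.splitlines())
    for entry in selected:
        print(entry)
```

Run from cron as Danny suggests, with the output file group-owned by the group the web server runs as so that 0640 is sufficient. The copied hash is only usable if the Apache build verifies passwords with the same crypt(3) the system uses to produce them; check that before relying on it.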