From owner-freebsd-questions Mon Apr 13 01:31:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA03494 for freebsd-questions-outgoing; Mon, 13 Apr 1998 01:31:16 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from chippie.cgu.nl (chippie.cgu.nl [145.101.220.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA03489 for ; Mon, 13 Apr 1998 01:31:12 -0700 (PDT) (envelope-from psd@cgu.nl)
Received: from localhost (psd@localhost) by chippie.cgu.nl (8.8.7/8.8.7/psd) with SMTP id KAA02562; Mon, 13 Apr 1998 10:33:43 +0200 (CEST)
Date: Mon, 13 Apr 1998 10:33:43 +0200 (CEST)
From: Paul Dekkers
X-Sender: psd@chippie.cgu
To: Leif Neland
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: password change via the web?!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 12 Apr 1998, Leif Neland wrote:

> At 12 Apr 98 18:45:06 Niall Smart wrote regarding Re: password change via the
> web?!
>
> NS> Really? I hope not :) Another option would be to make it a
> NS> suid root shell script BUT with only the web server having
> NS> execute permission through supplementary groups.
>
> No need to suid to root, just suid to the user you want to change password for.
> To do that, you need the password for the user.

And to su to another user, you need a program that is suid root, isn't it?

BTW, discovered that 'pw' password changes are possible under perl:

    open (PW,"|pw user mod -h 0");
    print PW "password\n";
    close (PW)

A lot easier... maybe unsafe?

Made a suid root c-prog that executes perl and this script, which also checks first if the current password of the user is ok...

Now change the c-prog to suid root and a group that only the web-server can access, and it's "safe"?
(in the suid-root c-prog I first check if the owner really is the one of the web-server, and maybe I'd check some other things like HTTP_REFERER...)

Nice idea, or, as always, absolutely unsafe? :-))

Paul

--
Paul Dekkers E-Mail:
To err is human, to moo bovine

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
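
The privileged step discussed in this message, as an added example that is not code from the thread or from FreeBSD: a setuid helper that gates on the caller's real uid, validates the username and password line, and execs pw directly with a fixed environment instead of going through perl or a shell. HTTP_REFERER is supplied by the client, so it plays no part in the decision. Assumptions: WEB_UID 80, the 16-character name limit, the password length limits and the refusal to touch root are illustrative choices, and verification of the user's current password is left out to keep the block to the exec path.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define WEB_UID 80              /* assumption: uid the web server runs as */
#define PW_PATH "/usr/sbin/pw"  /* absolute path, so PATH is never consulted */
/* Names are [a-z0-9_-] only, never start with '-' (would parse as an option), never root. */
int valid_username(const char *u) {
    size_t n = u ? strlen(u) : 0;
    if (n == 0 || n > 16 || u[0] == '-' || strcmp(u, "root") == 0) return 0;
    return strspn(u, "abcdefghijklmnopqrstuvwxyz0123456789_-") == n;
}
/* pw -h 0 reads one line: refuse control characters, including embedded newlines. */
int valid_password(const char *p) {
    size_t n = p ? strlen(p) : 0;
    if (n < 8 || n > 128) return 0;   /* length limits are assumptions */
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)p[i])) return 0;
    return 1;
}
/* Returns 0 if pw accepted the change, -1 on refusal or failure. */
int set_password(uid_t real_uid, const char *user, const char *newpw) {
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* inherited env is dropped */
    int fds[2], status;
    pid_t pid; ssize_t w;
    if (real_uid != (uid_t)WEB_UID || !valid_username(user) || !valid_password(newpw)) return -1;
    if (pipe(fds) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                       /* child: pipe becomes fd 0, then exec pw directly */
        char *const argv[] = { "pw", "usermod", (char *)user, "-h", "0", NULL };
        dup2(fds[0], 0); close(fds[0]); close(fds[1]);
        execve(PW_PATH, argv, envp);
        _exit(127);
    }
    close(fds[0]);
    w = write(fds[1], newpw, strlen(newpw));
    if (w >= 0) w = write(fds[1], "\n", 1);
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0 || w < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv) {
    char pw[130];
    if (argc != 2 || !fgets(pw, sizeof pw, stdin)) return 2;
    pw[strcspn(pw, "\n")] = '\0';
    return set_password(getuid(), argv[1], pw) == 0 ? 0 : 1;
}
```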