Date:      Mon, 13 Apr 1998 13:15:48 +0000
From:      Niall Smart <rotel@indigo.ie>
To:        Paul Dekkers <psd@cgu.nl>, Leif Neland <leifn@image.dk>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: password change via the web?!
Message-ID:  <199804131215.NAA01166@indigo.ie>
In-Reply-To: Paul Dekkers <psd@cgu.nl> "Re: password change via the web?!" (Apr 13, 10:33am)

On Apr 13, 10:33am, Paul Dekkers wrote:
} Subject: Re: password change via the web?!
> On 12 Apr 1998, Leif Neland wrote:
> >  NS> Really?  I hope not :)  Another option would be to make it a
> >  NS> suid root shell script BUT with only the web server having
> >  NS> execute permission through supplementary groups.
>
> > No need to suid to root, just suid to the user you want to change password for.
> > To do that, you need the password for the user.
> 
> And to su to another user, you need a program that is suid root, isn't it?

You could use su(1), but you don't need to here.

> BTW, discovered that 'pw' password changes are possible under perl:
> open (PW,"|pw user mod <account> -h 0");
> print PW "password\n";
> close (PW)
> A lot easier... maybe unsafe?

As long as you make sure to avoid accepting nasty input (e.g.,
shell metacharacters) this should be ok.  Note that pw needs to be
run by root; I would make the perl script setuid root but
executable only by the web server.  You should be able to verify
the existing password using the crypt function.

> Nice idea, or, as always, absolutely unsafe? :-))

Well, the passwords are being transferred in the clear over the
network, so..  Make sure you build some sanity checking in so
that users can't pick stupid passwords.

Niall

-- 
Niall Smart.  Microsoft Suck.  See www.freebsd.org for details.
echo "#define if(x) if(!(x))" >> /usr/include/stdio.h
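
The checks discussed in this message (restrict the account name, verify the existing password with crypt, sanity-check the new one, then feed it to pw on descriptor 0), as an added example that is not part of the original e-mail. The helper names, the password rules and the sample input are assumptions, and the script is assumed to run as root on FreeBSD.

```perl
use strict;
use warnings;

# Login names only: first character a letter or "_", so the value can never
# be read by pw(8) as an option, and no shell metacharacter gets through.
sub valid_user {
    my ($u) = @_;
    return (defined $u && $u =~ /\A([a-z_][a-z0-9_-]{0,15})\z/) ? $1 : undef;
}

# crypt() salted with the stored hash must reproduce that hash.
sub old_password_ok {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored && length($stored) > 2;   # "*" or empty
    my $hash = crypt($plain, $stored);
    return (defined $hash && $hash eq $stored) ? 1 : 0;
}

# Minimal sanity rules (assumed policy, not from the thread).
sub new_password_ok {
    my ($new, $user) = @_;
    return 0 if length($new) < 8;
    return 0 if $new =~ /[\r\n\0]/;          # pw -h reads a single line
    return 0 if lc($new) eq lc($user);
    return 0 unless $new =~ /[^A-Za-z]/;     # not letters only
    return 1;
}

sub change_password {
    my ($user_in, $old, $new) = @_;
    my $user = valid_user($user_in) or return "bad user name";
    # Running as root (assumed), getpwnam returns the stored hash.
    my $stored = (getpwnam($user))[1];
    old_password_ok($old, $stored) or return "authentication failed";
    new_password_ok($new, $user)   or return "new password rejected";
    local $ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
    # List-form pipe open execs pw directly; no shell parses the arguments.
    open(my $pw, '|-', '/usr/sbin/pw', 'user', 'mod', $user, '-h', '0')
        or return "cannot run pw: $!";
    print {$pw} "$new\n";
    close($pw) or return "pw failed, status $?";
    return "ok";
}

# Constructed input; it is rejected before pw is ever started.
print change_password('alice; echo x', 'old', 'new'), "\n";
```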
