From: Eric Anderson
Organization: Centaur Technology
Date: Thu, 28 Feb 2002 06:44:36 -0600
To: Buliwyf McGraw
Cc: freebsd-security@freebsd.org
Subject: Re: Changing Passwords through the web
Message-ID: <3C7E2634.87A8D746@centtech.com>

The way I have done this type of thing in the past is: I have a web/cgi
script that takes the user's old password, checks it against the password
file, takes the new password, checks it against a "bad password" list,
then I store it, and have a cron job run a separate script (as root) to do
the password changing. I feel it protects you against suid web stuff
(which I am totally against). If you can write programs well and know how
to look for holes of that sort, you should be fine.

Eric

Buliwyf McGraw wrote:
>
> Hello friends...
> I was using webmin to create users by the web... but I need
> to do an interface so users can change their passwords by the
> web too.
> I cannot use webmin, because the webmin user needs a password...
> I need an open interface, so everyone who wants to change his own
> password can do it...
> I was thinking of the suexec Apache service... but on the web site
> I found that suexec doesn't support root scripts anymore...
> so, I got lost...
>
> Any question or suggestion is welcome.
> Thank you
>
> =======================================================================
> Buliwyf McGraw
> Administrator of the Libertad Server
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================

--
------------------------------------------------------------------
Eric Anderson    Systems Administrator    Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
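
An added example, not part of the original message and not code posted by anyone on the list: a sketch of the root-side cron step described in the reply above, which treats the queue written by the web script as untrusted input before anything runs as root. The queue format (one `username:crypt_hash` line per request), the `MIN_UID` cutoff, the sample data and all function names are assumptions.

```python
import re
import subprocess

# Assumptions (not from the original post): the CGI appends one request per
# line as "username:crypt_hash", and accounts below MIN_UID are off limits.
MIN_UID = 1000
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")
HASH_RE = re.compile(r"\$[0-9a-z]{1,4}\$[./A-Za-z0-9$=,]{20,120}")

# Constructed sample data, for illustration only.
SAMPLE_UIDS = {"alice": 1001, "bob": 1002, "root": 0}
SAMPLE_QUEUE = [
    "alice:$6$saltsalt$" + "A" * 40,
    "root:$6$saltsalt$" + "A" * 40,
    "bob:$6$x$abc:0:0::0:0::/root:/bin/sh",
    "../etc:$6$saltsalt$" + "A" * 40,
]

def parse_request(line, uid_of):
    """Return (user, hash) for a valid queue line, else raise ValueError."""
    user, sep, pw_hash = line.rstrip("\n").partition(":")
    if not sep or not USER_RE.fullmatch(user):
        raise ValueError("bad username")
    # fullmatch admits no ':' or newline, so a request cannot carry extra
    # passwd fields or a second record into the privileged step.
    if not HASH_RE.fullmatch(pw_hash):
        raise ValueError("bad hash field")
    uid = uid_of(user)  # None for unknown accounts
    if uid is None or uid < MIN_UID:
        raise ValueError("account not eligible")
    return user, pw_hash

def pw_usermod(user, pw_hash):
    """FreeBSD applier: pw(8) -H reads an already-encrypted password from fd 0."""
    subprocess.run(["pw", "usermod", "-n", user, "-H", "0"],
                   input=pw_hash + "\n", text=True, check=True)

def process_queue(lines, uid_of, apply_change=pw_usermod):
    """Apply every valid request; return [(line_number, reason)] for rejects."""
    rejected = []
    for number, line in enumerate(lines, 1):
        try:
            user, pw_hash = parse_request(line, uid_of)
        except ValueError as exc:
            rejected.append((number, str(exc)))
            continue
        apply_change(user, pw_hash)
    return rejected
```

Passing the hash on standard input rather than on the command line keeps it out of the process list, and the argument vector form means no shell ever parses the username.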