Date: Sun, 12 Apr 1998 16:45:06 +0000 From: Niall Smart <rotel@indigo.ie> To: Paul Dekkers <psd@cgu.nl>, "Three goddesses, Venus figures" <douglas@speakeasy.org> Cc: Dima Dorfman <webmaster@zwb.net>, freebsd-questions@FreeBSD.ORG Subject: Re: password change via the web?! Message-ID: <199804121545.QAA01285@indigo.ie> In-Reply-To: Paul Dekkers <psd@cgu.nl> "Re: password change via the web?!" (Apr 12, 1:34pm)
next in thread | previous in thread | raw e-mail | index | archive | help
On Apr 12, 1:34pm, Paul Dekkers wrote: } Subject: Re: password change via the web?! > > > Such a script would be very hard to make secure, because to change a > > > password, you have to run with root's permissions. > > > > Actually, you could use a perl/expect combo to do this without running as > > root and without hacking the passwd code. > > Can you give me an example? > Tried to play with > open (PWD, "passwd |"); > and/or > open (PWD, "|passwd"); > (Can't I combine those?) > but I didn't manage to get things working. You need to use the expect utility as Paul mentioned, you can't open a pipe to passwd. > By the way, I'd prefer to have this done under C, because I think I need a > suid root prog to change a password, and I don't like suidperl because > people get root realy easy with it. > Any sulution? Really? I hope not :) Another option would be to make it a suid root shell script BUT with only the web server having execute permission through supplementary groups. -- Niall Smart. Microsoft Suck. See www.freebsd.org for details. echo "#define if(x) if(!(x))" >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804121545.QAA01285>