From owner-freebsd-questions  Sun Apr 12 08:45:13 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id IAA18923
          for freebsd-questions-outgoing; Sun, 12 Apr 1998 08:45:13 -0700 (PDT)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts01-62.waterford.indigo.ie [194.125.139.125])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA18914
          for <freebsd-questions@FreeBSD.ORG>; Sun, 12 Apr 1998 08:45:04 -0700 (PDT)
          (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
	by indigo.ie (8.8.8/8.8.7) id QAA01285;
	Sun, 12 Apr 1998 16:45:06 +0100 (IST)
	(envelope-from rotel@indigo.ie)
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199804121545.QAA01285@indigo.ie>
Date: Sun, 12 Apr 1998 16:45:06 +0000
In-Reply-To: Paul Dekkers <psd@cgu.nl>
       "Re: password change via the web?!" (Apr 12,  1:34pm)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Paul Dekkers <psd@cgu.nl>,
        "Three goddesses, Venus figures" <douglas@speakeasy.org>
Subject: Re: password change via the web?!
Cc: Dima Dorfman <webmaster@zwb.net>, freebsd-questions@FreeBSD.ORG
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Apr 12,  1:34pm, Paul Dekkers wrote:
} Subject: Re: password change via the web?!
> > > Such a script would be very hard to make secure, because to change a
> > > password, you have to run with root's permissions.
> > 
> > Actually, you could use a perl/expect combo to do this without running as
> > root and without hacking the passwd code.
> 
> Can you give me an example?
> Tried to play with
> open (PWD, "passwd |");
> and/or
> open (PWD, "|passwd");
> (Can't I combine those?)
> but I didn't manage to get things working.

You need to use the expect utility as Paul mentioned, you can't open
a pipe to passwd.

> By the way, I'd prefer to have this done under C, because I think I need a
> suid root prog to change a password, and I don't like suidperl because
> people get root realy easy with it.
> Any sulution?

Really?  I hope not :)  Another option would be to make it a suid root
shell script BUT with only the web server having execute permission
through supplementary groups.



-- 
Niall Smart.  Microsoft Suck.  See www.freebsd.org for details.
echo "#define if(x) if(!(x))" >> /usr/include/stdio.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message