Date: Mon, 13 Apr 1998 10:33:43 +0200 (CEST)
From: Paul Dekkers <psd@cgu.nl>
To: Leif Neland <leifn@image.dk>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: password change via the web?!
Message-ID: <Pine.BSF.3.96.980413103012.2552A-100000@chippie.cgu>
In-Reply-To: <b15_9804130917@swimsuit.swimsuit.roskildebc.dk>

On 12 Apr 1998, Leif Neland wrote:

> At 12 Apr 98 18:45:06 Niall Smart wrote regarding Re: password change via the
> web?!
>
>  NS> Really? I hope not :) Another option would be to make it a
>  NS> suid root shell script BUT with only the web server having
>  NS> execute permission through supplementary groups.
>
> No need to suid to root, just suid to the user you want to change password for.
> To do that, you need the password for the user.

And to su to another user, you need a program that is suid root, isn't it?

BTW, discovered that 'pw' password changes are possible under perl:

    open (PW,"|pw user mod <account> -h 0");
    print PW "password\n";
    close (PW)

A lot easier... maybe unsafe?

Made a suid root c-prog that executes perl and this script, which also
checks first if the current password of the user is ok...
Now change the c-prog to suid root and a group that only the web-server
can access, and it's "safe"?
(in the suid-root c-prog I first check if the owner really is the one of
the web-server, and maybe I'd check some other things like
HTTP_REFERER...)

Nice idea, or, as always, absolutely unsafe? :-))

Paul

--
Paul Dekkers
E-Mail: <P.Dekkers@cgu.nl>
To err is human, to moo bovine

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980413103012.2552A-100000>