From owner-freebsd-questions Mon Apr 13 05:15:43 1998
From: Niall Smart
Message-Id: <199804131215.NAA01166@indigo.ie>
Date: Mon, 13 Apr 1998 13:15:48 +0000
In-Reply-To: Paul Dekkers "Re: password change via the web?!" (Apr 13, 10:33am)
Reply-To: rotel@indigo.ie
To: Paul Dekkers , Leif Neland
Subject: Re: password change via the web?!
Cc: freebsd-questions@FreeBSD.ORG

On Apr 13, 10:33am, Paul Dekkers wrote:
} Subject: Re: password change via the web?!
> On 12 Apr 1998, Leif Neland wrote:
>
> > NS> Really? I hope not :) Another option would be to make it a
> > NS> suid root shell script BUT with only the web server having
> > NS> execute permission through supplementary groups.
> >
> > No need to suid to root, just suid to the user you want to change password for.
>
> To do that, you need the password for the user.
>
> And to su to another user, you need a program that is suid root, isn't it?

You could use su(1), but you don't need to here.

> BTW, discovered that 'pw' password changes are possible under perl:
> open (PW,"|pw user mod -h 0");
> print PW "password\n";
> close (PW)
> A lot easier... maybe unsafe?

As long as you make sure to avoid accepting nasty input (e.g., shell
metacharacters) this should be ok. Note that pw needs to be run by root,
I would make the perl script setuid root but executable only by the web
server. You should be able to verify the existing password using the
crypt function.

> Nice idea, or, as always, absolutely unsafe? :-))

Well, the passwords are being transferred in the clear over the network,
so.. Make sure you build some sanity checking in so that users can't
pick stupid passwords.

Niall

--
Niall Smart. Microsoft Suck. See www.freebsd.org for details.
echo "#define if(x) if(!(x))" >> /usr/include/stdio.h
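
The checks described in this message, as an added example that is not part of the original thread or any FreeBSD code: it validates the user name and new password, verifies the old password with crypt, and pipes the new one to pw without a shell. The function names, the user-name pattern, the length policy and the sample values are assumptions; `pw usermod -n name -h 0` is the assumed invocation.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';      # fixed PATH for a privileged script
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Accept only conservative login names; returns the validated name or undef.
sub valid_user {
    my ($u) = @_;
    return defined $u && $u =~ /\A([a-z_][a-z0-9_-]{0,15})\z/ ? $1 : undef;
}

# pw -h reads one line, so newlines and control bytes are refused outright;
# the 8..128 printable-ASCII rule is an assumed minimum policy.
sub valid_password {
    my ($p) = @_;
    return defined $p && $p =~ /\A([\x20-\x7e]{8,128})\z/ ? $1 : undef;
}

# Compare the supplied old password with the stored hash via crypt(3).
# Needs root to see the hash on FreeBSD; locked or empty hashes never match.
sub old_password_ok {
    my ($user, $old) = @_;
    my $hash = (getpwnam($user))[1];
    return 0 unless defined $hash && length $hash > 1 && $hash !~ /^\*/;
    my $try = crypt($old, $hash);
    return defined $try && $try eq $hash;
}

# List-form pipe open: pw is exec'd directly, so no shell parses the arguments.
sub set_password {
    my ($user, $new) = @_;
    open(my $pw, '|-', 'pw', 'usermod', '-n', $user, '-h', '0') or return 0;
    print {$pw} "$new\n";
    return close($pw);                       # false if pw exited non-zero
}

# Constructed sample input; nothing is changed unless run with --apply as root.
my ($user, $old, $new) = ('alice', 'old-secret-1', 'new-secret-2');
my $u = valid_user($user)    or die "bad user name\n";
my $n = valid_password($new) or die "bad new password\n";
print "metacharacter name rejected: ",
      (valid_user('alice;id') ? "no" : "yes"), "\n";
if (@ARGV && $ARGV[0] eq '--apply') {
    old_password_ok($u, $old) or die "old password mismatch\n";
    set_password($u, $n)      or die "pw failed\n";
}
```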