Date: Mon, 13 Apr 1998 00:21:28 +0800 (SGT) From: chas <panda@peace.com.my> To: rotel@indigo.ie, Paul Dekkers <psd@cgu.nl> Cc: Dima Dorfman <webmaster@zwb.net>, freebsd-questions@FreeBSD.ORG Subject: Re: password change via the web?! Message-ID: <3.0.32.19980413004341.00e1ca98@peace.com.my>
next in thread | raw e-mail | index | archive | help
I'm probably using something very foolish, but I have a webpage form going to a CGI script which then opens a connection to poppassd. Yes, I know that the password is then being sent in cleartext, but I figure that that is the case anyway if you use poppassd (eg. doesn't the Eudora client send the password in clear text ?). So, I guess if you are willing to use poppassd, you can use this script. You can pick it up at : http://peace.com.my/archive/pypasswd.tar Very easy to use. Fully commented with instructions. You can actually get an expect script which does exactly the same thing. I just couldn't get it to work so I used python to do the same thing. nb: you will need the python interpreter installed (get it from the ports collection). I could rewrite it in perl for ya but I'm sure others have already done it... and I'm even more sure someone's going to say "don't use this... it's highly insecure" :( chas >} Subject: Re: password change via the web?! >> > > Such a script would be very hard to make secure, because to change a >> > > password, you have to run with root's permissions. >> > >> > Actually, you could use a perl/expect combo to do this without running as >> > root and without hacking the passwd code. >> >> Can you give me an example? >> Tried to play with >> open (PWD, "passwd |"); >> and/or >> open (PWD, "|passwd"); >> (Can't I combine those?) >> but I didn't manage to get things working. > >You need to use the expect utility as Paul mentioned, you can't open >a pipe to passwd. > >> By the way, I'd prefer to have this done under C, because I think I need a >> suid root prog to change a password, and I don't like suidperl because >> people get root realy easy with it. >> Any sulution? > >Really? I hope not :) Another option would be to make it a suid root >shell script BUT with only the web server having execute permission >through supplementary groups. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.32.19980413004341.00e1ca98>