[thelist] webbased linux password change

Dean Mah dmah at shaw.ca
Thu Mar 14 12:58:00 CST 2002


Kevin writes:

> On Thu, Mar 14, 2002 at 07:11:26PM +0100, Joxn wrote:
> > Colin Mitchell wrote:
> > > In theory, you could write a Perl script that exec'ed the passwd command.
> > > I'd be pretty careful with it though.
>
> > Yeah, that's the point. I am still hoping that there is a script out
> > there that is tested and as secure as possible.
>
> I'm not sure if you can actually do that since the passwd command requires
> user input.  You can't send it a commandline argument AFAIK.
>
> I'm sure there are plenty of workarounds to that problem such as getting the
> Perl script to telnet in and change it, or connect via POP/FTP but I'm not
> entirely sure.
>
> I don't really see how security with it would be any more of an issue than with
> executing anything on the commandline via a CGI.
>
> Personally I'd go the ftp route.


Authenticating the Linux user and changing their password should be
done over a secure connection.  telnet and ftp pass data in cleartext
and so should be avoided.

As for user input to the passwd command, you should be able to
automate some things using an expect script or open a pipe to the
command and pass input to it.  The other option is to directly change
the /etc/passwd file.  If you're using shadow passwords, you'll need
to take that into account as well.

Regardless, your script, or part of it, is going to need to run as
root.  This is always a risk.  You could give complete access to your
machine if the script isn't secure.  Most times, I don't think it's
worth the risk.  But I can be a little paranoid...

Dean
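
An added example, not part of the original message: one way to do the "open a pipe to the command" approach while keeping the root-run part small and strict. It assumes the shadow suite's `chpasswd` at `/usr/sbin/chpasswd` (reads `user:password` lines on stdin), that the caller has already authenticated the user over a TLS connection, and that the username pattern, `MIN_UID` and the length limits are local policy choices.

```python
import re
import subprocess

# Assumed local policy: conservative account-name pattern, and only
# ordinary accounts (UID >= 1000) may be changed through the web form.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
MIN_UID = 1000


def build_chpasswd_input(username, new_password, lookup_uid):
    """Return the bytes for chpasswd's stdin, or raise ValueError."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    uid = lookup_uid(username)
    if uid is None or uid < MIN_UID:
        # Unknown user, root, or a system/service account.
        raise ValueError("account not eligible")
    if not 8 <= len(new_password) <= 128:
        raise ValueError("password length out of range")
    # chpasswd treats every input line as a separate record, so a line
    # break inside the password would smuggle in a second account.
    if any(c in new_password for c in "\r\n\0"):
        raise ValueError("control character in password")
    return f"{username}:{new_password}\n".encode()


def system_uid(username):
    """Look the account up in the local passwd database."""
    import pwd
    try:
        return pwd.getpwnam(username).pw_uid
    except KeyError:
        return None


def change_password(username, new_password):
    """Privileged step: must run as root, everything else should not."""
    data = build_chpasswd_input(username, new_password, system_uid)
    # Argument list (no shell), fixed binary path, minimal environment.
    # The password travels on stdin, so it never appears in argv.
    subprocess.run(
        ["/usr/sbin/chpasswd"],
        input=data,
        check=True,
        timeout=10,
        env={"PATH": "/usr/sbin:/usr/bin"},
    )
```

Only `change_password` needs root, so it can live in a small helper that the web-facing script calls through a narrow interface instead of running the whole CGI as root.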