[thelist] webbased linux password change

Kevin p+evolt at redbrick.dcu.ie
Thu Mar 14 13:04:19 CST 2002

On Thu, Mar 14, 2002 at 11:42:38AM -0700, Dean Mah wrote:
> Authenticating the Linux user and changing their password should be
> done over a secure connection.  telnet and ftp pass data in cleartext
> and so should be avoided.

It should be done, but i'll bet that the client they're dealing with probably
uses FTP anyway, as do most web companies unfortunately.

> Regardless, your script, or part of it, is going to need to run as
> root.  This is always a risk.  You could give complete access to your
> machine if the script isn't secure.  Most times, I don't think it's
> not worth the risk.  But I can be a little paranoid...

Well if you're changing the user's own password, you might be able to do it
using suexec, avoiding any nasty suid CGIs.

- Kevin

More information about the thelist mailing list