[thelist] webbased linux password change
Kevin
p+evolt at redbrick.dcu.ie
Thu Mar 14 13:04:19 CST 2002
On Thu, Mar 14, 2002 at 11:42:38AM -0700, Dean Mah wrote:
> Authenticating the Linux user and changing their password should be
> done over a secure connection. telnet and ftp pass data in cleartext
> and so should be avoided.
It should be done, but I'll bet that the client they're dealing with probably
uses FTP anyway, as do most web companies, unfortunately.
> Regardless, your script, or part of it, is going to need to run as
> root. This is always a risk. You could give complete access to your
> machine if the script isn't secure. Most times, I don't think it's
> not worth the risk. But I can be a little paranoid...
Well, if you're changing the user's own password, you might be able to do it
using suexec, avoiding any nasty suid CGIs.
*shrug*
- Kevin