Re: password change

From: Michael Austin (maustin_at_firstdbasource.com)
Date: 08/21/04


Date: Sat, 21 Aug 2004 02:27:50 GMT

Max wrote:
> Hi,
>
> What is the best way to change passwords via php?
>
> I was first thinking of using the chpasswd function, but even though I added
> an entry for apache to be able to run chpasswd via visudo, but I still get
> the following error:
>
> chpasswd: can't lock password file
>
> I've also tried allowing apache to run passwd and get the following error:
>
> Only root can do that.
>
> I'm kind of just in the experimenting stage on a development server, so
> security is not an issue yet. But what would be the most secure method, I've
> read so many different opinions?
>
> Thanks,
> Max
>
>

Only root can run passwd and change another user's password. You are trying to
run it from the account that owns the web server process (nobody?). That won't
work, which you have obviously discovered. If you NEED to do this, write the
username and password to a file and have a cron job owned by root check to
see if the file exists, say, every 5 minutes and make the change. I would have 3
things in the file.

the authenticated username, HTTP_USER I believe, and not entered from a text box.
the new password
repeat the new password

I would also create the filenames using <some_unique_identifier>.pwchng and
process any file with that extension.

In your cron script, make sure that root CANNOT be changed using this method.
(if username to be changed is root then exit)

This is off the top of my head and I would need to understand what is driving the
request for this type of access and to weigh the pros and cons before
implementing it.

Allowing your password file to be accessed from the web is a very dangerous
thing to consider. IMPO, unless you understand ALL of the ramifications of your
code, I would recommend you find another alternative.

-- 
Michael Austin.
Consultant - Not Available.
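
An added example, not part of the original post and not the poster's own code: a root-owned cron worker for the .pwchng request files described in the reply above. It goes beyond the reply's root check by refusing every account below an assumed UID floor; the spool path, the three-line file layout, the lookup_uid helper and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: root-owned cron worker for the *.pwchng request files.
# Assumptions (not from the post): spool path, 3-line file layout, UID floor.
LC_ALL=C; export LC_ALL
SPOOL_DIR=${SPOOL_DIR:-/var/spool/pwchng}   # hypothetical path, writable by the web account
MIN_UID=${MIN_UID:-1000}                    # assumed floor: skips root and system accounts

lookup_uid() { id -u "$1" 2>/dev/null; }    # fails for unknown accounts

# validate_request FILE -> prints "user:password" for chpasswd, or returns:
#   1 unreadable/short file, 2 bad username, 3 protected account,
#   4 unknown account, 5 empty or mismatched password
validate_request() {
    vr_file=$1 vr_user='' vr_pass='' vr_repeat=''
    # Regular files only: never follow a symlink planted in the spool.
    [ -f "$vr_file" ] && [ ! -L "$vr_file" ] || return 1
    { IFS= read -r vr_user && IFS= read -r vr_pass &&
      { IFS= read -r vr_repeat || [ -n "$vr_repeat" ]; }; } < "$vr_file" || return 1
    # Allow-list the name so ':' or shell metacharacters never reach chpasswd.
    case $vr_user in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 2 ;;
    esac
    [ "${#vr_user}" -le 32 ] || return 2
    [ "$vr_user" != root ] || return 3
    vr_uid=$(lookup_uid "$vr_user") || return 4
    [ "$vr_uid" -ge "$MIN_UID" ] || return 3
    [ -n "$vr_pass" ] && [ "$vr_pass" = "$vr_repeat" ] || return 5
    printf '%s:%s\n' "$vr_user" "$vr_pass"
}

# Process every request once, then delete it so no password lingers on disk.
process_spool() {
    for ps_file in "$SPOOL_DIR"/*.pwchng; do
        [ -e "$ps_file" ] || [ -L "$ps_file" ] || continue
        if ps_line=$(validate_request "$ps_file"); then
            printf '%s\n' "$ps_line" | chpasswd &&
                logger -t pwchng "password changed for ${ps_line%%:*}"
        else
            logger -t pwchng "rejected request $ps_file"
        fi
        rm -f -- "$ps_file"
    done
}

# A cron entry would call this script with --run; otherwise only functions are defined.
if [ "${1:-}" = "--run" ]; then process_spool; fi
```

The worker cannot tell whether the username in the file came from the authenticated session, so that check still belongs in the web application that writes the request.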

