Derek Atkins wrote:
> Hey,
>
> I've got a linux box running some applications that require
> a "local account" (in /etc/passwd) to authenticate users.
> However I don't want to enable shell access, so I have those
> users' shell set to /sbin/nologin. However I want to provide
> a way for these users to change their local password....
>
> Does anyone have a good script for a webapp to let people
> change their local password? I did find a PHP script but it
> requires sudo which I consider unsafe.

Rather than have the apache user call sudo /usr/bin/passwd, write a script to perform the change password with 2 args, username and new password. Then allow the apache user to only sudo the script. Sanitize the input.

> That same page also
> had a PHP function to call out to expect so that you don't
> need sudo, but it doesn't gracefully handle an incorrect username
> or incorrect "Old Password".

/etc/passwd is readable. Before executing the change password script, check the file for the username entered in your web form. Calling the script with sudo removes the need to enter the old password.

> If the user supplies an incorrect
> entry then the next entry gets printed into my http error log:

Take a look at mod_auth_pam. Require the user to log in before getting the form to change their password. Since the user is logged in there is no need to check or prompt for the old password.

>
>   send: spawn id exp16 not open
>       while executing
>   "send "xxx\r""
>
> So I'm asking the greater Boston intelligentsia for any suggestions or
> pointers, or perhaps help with my expect script (see PHP function below)
>
> Thanks,
>
> -derek
>
> // change the password for the user
> function changePassword($user, $currpwd, $newpwd) {
>     $cmd = "";
>
>     // Open a handle to expect in write mode
>     $p = popen('/usr/bin/expect','w');
>
>     // Log conversation for verification
>     $log = '/tmp/passwd_' . $user . '_' . time();
>     $cmd .= "log_file -a \"$log\"; ";
>
>     // Spawn the change-passwd command as $user
>     $cmd .= "spawn /bin/su $user -c /usr/bin/passwd; ";
>     $cmd .= "expect \"Password:\"; ";
>     $cmd .= "send \"$currpwd\\r\"; ";
>
>     // Change the unix password
>     $cmd .= "expect \"(current) UNIX password:\"; ";
>     $cmd .= "send \"$currpwd\\r\"; ";
>     $cmd .= "expect \"Enter new UNIX password:\"; ";
>     $cmd .= "send \"$newpwd\\r\"; ";
>     $cmd .= "expect \"Retype new UNIX password:\"; ";
>     $cmd .= "send \"$newpwd\\r\"; ";
>     $cmd .= "expect \"passwd: password updated successfully\"; ";
>
>     // Commit the command to expect & close
>     fwrite($p, $cmd); pclose ($p);
>
>     // Read & delete the log
>     $fp = fopen($log,'r');
>     $output = fread($fp, 2048);
>     fclose($fp); unlink($log);
>     $output = explode("\n",$output);
>
>     return (trim($output[count($output)-2]) == 'passwd: password updated successfully') ? true : false;
> }
>
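
A sketch of the kind of sudo-only helper script the reply describes, added here as an example and not code from either poster. It departs from the reply in one respect: the username is the only argument and the new password arrives on standard input, so it never shows up in the process list. The helper path, the sudoers line, the UID floor of 1000 and the 128-character limit are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, e.g. /usr/local/sbin/webpasswd-helper (name assumed).
# Assumed sudoers entry:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/webpasswd-helper
# The web app passes the username as the only argument and writes the new
# password to the helper's stdin.
LC_ALL=C; export LC_ALL
MIN_UID=1000   # assumption: the web-only accounts start at UID 1000

# Accept only conventional login names; anything with shell or expect
# metacharacters, spaces or a leading "-" is rejected.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# True only if user $2 is listed in passwd file $1 with UID >= MIN_UID and
# shell /sbin/nologin, so root and system accounts can never be targeted.
eligible_account() {
    awk -F: -v u="$2" -v min="$MIN_UID" '
        $1 == u && $3 >= min && $7 == "/sbin/nologin" { found = 1 }
        END { exit !found }' "$1"
}

# chpasswd reads one "user:password" record per line, so a control character
# (newline, CR) inside the password could smuggle in a second record.
valid_password() {
    [ -n "$1" ] && [ "${#1}" -le 128 ] || return 1
    case "$1" in
        *[[:cntrl:]]*) return 1 ;;
    esac
}

main() {
    user=$1
    valid_username "$user" || { echo "invalid username" >&2; return 2; }
    eligible_account /etc/passwd "$user" || { echo "unknown account" >&2; return 3; }
    IFS= read -r newpw || [ -n "$newpw" ] || return 4
    valid_password "$newpw" || { echo "password rejected" >&2; return 4; }
    printf '%s:%s\n' "$user" "$newpw" | chpasswd
}

# Runs only when called with exactly one argument (the username).
if [ "$#" -eq 1 ]; then main "$1"; fi
```

Because sudo skips the old-password prompt, the web form in front of this helper still has to authenticate the user first, as the reply notes with mod_auth_pam.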