Derek Atkins wrote:
> It's using expect in a different way and this time it actually looks
> for various errors.

I see the error checks you added, but aside from that, how is it different?

> function changePassword($user, $currpwd, $newpwd) {
...
>     // Log conversation for verification
>     $log = '/tmp/passwd_' . $user . '_' . time();

I would include code here to "untaint" $user, seeing as you are passing it on the command line a few times, and that makes you vulnerable to shell meta character injection. In Perl I'd do something like:

    if ($user =~ tr/A-Za-z0-9//c) {
        die "$0: $user: illegal characters\n";
    }

(As this is a function, returning an error code and possibly a message to STDERR would be more appropriate.)

>     // Open a handle to expect in write mode
>     $p = popen('/usr/bin/expect -f -','w');

You might as well defer this statement to near the end of the function, as you don't do anything with $p until then.

>     $cmd .= "log_file -a \"$log\"\n";
> ...
>     return (trim($output[count($output)-2])
>         == 'passwd: all authentication tokens updated successfully.') ? true : false;

Now that you've cleaned up the expect script to return unique exit codes for each state, you should replace that last line with "return pclose($p);" and get rid of all the code for generating and processing the log file.

>     $cmd .= "spawn /bin/su $user -c /usr/bin/passwd\n";
>     $cmd .= "expect {\n";
>     $cmd .= "\"does not exist\" {exit 1}\n";
>     $cmd .= "\"assword: \"\n";
>     $cmd .= "}\n";
>     $cmd .= "send \"$currpwd\\r\"\n";
>     $cmd .= "expect {\n";
>     $cmd .= "\"incorrect\" {exit 2}\n";
>     $cmd .= "\"hanging password for\"\n";
>     $cmd .= "}\n";

When you're embedding another language, it is often much cleaner to use heredoc syntax, which I see PHP supports:
http://us.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

    $cmd = <<< EXPECT
    spawn /bin/su $user -c /usr/bin/passwd
    expect {
        "does not exist" {exit 1}
        "assword: "
    }
    send "$currpwd\r"
    expect {
        "incorrect" {exit 2}
        "hanging password for"
    }
    EXPECT;

A tad more readable...

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
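The allowlist check on $user and the heredoc form suggested in this message, combined in one added PHP example (not part of the original post and not the poster's code). The helper names are hypothetical, and escaping the password for Tcl is an assumption that goes beyond what the thread covers; only the portion of the expect script quoted in the message is built.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Allowlist check for the account name; same rule as the Perl tr/// test.
function isSafeUser(string $user): bool {
    return preg_match('/\A[A-Za-z0-9]+\z/', $user) === 1;
}

// Escape a value for use inside a Tcl double-quoted string (assumption:
// the thread itself only discusses $user). Control characters are refused,
// in which case null is returned.
function tclQuote(string $s): ?string {
    if (preg_match('/[\x00-\x1f\x7f]/', $s) === 1) {
        return null;
    }
    // Prefix every ASCII non-alphanumeric byte with a backslash so that
    // quotes, $, [ and ] lose their meaning to Tcl; bytes >= 0x80 pass through.
    return preg_replace('/[^A-Za-z0-9\x80-\xff]/', '\\\\$0', $s);
}

// Build the part of the expect script quoted in the thread.
// Returns null when either input fails validation.
function buildExpectScript(string $user, string $currpwd): ?string {
    $cur = tclQuote($currpwd);
    if (!isSafeUser($user) || $cur === null) {
        return null;
    }
    // "\\r" in the heredoc leaves a literal \r for expect to interpret.
    return <<<EXPECT
spawn /bin/su $user -c /usr/bin/passwd
expect {
    "does not exist" {exit 1}
    "assword: "
}
send "$cur\\r"
expect {
    "incorrect" {exit 2}
    "hanging password for"
}

EXPECT;
}

// Constructed sample inputs.
var_dump(buildExpectScript('alice; id', 'x'));   // user name with shell metacharacters
echo buildExpectScript('alice', 's3cr"et$1');    // password with Tcl-special characters
```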