SUCCESS! Re: PHP change password script
Tom Metro
tmetro-blu-5a1Jt6qxUNc at public.gmane.org
Wed May 27 16:51:26 EDT 2009
Derek Atkins wrote:
> It's using expect in a different way and this time it actually looks
> for various errors.
I see the error checks you added, but aside from that, how is it different?
> function changePassword($user, $currpwd, $newpwd) {
> ...
> // Log conversation for verification
> $log = '/tmp/passwd_' . $user . '_' . time();
I would include code here to "untaint" $user, seeing as you are passing
it on the command line a few times, and that makes you vulnerable to
shell meta character injection.
In Perl I'd do something like:
    if ($user =~ tr/A-Za-z0-9//c) {
        die "$0: $user: illegal characters\n";
    }
(As this is a function, returning an error code and possibly a message
to STDERR would be more appropriate.)
> // Open a handle to expect in write mode
> $p = popen('/usr/bin/expect -f -','w');
You might as well defer this statement to near the end of the function,
as you don't do anything with $p until then.
> $cmd .= "log_file -a \"$log\"\n";
> ...
> return (trim($output[count($output)-2])
> == 'passwd: all authentication tokens updated successfully.') ?
> true : false;
Now that you've cleaned up the expect script to return unique exit codes
for each state, you should replace that last line with "return
pclose($p);" and get rid of all the code for generating and processing
the log file.
> $cmd .= "spawn /bin/su $user -c /usr/bin/passwd\n";
> $cmd .= "expect {\n";
> $cmd .= "\"does not exist\" {exit 1}\n";
> $cmd .= "\"assword: \"\n";
> $cmd .= "}\n";
> $cmd .= "send \"$currpwd\\r\"\n";
> $cmd .= "expect {\n";
> $cmd .= "\"incorrect\" {exit 2}\n";
> $cmd .= "\"hanging password for\"\n";
> $cmd .= "}\n";
When you're embedding another language, it is often much cleaner to use
heredoc syntax, which I see PHP supports:
http://us.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc
$cmd = <<< EXPECT
spawn /bin/su $user -c /usr/bin/passwd
expect {
"does not exist" {exit 1}
"assword: "
}
send "$currpwd\r"
expect {
"incorrect" {exit 2}
"hanging password for"
}
EXPECT;
A tad more readable...
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
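
An added example, not part of the original message or of Derek's script: one way to apply the points above in PHP, with the user name checked against an allowlist and rejected with an error code, the expect script built as a heredoc, and the exit status taken from pclose(). It covers only the part of the dialogue quoted in the thread; the function names, the BAD_USER code and the Tcl quoting of the password are assumptions.

```php
<?php
// Added example, not the thread's code. Exit codes 1 and 2 come from the quoted
// expect script; BAD_USER and the function names are assumptions.
const BAD_USER = 64;

// PHP counterpart of the Perl tr/A-Za-z0-9//c test: allowlist over the whole value.
function isSafeUser(string $user): bool
{
    // \A and \z anchor the entire string; "$" would accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9]+\z/', $user) === 1;
}

// Backslash-escape the characters Tcl interprets inside a double-quoted word.
function tclQuote(string $s): string
{
    return addcslashes($s, '\\"$[');
}

// Runs the part of the dialogue quoted in the thread and returns expect's exit status.
function startPasswdDialogue(string $user, string $currpwd): int
{
    if (!isSafeUser($user)) {
        error_log('startPasswdDialogue: illegal characters in user name');
        return BAD_USER;
    }
    $cur = tclQuote($currpwd);
    // "send --" keeps a password that begins with "-" from being read as a flag.
    $cmd = <<<EXPECT
spawn /bin/su $user -c /usr/bin/passwd
expect {
    "does not exist" {exit 1}
    "assword: "
}
send -- "$cur\\r"
expect {
    "incorrect" {exit 2}
    "hanging password for"
}
EXPECT;
    // popen is deferred until the script is ready; no log file is needed.
    $p = popen('/usr/bin/expect -f -', 'w');
    if ($p === false) {
        return -1;
    }
    fwrite($p, $cmd);
    return pclose($p);
}
```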