
BLU Discuss list archive



PHP script (or other webapp) to allow users to change their password




Derek Atkins wrote:
> Hey,
> 
> I've got a linux box running some applications that require
> a "local account" (in /etc/passwd) to authenticate users.
> However I don't want to enable shell access, so I have those
> users' shell set to /sbin/nologin.   However I want to provide
> a way for these users to change their local password....
> 
> Does anyone have a good script for a webapp to let people
> change their local password?  I did find a PHP script but it
> requires sudo which I consider unsafe.

Rather than have the apache user call sudo /usr/bin/passwd, write a 
script to perform the password change with 2 args, username and new 
password. Then allow the apache user to only sudo the script. Sanitize 
the input.

> That same page also
> had a PHP function to call out to expect so that you don't
> need sudo, but it doesn't gracefully handle an incorrect username
> or incorrect "Old Password".

/etc/passwd is readable. Before executing the change password script, 
check the file for the username entered in your web form. Calling the 
script with sudo removes the need to enter the old password.


> If the user supplies an incorrect
> entry then the next entry gets printed into my http error log:


Take a look at mod_auth_pam. Require the user to log in before getting 
the form to change their password. Since the user is logged in there is 
no need to check or prompt for the old password.


> 
> send: spawn id exp16 not open
>     while executing
> "send "xxx\r""
> 
> So I'm asking the greater Boston intelligentsia for any suggestions or
> pointers, or perhaps help with my expect script (see PHP function below)
> 
> Thanks,
> 
> -derek
> 
> // change the password for the user
> function changePassword($user, $currpwd, $newpwd) {
>   $cmd = "";
> 
>   // Open a handle to expect in write mode
>   $p = popen('/usr/bin/expect','w');
> 
>   // Log conversation for verification
>   $log = '/tmp/passwd_' . $user . '_' . time();
>   $cmd .= "log_file -a \"$log\"; ";
> 
>   // Spawn the change-passwd command as $user
>   $cmd .= "spawn /bin/su $user -c /usr/bin/passwd; ";
>   $cmd .= "expect \"Password:\"; ";
>   $cmd .= "send \"$currpwd\\r\"; ";
> 
>   // Change the unix password
>   $cmd .= "expect \"(current) UNIX password:\"; ";
>   $cmd .= "send \"$currpwd\\r\"; ";
>   $cmd .= "expect \"Enter new UNIX password:\"; ";
>   $cmd .= "send \"$newpwd\\r\"; ";
>   $cmd .= "expect \"Retype new UNIX password:\"; ";
>   $cmd .= "send \"$newpwd\\r\"; ";
>   $cmd .= "expect \"passwd: password updated successfully\"; ";
> 
>   // Commit the command to expect & close
>   fwrite($p, $cmd); pclose ($p);
> 
>   // Read & delete the log
>   $fp = fopen($log,'r');
>   $output = fread($fp, 2048);
>   fclose($fp); unlink($log);
>   $output = explode("\n",$output);
> 
>   return (trim($output[count($output)-2]) == 'passwd: password updated successfully') ? true : false;
> }
> 
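The restricted helper suggested in the reply above, sketched as an added example that is not part of the original thread or anyone's posted code: the web server is allowed to sudo only this one script, which validates the username, confirms in /etc/passwd that the account is one of the /sbin/nologin users, and hands the change to chpasswd. The script path, the UID floor, the length limits and the choice to read the new password from stdin instead of a second argument are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, e.g. /usr/local/sbin/webpasswd).
# Usage: printf '%s\n' "$newpw" | sudo /usr/local/sbin/webpasswd USERNAME
# Matching sudoers line (path is hypothetical):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/webpasswd
# Assumption: the new password arrives on stdin rather than as a second
# argument, so it is not visible in the process list.
LC_ALL=C; export LC_ALL                      # byte-wise, locale-independent matching
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
ALLOWED_SHELL="/sbin/nologin"                # only the no-shell accounts from the post
MIN_UID=1000                                 # assumption: system accounts sit below this
MIN_LEN=8                                    # assumption: local length policy

# Conservative account-name allowlist: nothing a shell or expect could interpret.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# True only if the name is in the passwd file with UID >= MIN_UID and nologin shell.
account_eligible() {
    awk -F: -v u="$1" -v sh="$ALLOWED_SHELL" -v min="$MIN_UID" '
        $1 == u { ok = ($3 + 0 >= min + 0 && $7 == sh) }
        END { exit(ok ? 0 : 1) }' "$PASSWD_FILE"
}

# Length bounds, and no control characters (a newline would add a second
# "user:password" record to what chpasswd reads).
valid_password() {
    [ "${#1}" -ge "$MIN_LEN" ] && [ "${#1}" -le 128 ] || return 1
    vp_clean=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    [ "$vp_clean" = "$1" ]
}

main() {
    valid_username "$1"     || { echo "invalid username" >&2; return 2; }
    account_eligible "$1"   || { echo "account not eligible" >&2; return 3; }
    IFS= read -r newpw      || { echo "no password on stdin" >&2; return 4; }
    valid_password "$newpw" || { echo "password rejected" >&2; return 5; }
    printf '%s:%s\n' "$1" "$newpw" | /usr/sbin/chpasswd
}

if [ "$#" -ge 1 ]; then main "$1"; fi
```

The distinct exit codes let the calling web page tell a bad username from a rejected password without parsing any output.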






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org