password change

Max
Hi,

What is the best way to change passwords via php?

I was first thinking of using the chpasswd function, but even though I added
an entry for apache to be able to run chpassword via visudo, but I still get
the following error:

chpasswd: can't lock password file

I've also tried allowing apache to run passwd and get the following error:

Only root can do that.

I'm kind of just in the experimenting stage on a development server, so
security is not an issue yet. But what would be the most secure method, I've
read so many different opinions?

Thanks,
Max
Jul 17 '05 #1

suexec?
Jul 17 '05 #2
Only root can run passwd and change another user's password. You are trying to
run it from the account that owns the web server process (nobody?). That won't
work, which you have obviously discovered. If you NEED to do this, write the
username and password to a file and have a cron job owned by root to check to
see if the file exists, say, every 5 minutes and make the change. I would have 3
things in the file.

the authenticated username (HTTP_USER, I believe), and not entered from a text box.
the new password
repeat the new password

I would also create the filenames using <some_unique_identifier>.pwchng and
process any file with that extension.

In your cron script, make sure that root CANNOT be changed using this method.
(if username to be changed is root then exit)

This is off the top of my head and I would need to understand what is driving the
request for this type of access and to weigh the pros and cons before
implementing it.

Allowing your password file to be accessed from the web is a very dangerous
thing to consider. IMPO, unless you understand ALL of the ramifications of your
code, I would recommend you find another alternative.
--
Michael Austin.
Consultant - Not Available.
Jul 17 '05 #3
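
The spool-file scheme from the reply above, seen from the root cron side, as an added example (not code posted by anyone in this thread). The spool directory, the UID threshold and the function names are assumptions; it goes beyond the "root" check by also rejecting system accounts, symlinks and malformed usernames.

```shell
#!/bin/sh
# Added example: root-side cron processor for *.pwchng request files.
# SPOOL, MIN_UID, APPLY and the function names are assumptions of this sketch.
LC_ALL=C; export LC_ALL
SPOOL="${SPOOL:-/var/spool/pwchng}"  # hypothetical drop directory for the web app
MIN_UID="${MIN_UID:-1000}"           # assumed first UID of ordinary accounts
APPLY="${APPLY:-chpasswd}"           # reads "user:password" lines on stdin

lookup_uid() { id -u "$1" 2>/dev/null; }

# Print "user:password" and return 0 only when the request is safe to apply.
validate_request() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1         # regular file, not a symlink
    [ "$(wc -l < "$f")" -eq 3 ] || return 1          # username + password twice
    { IFS= read -r user; IFS= read -r pw1; IFS= read -r pw2; } < "$f"
    case $user in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;             # no ':', spaces or options
        root) return 1 ;;                            # never touch root
    esac
    [ -n "$pw1" ] && [ "$pw1" = "$pw2" ] || return 1 # both copies must match
    uid=$(lookup_uid "$user") || return 1            # account must already exist
    [ "$uid" -ge "$MIN_UID" ] || return 1            # also blocks UID-0 aliases
    printf '%s:%s\n' "$user" "$pw1"
}

# Handle every request once, delete it either way, print how many were applied.
process_spool() {
    applied=0
    for f in "$SPOOL"/*.pwchng; do
        [ -e "$f" ] || [ -L "$f" ] || continue       # glob matched nothing
        if line=$(validate_request "$f") && printf '%s\n' "$line" | $APPLY; then
            applied=$((applied + 1))
        else
            echo "pwchng: rejected $f" >&2           # visible in cron's output
        fi
        rm -f -- "$f"                                # the file holds a password
    done
    echo "$applied"
}

if [ "${1:-}" = "--run" ]; then process_spool >/dev/null; fi
```

Invoked from root's crontab with `--run`. The password goes to chpasswd on stdin, so it never appears in a process listing.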
Max
What is driving this is the need for a tech staff to be able to change
sendmail passwords via a web application. These are Microsoft people that
are not going to be able to/want to ssh to the server to change passwords.
Plus, the PHP technology is there and I want to use it. I have a very nice
application for managing Sendmail that is in the works and I'm just trying
to figure out the best approach for running the following commands,
chpasswd, adduser, usermod.

I've read about the 'writing to a file' approach and although it seems like
the most secure option, I don't like the fact that if someone in one of our
hosted domains changes a user's password, he has to wait 5 minutes. I'd like
it to be instantaneous. Any idea what the impact would be on resources to
run a cron job every 1 minute that runs a perl script that parses a file
looking for new users, changes to user data (usermod) and password changes?
Would it be minimal enough to consider as a viable option?

What I've done that has made it work, is setuid on chgpasswd (chmod 4755
/usr/sbin/chpasswd). If this is an internal app only (not accessible to the
internet) would this be a big concern? If this were accessible to the
internet, how might someone run chgpasswd outside of the app? By trying to
pipe the command just from the browser address bar? The app would obviously
have authentication and be served via SSL.

Thanks,
Max
Jul 17 '05 #4
