procmail

Re: WWW frontend to procmail?

1998-02-06 19:33:55
On Fri, 6 Feb 1998, Andrej Borsenkow wrote:
> As related question, any CGI script to change user's password without
> login? (Yes, I am aware of all security implications)

Tricky. You'll need to make sure you can run a suid cgi script, which
under suexec and Apache makes for a little work (you need a wrapper script
which execs the suid program). Then, it's a simple matter of verifying the
old password (grab their password from /etc/passwd, or from NIS/NIS+, and
compare it with a crypt of the old password preceded by the salt from the
old NIS/NIS+/passwd password (the first two characters of it are the
salt)).

If that test passes, go ahead and change the password.

It's pretty basic Perl Scripting 101. :-) For your assignment, implement
the above in C without any obvious buffer overruns. Extra credit for
posting it to BUGTRAQ and not having it torn apart inside of a week. :-)

Since I'm already waaaaaay offtopic for the procmail list, here's an
example of how I'm doing this under NIS with perl (you'll need the NIS
module from CPAN):

use strict;
use warnings;
require Net::NIS::Table;   # from the Net::NIS distribution on CPAN

# Returns 1 if $password matches the NIS passwd entry for $username, else 0.
sub valid_user
{
        my ( $username, $password ) = @_;

        # Look up the user's line in the passwd.byname map
        my $passwd = Net::NIS::Table->new( 'passwd.byname' );
        my $x = $passwd->match( $username );

        if( ! $x )
        {
                return 0;
        }

        # passwd fields: name:crypted-password:uid:gid:gecos:home:shell
        my @ypuser = split( /:/, $x );

        # The first two characters of a traditional crypt(3) hash are its
        # salt; re-hash the supplied password with that salt and compare.
        if( crypt( $password, substr( $ypuser[ 1 ], 0, 2 ) ) ne $ypuser[ 1 ] )
        {
                return 0;
        }
        return 1;
}

No guarantees about the above; it's just a quick hack for doing password
verification. Pull the NIS stuff and replace it with a simple /etc/passwd
or /etc/shadow (ah, for getspent() in perl) if you're not running NIS. Or,
if you're using NIS+, replace the NIS stuff with the appropriate
replacements from the NIS+ package on CPAN.

-- 
-------------------.  emarshal at logic.net  .---------------------------------
Edward S. Marshall  `-----------------------'   http://www.logic.net/~emarshal/

      Spammers: Please email my blacklisting service at 
"spam(_at_)logic(_dot_)net".

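Added example (not part of Edward's post): the same verification step, written for the /etc/passwd or /etc/shadow case he suggests substituting for NIS. It differs from the snippet above in two ways a practitioner would want: the whole stored hash is passed to crypt() as the salt, so traditional DES (first two characters) and the $id$salt$ formats ($1$, $5$, $6$) all verify with the same code, and the comparison is constant-time. Locked entries ("!" or "*" prefix) and empty password fields are refused. The shadow lines, user names and passwords below are constructed for the demo; the hashes are generated at run time with crypt() rather than hard-coded, so the output depends on which algorithms the local crypt(3) supports. Reading the real /etc/shadow still needs root, i.e. the suid wrapper described in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split one /etc/shadow (or /etc/passwd) line; only the first two fields,
# login name and crypted password, matter for verification.
sub parse_entry {
    my ($line) = @_;
    chomp $line;
    my ($user, $hash) = split /:/, $line;
    return ($user, $hash);
}

# Find the stored hash for $username in an array ref of entry lines.
sub find_hash {
    my ($username, $lines) = @_;
    for my $line (@$lines) {
        my ($user, $hash) = parse_entry($line);
        return $hash if defined $user && $user eq $username;
    }
    return undef;
}

# Constant-time string equality: the loop runs over every byte regardless
# of where the first mismatch is, so timing does not leak the hash prefix.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Returns 1 if $password matches the stored entry for $username, else 0.
sub valid_user {
    my ($username, $password, $lines) = @_;
    my $stored = find_hash($username, $lines);
    return 0 unless defined $stored;
    # Empty field (no password) or locked account ('!' / '*' prefix): refuse.
    return 0 if $stored eq '' || $stored =~ /^[!*]/;
    # Passing the whole stored hash as the salt lets crypt(3) pick the
    # algorithm: DES uses the first two characters, the $id$salt$ formats
    # read their own salt out of the string.
    my $computed = crypt($password, $stored);
    return 0 unless defined $computed;
    return ct_eq($computed, $stored);
}

# Read a real shadow file. Only works as root (or from the suid wrapper the
# post describes); the demo below uses constructed lines instead.
sub load_entries {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!";
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# --- Demo with constructed entries (example data, not a real shadow file) ---
my @shadow = (
    'alice:' . crypt('correct horse', 'ab') . ':10000:0:99999:7:::',    # DES
    'bob:' . crypt('battery staple', '$6$examplesalt$') . ':10000:0:99999:7:::', # SHA-512 where supported
    'carol:!' . crypt('locked out', 'cd') . ':10000:0:99999:7:::',      # locked with '!'
    'dave:*:10000:0:99999:7:::',                                          # no password set
);

my @attempts = (
    [ 'alice', 'correct horse'  ],   # expected: ok
    [ 'alice', 'wrong'          ],   # expected: rejected
    [ 'bob',   'battery staple' ],   # expected: ok
    [ 'carol', 'locked out'     ],   # expected: rejected (locked)
    [ 'dave',  ''               ],   # expected: rejected (no password)
    [ 'erin',  'whatever'       ],   # expected: rejected (unknown user)
);

for my $a (@attempts) {
    my ($user, $pw) = @$a;
    printf "%-6s %s\n", $user, valid_user($user, $pw, \@shadow) ? 'ok' : 'rejected';
}
```

Dropping the `substr(..., 0, 2)` in favour of the full hash is the one change worth carrying back into the NIS version too: it keeps working if the map is later migrated to MD5 or SHA hashes.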