[rochester-pm-list] New Member and a question

Derek Kalweit dkalweit at nesfiles.com
Wed Dec 22 18:27:28 CST 1999


> >     Hello all! I just discovered this Perl Mongers user group, and look
> > forward to meeting you all at the January meeting! I saw the site. I have
> > to say it's impressive-- I like the use of style sheets for the calendars,
> > and the colors are extremely complementary of each other. I sure do hope
> > you use a perl script to generate those calendars and don't do it by hand
> > for each month.. :->

> Heh.  Sadly, I do them by hand.  A Perl script would be nice, but it only
> takes about 5 minutes every 2 months. :)  I'm glad you like the site
> though.

Ah-- such a script should take just minutes to write! :-> You do have
use of server-side includes on that website, right?


> >     Anyways, what had me searching the web for PERL info that caused me to
> > stumble across this group, is this. I'm writing a script to help in some
> > system administration. It can only be run (or even read) by root, and it's
> > even still hidden in a directory only accessible by root. Currently, I
> > need to run this script by hand, as it calls the 'passwd' command to
> > change a couple passwords. This is tedious, and I'd like to pipe the
> > password in through my script. I know the whole idea of piping to passwd
> > is a possible security hole, and I'm sure that's why it's not working when
> > I try it (I can pipe to other apps just fine). Is there any way around
> > this, or some other way to change the passwords on the system with my
> > script? As for where the passwords to be used are stored, they're stored
> > in an SQL database on the local machine (only accessible on the local
> > machine by a specific user), and they're encrypted. Any suggestions? Thank
> > you!
 
> Well, there are quite a few ways to do this.  Doing any sort of password
> stuff is a pain though.  One method I've used before is using the
> Net::Telnet module.  You use it to telnet to localhost, log in as that
> user, then you can invoke the passwd program.  The thing with the passwd
> program is that it checks to see if it's on an interactive tty, and won't
> accept input from anything except that.  Net::Telnet acts like an
> interactive tty, so passwd never knows the difference.  This also
> eliminates the need to run suid root.
 
> One small issue with this method is you need to handle all the possible
> responses that 'passwd' could possibly throw at you, including "password
> too short", etc.  You could read this from the output stream though and
> just pass it right on to the user.
> 
> I think there's also a way to connect Net::Telnet to an already open pty,
> but I've never done it.

Good alternative, but not for me, as the users that I need to change the
passwords for don't have a valid shell (FTP access only). I'd also like to
call this as one of root's Cron jobs at specific intervals. Handling
different output from the passwd function isn't a requirement, as that's
checked before the password can be put into the SQL database-- I would
like to be able to call the passwd file as root, however, so I don't have
to worry about this output. How about telnetting to the localhost as
a valid user for this purpose, doing an 'su' (adding one barrier of
security, instead of allowing root access via telnet), and then issuing
passwd with the username? Do you think that would work?


 
> If this is a 1 time run type of thing, you could just operate on the
> passwd file directly.  It's not as safe, but much easier.

I thought about writing to the passwd file directly, but thought that it
would be a difficult proposition, considering the shadow file, passwd
file, MD5 hashing, etc-- all of which I've never touched before... How
easy would it be?


----

Derek J. Kalweit
http://www.nesfiles.com/

Visit firstlook.com-- an excellent place to try new music!
http://click.linksynergy.com/fs-bin/stat?id=GDiolOztENs&offerid=11036.12&type=4&subid=0
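
The "operate on the passwd file directly" route raised at the end of the message, as an added example in Python. This is not code from the thread or from anyone on the list. It assumes the 9-field shadow(5) layout, that the caller already has a crypt(3)-style hash for the new password (for MD5-crypt the "$1$<salt>$<digest>" form, produced elsewhere, e.g. with Perl's crypt() and a "$1$" salt prefix), and that it runs as root, which the file's permissions require anyway. SAMPLE_SHADOW and NEW_HASH are constructed test data, not a real system file or a real hash.

```python
# Added example: edit a shadow(5)-format file in place of driving passwd(1).
# Assumptions (labelled in the lead-in): 9-field shadow layout, a ready-made
# crypt(3)-style hash supplied by the caller, and root privileges for the
# real file.  SAMPLE_SHADOW / NEW_HASH are constructed data.
import os
import tempfile
import time

SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:reserved
LASTCHG_INDEX = 2   # days since 1970-01-01 of the last password change

# Constructed sample in shadow(5) layout; the hashes are placeholders.
SAMPLE_SHADOW = (
    "root:$1$saltsalt$" + "X" * 22 + ":10900:0:99999:7:::\n"
    "ftpuser:$1$oldsalt0$" + "Y" * 22 + ":10900:0:99999:7:::\n"
    "daemon:*:10900:0:99999:7:::\n"
)
# Placeholder for a hash produced by a crypt(3)-compatible routine (MD5-crypt
# shape: "$1$" + salt + "$" + 22-character digest).
NEW_HASH = "$1$newsalt1$" + "Z" * 22


def split_shadow_line(line):
    """Split one shadow(5) record into its 9 fields, rejecting malformed rows."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != SHADOW_FIELDS:
        raise ValueError("malformed shadow record: %r" % line)
    return fields


def set_shadow_hash(shadow_text, user, new_hash, today=None):
    """Return shadow_text with `user`'s hash replaced and lastchg set to `today`.

    Every other record is emitted unchanged, so an unrelated account cannot be
    corrupted by the edit.  Raises KeyError if `user` has no record.
    """
    if today is None:
        today = int(time.time() // 86400)
    # ':' separates fields and '\n' separates records; a value containing
    # either would splice an extra field or record into the file.
    if not user or ":" in user or "\n" in user:
        raise ValueError("invalid user name")
    if not new_hash or ":" in new_hash or "\n" in new_hash:
        raise ValueError("hash may not contain ':' or newline")

    out = []
    found = False
    for line in shadow_text.splitlines(keepends=True):
        fields = split_shadow_line(line)
        if fields[0] == user:
            fields[1] = new_hash
            fields[LASTCHG_INDEX] = str(today)
            line = ":".join(fields) + "\n"
            found = True
        out.append(line)
    if not found:
        raise KeyError("no such user in shadow file: %s" % user)
    return "".join(out)


def write_shadow_atomically(path, text):
    """Replace `path` with `text` via a same-directory temp file plus rename.

    Readers see either the old file or the complete new one, never a partial
    write.  Mode and ownership are copied from the original so the result is
    not left world-readable.  A production tool would additionally hold the
    lckpwdf(3) lock so a concurrent passwd(1) run cannot interleave.
    """
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".shadow.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), st.st_mode & 0o777)
            os.fchown(f.fileno(), st.st_uid, st.st_gid)
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo():
    """Change ftpuser's hash in the constructed sample; returns the new text."""
    return set_shadow_hash(SAMPLE_SHADOW, "ftpuser", NEW_HASH, today=10947)


if __name__ == "__main__":
    print(demo(), end="")
```

The example only answers the "how hard is the shadow file" question: it does nothing about the tty check that breaks piping into passwd, and it trusts the caller to have produced a valid hash with a crypt(3)-compatible routine. On a real system run it as root, take the lckpwdf(3) lock around the read-modify-write, and keep a backup of the original file before the first run.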