[rochester-pm-list] New Member and a question

The Whytes whyte at eznet.net
Wed Dec 22 21:41:46 CST 1999


I think you're on the right track. There was a similar problem discussed in tpj at

http://www.itknowledge.com/tpj/programs/Issue_10_CGI/passwd.



Derek Kalweit wrote:

> > >     Hello all! I just discovered this Perl Mongers user group, and look
> > > forward to meeting you all at the January meeting! I saw the site. I have
> > > to say it's impressive-- I like the use of style sheets for the calendars,
> > > and the colors are extremely complementary of each other. I sure do hope
> > > you use a perl script to generate those calendars and don't do it by hand
> > > for each month.. :->
>
> > Heh.  Sadly, I do them by hand.  A Perl script would be nice, but it only
> > takes about 5 minutes every 2 months. :)  I'm glad you like the site
> > though.
>
> Ah-- such a script should take just minutes to write! :-> You do have
> use of server-side includes on that website, right?
>
> > >     Anyways, what had me searching the web for PERL info that caused me to
> > > stumble across this group, is this. I'm writing a script to help in some
> > > system administration. It can only be run(or even read) by root, and it's
> > > even still hidden in a directory only accessible by root. Currently, I
> > > need to run this script by hand, as it calls the 'passwd' command to
> > > change a couple passwords. This is tedious, and I'd like to pipe the
> > > password in through my script. I know the whole idea of piping to passwd
> > > is a possible security hole, and I'm sure that's why it's not working when
> > > I try it(I can pipe to other apps just fine). Is there any way around
> > > this, or some other way to change the passwords on the system with my
> > > script? As for where the passwords to be used are stored, they're stored
> > > in an SQL database on the local machine(only accessible on the local
> > > machine by a specific user), and they're encrypted. Any suggestions? Thank
> > > you!
>
> > Well, there are quite a few ways to do this.  Doing any sort of password
> > stuff is a pain though.  One method I've used before is using the
> > Net::Telnet module.  You use it to telnet to localhost, log in as that
> > user, then you can invoke the passwd program.  The thing with the passwd
> > program is that it checks to see if it's on an interactive tty, and won't
> > accept input from anything except that.  Net::Telnet acts like an
> > interactive tty, so passwd never knows the difference.  This also
> > eliminates the need to run suid root.
>
> > One small issue with this method is you need to handle all the possible
> > responses that 'passwd' could possibly throw at you, including "password
> > too short", etc.  You could read this from the output stream though and
> > just pass it right on to the user.
> >
> > I think there's also a way to connect Net::Telnet to an already open pty,
> > but I've never done it.
>
> Good alternative, but not for me, as the users that I need to change the
> passwords for don't have a valid shell(FTP access only). I'd also like to
> call this as one of root's Cron jobs at specific intervals. Handling
> different output from the passwd function isn't a requirement, as that's
> checked before the password can be put into the SQL database-- I would
> like to be able to call the passwd file as root, however, so I don't have
> to worry about this output. How about telnetting to the localhost as
> a valid user for this purpose, doing an 'su'(adding one barrier of
> security, instead of allowing root access via telnet), and then issuing
> passwd with the username? Do you think that would work?
>
>
> > If this is a 1 time run type of thing, you could just operate on the
> > passwd file directly.  It's not as safe, but much easier.
>
> I thought about writing to the passwd file directly, but thought that it
> would be a difficult proposition, considering the shadow file, passwd
> file, MD5 hashing, etc-- all of which I've never touched before... How
> easy would it be?
>
> ----
>
> Derek J. Kalweit
> http://www.nesfiles.com/
>
> Visit firstlook.com-- an excellent place to try new music!
> http://click.linksynergy.com/fs-bin/stat?id=GDiolOztENs&offerid=11036.12&type=4&subid=0
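
An added example, not part of the thread and not code from any of its authors: one way to set a password from a root cron job without a tty is to hash it with crypt() and hand the result to `chpasswd -e` on stdin, which also works for accounts with no valid shell. The sub names, the `/usr/sbin/chpasswd` path, the user-name pattern and the `$6$` (SHA-512 crypt) scheme are assumptions about the target system.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Run as root, e.g. from cron.
use strict;
use warnings;

# Assumed location of chpasswd from the shadow utilities.
my $CHPASSWD = '/usr/sbin/chpasswd';

# Random 16-character salt. '$6$' asks crypt(3) for SHA-512 crypt
# (assumption: glibc); '$1$' would be the MD5 scheme mentioned in the thread.
sub make_salt {
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');   # 64 symbols
    open(my $rnd, '<:raw', '/dev/urandom') or die "urandom: $!\n";
    my $got = read($rnd, my $bytes, 16);
    die "short read from /dev/urandom\n" unless defined $got && $got == 16;
    close($rnd);
    return '$6$' . join('', map { $chars[ord($_) % 64] } split(//, $bytes)) . '$';
}

sub hash_password {
    my ($plain) = @_;
    my $hash = crypt($plain, make_salt());
    # An unsupported scheme yields undef or a short error token, never '$6$...'.
    die "crypt() cannot produce a \$6\$ hash here\n"
        unless defined($hash) && $hash =~ /^\$6\$/;
    return $hash;
}

sub set_password {
    my ($user, $hash) = @_;
    # Conservative name check (hypothetical policy); ':' or newline in either
    # field would inject extra records into chpasswd's input.
    die "bad user name\n" unless $user =~ /^[a-z_][a-z0-9_-]*\z/;
    die "bad hash\n" if $hash =~ /[:\n]/;
    # List-form pipe open: no shell, and the hash goes over stdin, so it
    # never shows up in the process list the way an argv value would.
    open(my $cp, '|-', $CHPASSWD, '-e') or die "cannot run $CHPASSWD: $!\n";
    print {$cp} "$user:$hash\n";
    close($cp) or die "chpasswd failed, status $?\n";
}

unless (caller) {
    my $user = shift @ARGV or die "usage: $0 USER < password-on-stdin\n";
    my $plain = <STDIN>;
    die "no password on stdin\n" unless defined $plain;
    chomp $plain;
    set_password($user, hash_password($plain));
}
```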