[PHP] Change linux password using php

2001-10-04 Thread Sigurd Magnusson

What is the best way to change linux passwords using a web .PHP interface? 
I currently allow FTP access to php enabled webhosting sites; which use 
safe mode, thus use real linux accounts.

Thus far I thought I would:

Write a real short C program which would call allow to go
setpasswd  
passwd could perhaps be the crypt() version to provide better security?
it would just call passwd, and ensure that username is not 'root' and a
few other accounts ;)

Then I would put that program within the directory of executables allowed 
in safe mode. And just have a plain http post form to update the password, 
running over HTTPS.

Does this seem a good plan ... or are there better?

It also begs the question; how do I authenticate an account using php ...  
to log in to their 'change password' feature? I have already spent a lot of 
time trying to merge password files for different uses; Windows 
shares, Linux ones, for samba, and this and that, so it'd be nice to now 
have yet another passwd file :)

Siggy

-- 
Sigurd Magnusson
Director
www.totallydigital.co.nz

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] Re: Restrict where PHP is Usable?

2001-10-04 Thread Sigurd Magnusson

Richard Lynch wrote:

> httpd.conf
> php_value Engine Off or somesuch...
> 
> --
> WARNING [EMAIL PROTECTED] address is an endangered species -- Use
> [EMAIL PROTECTED]
> Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
> Volunteer a little time: http://chatmusic.com/volunteer.htm



It's "php_flag engine off"

---

You might be interested in this too:

Copied from http://www.php.net/manual/en/features.safe-mode.php

If you do virtual hosting, you can turn safe mode on and off for different 
Apache Virtual Hosts using the php_admin_value directive. This also allows 
you to have customised maximum execution times, disabled functions, etc. By 
placing a base_dir for each virtual host, this means PHP CANNOT access 
files below this hierarchy; strongly recommended for customer hosting.

Eg:

<VirtualHost 127.0.0.1:80>
 DocumentRoot /var/www/html/safephphost/
 ServerName safephp
 php_admin_value safe_mode 1
 php_admin_value open_basedir /var/www/html/safephphost/
 php_admin_value sendmail_from phobo#paradise.net.nz
</VirtualHost>

Siggy



> - Original Message -
> From: Matthew Walker <[EMAIL PROTECTED]>
> Newsgroups: php.general
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 02, 2001 4:30 PM
> Subject: Restrict where PHP is Usable?
> 
> 
>> I've seen this done before on servers, but I'm not sure how to do it.
>>
>> Is there a way to restrict PHP to certain directories, so that it can
>> only be used by files within those directories?
>>
>> For example: I'm starting a web page hosting service, and I'd like to
>> make it so that most users can't use PHP. They'll have to pay a (very
>> small) monthly fee to have access to it. This is partly as a very loose
>> security measure, so that not everyone has access to PHP.
>>
>> --
>> Matthew Walker
>> Ecommerce Project Manager
>> Mountain Top Herbs
>>
> 
> 

-- 
Sigurd Magnusson
Director
www.totallydigital.co.nz





Re: [PHP] Change linux password using php

2001-10-05 Thread Sigurd Magnusson

Thanks for the replies,
Don't worry about the Mandrake-specific stuff; I'm on Red Hat, although it 
seems to be the same as what you're talking about.

My shadow is in format:
 fakeaccount:$1$5PXJfLSQ$LSxsnZfHzBrkDdT2NZefK.:11600:0:9:7::: 

(the password was 'password')

I probably would not have the .php script make the changes; it would need 
to run as root and I can't have that. I would make a simple C program which 
would go 'changepwd  ' as I said before. 
This means I can have that run as root, and -know- all it will do is change 
passwords. Yeah, I would probably put the requirement to put in old password 
as well, although to get to that screen you need to get there anyway ...


Evan Nemerson wrote:

> Here's what I got from the mandrake security mailing list so far:
> 
> 
> 
> 
> This is strange. I was just going to write a mail to this list about
> this. it seems that /etc/shadow accepts both crypt passwords (the short
> passwd) and MD5 passwords. (34 characters with $ and slashes does seem
> to me like md5). I found this because I was transferring users between
> servers so I copy and pasted the passwords and it worked on both
> occasions. very strange...
> 
> Bye
> --
> Haim
> 
> On Thu, Oct 04, 2001 at 11:07:57PM -0700, Evan Nemerson wrote:
>> Does anyone know what algorithm is used on the passwords in the
>> /etc/shadow or /etc/passwd files? All the documentation I can find says
>> crypt is used with two characters of salt which should output 13
>> characters. However my shadow file shows 34 character strings with dollar
>> signs and slashes (shouldn't the output be alpha-numeric???). I already
>> checked md5- nope.
>> 
>> Please reply to my e-mail address since i don't subscribe to this list
>> (sorry, but i get enough php-general to keep me busy).
>> 
>> 
>> Thanks in advance,
>> Evan Nemerson
>> 
>>
> 

-- 
Sigurd Magnusson
Chief Programmer, Director
Totally Digital
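
The 34-character field in the sample entry above is MD5-crypt: "$1$", a salt of up to 8 characters, "$", then 22 characters in crypt's own ./0-9A-Za-z alphabet, so it is not a plain MD5 digest, and the older 13-character DES form can sit beside it in the same file. An added example (not code from the thread; function names are assumptions) that parses the quoted entry and classifies the field by format:

```c
#include <stdio.h>
#include <string.h>

/* crypt(3) output uses its own 64-character alphabet, hence '.' and '/'. */
static int in_crypt_alphabet(const char *s, size_t n)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\0' || !strchr(set, s[i]))
            return 0;
    return 1;
}

/* Copy field 2 (the password hash) of a shadow line; -1 if malformed. */
int shadow_hash_field(const char *line, char *out, size_t outsz)
{
    const char *start = strchr(line, ':');
    if (!start) return -1;
    size_t len = strcspn(++start, ":");
    if (start[len] != ':' || len >= outsz) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Classify a hash field by format only; nothing is verified or cracked. */
const char *hash_scheme(const char *h)
{
    if (h[0] == '\0') return "empty";
    if (h[0] == '!' || h[0] == '*') return "locked";
    if (strncmp(h, "$1$", 3) == 0) {
        const char *salt = h + 3;
        size_t n = strcspn(salt, "$");
        int ok = n <= 8 && salt[n] == '$' && in_crypt_alphabet(salt, n) &&
                 strlen(salt + n + 1) == 22 && in_crypt_alphabet(salt + n + 1, 22);
        return ok ? "md5-crypt" : "unknown";
    }
    if (strlen(h) == 13 && in_crypt_alphabet(h, 13)) return "des-crypt";
    return "unknown";
}

int main(void)
{
    const char *line = "fakeaccount:$1$5PXJfLSQ$LSxsnZfHzBrkDdT2NZefK.:11600:0:9:7:::";
    char hash[128];
    if (shadow_hash_field(line, hash, sizeof hash) != 0) return 1;
    printf("%zu chars: %s\n", strlen(hash), hash_scheme(hash));
    return 0;
}
```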
