NYCPHP Meetup

NYPHP.org

[nycphp-talk] Changing UNIX shadow passwords with PHP

Rolan Yang rolan at omnistep.com
Tue Mar 15 14:20:17 EST 2005


Look into sudo. You can sudo the "/usr/bin/passwd" file so that it can 
be run as the user of your apache (probably "nobody" or "apache" or 
"http"), then do a
system("/usr/bin/passwd $user $password");
in php. This method would make a sysadmin a bit nervous though.

Another safer way to go about it would be to append all password 
requests to a designated file, in the format "username:password" then 
create a root owned cron script which runs "/usr/sbin/chpasswd 
<thefile>" every minute or so. You would want to employ some method of 
file locking within the cron script and also the php script because if 
the job runs while the php script is writing to the file, odd things can 
happen.

~Rolan

Atul Ohri wrote:

> Hey Everyone…
>
> I’ve been trying to figure out a simple yet secure way to allow user’s 
> with mailboxes on any of our servers to change their passwords via the 
> web. I have done extensive research on the web and haven’t found 
> anything promising regarding doing this in PHP. It seems I may be able 
> to accomplish it with a Perl script and then I could wrap that Perl 
> script around a PHP interface but I’m not even sure that would work. 
> The passwords are stored in a shadow passwd file format so however I 
> accomplish this I would have to change to root to make changes to the 
> /etc/shadow file. Would I have to use SUID to accomplish this? Does 
> anyone know of any PHP scripts that could help me accomplish my goal? 
> I’m sure someone somewhere has the need for a script like this… 
> Naturally all of this would take place over a secure connection.
>
> So does anyone have any advice on how I can accomplish this in PHP?
>
> Atul
>
>------------------------------------------------------------------------
>
>  
>



More information about the talk mailing list