On Tue, Jun 01, 2004 at 07:21:39PM +0300, Peter Pentchev wrote:
> On Tue, Jun 01, 2004 at 06:53:43PM +0300, Vladimir Smolensky wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > 
> > > The problem is that I don't feel like writing the web interface itself,
> > > i.e. the part with Apache.  I need a super-simple CGI script.  It probably
> > > seems elementary to you, since you aren't giving me any hints ;-), but I
> > > have never made even a single web form.
> > > 
> > > Антон Зиновиев
> > > ============================================================================
> > 
> > 
> > [cut]
> > <?php
> > 
> > if($_REQUEST['pass1'] !== $_REQUEST['pass2'] ) {
> >   echo "passwords do not match";
> >   exit;
> > }
> > // other checks
> > 
> > $crypted_pass = crypt($_REQUEST['pass1']);
> > 
> > 
> > system ( "....sudo..... usermod -p $crypted_pass $_SESSION[username]", $result);
> 
> Mmm... yes, but what do you do when your user enters a lusername with a
> space or something like that... and it turns out that a space is a valid
> character for lusernames? :)
> 
> Okay, here it is in Perl too, just in case... and yes, I have heard of the
> CGI module, but I wanted to do it quickly ;)

Arrrrrgh... Some day I will learn not to do things like this: yes, .pl files
may well not get through quite a few mail filters :((

Okay, here it is inline as well, after the signature :)

Regards,
Петър

-- 
Peter Pentchev  [EMAIL PROTECTED]    [EMAIL PROTECTED]    [EMAIL PROTECTED]
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
When you are not looking at it, this sentence is in Spanish.




#!/usr/bin/perl -wT

=pod

=head1 NAME

changepass.pl - a trivial CGI script for changing passwords

$Ringlet: perl/www/changepass/changepass.pl,v 1.1 2004/06/01 16:21:13 roam Exp $

=head1 DESCRIPTION

Makes an attempt to change a system user's password.

=cut

use strict;

sub get_vars($);
sub change_pass(%);

=pod

=head1 FUNCTIONS

=over 4

=item MAIN

The main routine - examines the parameter string, and if the required
parameters are passed in, invokes C<change_pass()>, otherwise invokes
C<display_form()>.

=cut

MAIN:
{
        my ($q, %q);
        
        $q = $ENV{'QUERY_STRING'};
        %q = ();
        %q = get_vars($q) if (defined($q) && $q ne '');
        if (defined($q{'username'}) && defined($q{'password'}) &&
            defined($q{'submit'})) {
                &change_pass(%q);
        } else {
                &display_form();
        }
        exit(0);
}

=pod

=item get_vars($query_string)

Parses a CGI query string into a hash of var/val pairs.

=cut

sub get_vars($)
{
        my $s = $_[0];
        my %h = ();
        my ($key, $val);

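        foreach my $v (split(/&/, $s)) {
                $v =~ s/[+|]/ /g;
                # Split on the first '=' only; a missing value becomes ''.
                ($key, $val) = split(/=/, $v, 2);
                next unless defined($key);
                $val = '' unless defined($val);
                # Decode %XX escapes; "C" (unsigned) also covers bytes >= 0x80.
                $key =~ s/%([[:xdigit:]]{2})/pack("C",hex($1))/ge;
                $val =~ s/%([[:xdigit:]]{2})/pack("C",hex($1))/ge;
                $h{$key} = $val;
        }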
        return %h;
}

=pod

=item display_form()

Display the info entry form.

=cut

sub display_form()
{
        print <<EOF
Content-type: text/html; charset=us-ascii

<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
  <title>Password changer</title>
</head>
<body>
  <h1>Password changer</h1>

  <form method="GET">
  <table border="0">
    <tr>
      <td>Username:</td>
      <td><input type="text" name="username"></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input type="text" name="password"></td>
    </tr>
    <tr>
      <td><input type="submit" name="submit" value="Change it"></td>
      <td>&nbsp;</td>
    </tr>
  </table>
  </form>
</body>
</html>
EOF
}

=pod

=item change_pass(%data)

Invokes I<sudo(8)> and I<pw(8)> to change the user's password.  Expects
C<$data{'username'}> and C<$data{'password'}> to be defined.

=cut

sub change_pass(%)
{
        my %h = @_;
        my $pid;

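        # Untaint the username: under -T only a regex capture gives a value
        # that may be passed on to exec().
        if ($h{'username'} =~ /^([\w\d_.-]+)$/) {
                $h{'username'} = $1;
        } else {
                # Reject anything else instead of running pw(8) with an
                # empty name.
                &display_form();
                return;
        }
        # Drop the environment variables that taint mode refuses to trust.
        delete @ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};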
        if (!defined($pid = open(PW, '|-'))) {
                die("fork(): $!\n");
        } elsif ($pid == 0) {
                exec('/usr/local/bin/sudo', '/usr/sbin/pw', 'usermod', '-n',
                    $h{'username'}, '-h', '0');
                die("exec(): $!\n");
        }
        print PW "$h{password}\n";
        close(PW);
        print <<EOF
Content-type: text/html; charset=us-ascii

<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
  <title>Password changer</title>
</head>
<body>
  <h1>Password changer</h1>

  <p>An attempt was made to change the password.  No idea whether we made it
    :)</p>
</body>
</html>
EOF
}

=pod

=back

=head1 BUGS

=over 4

=item *

no attempt is made to handle or even detect password change errors;

=item *

no attempt is made to authenticate the user before changing the password;

=item *

the I</usr/local/bin/sudo> and I</usr/sbin/pw> locations are hard-coded;

=item *

I believe Anton wanted I<chfn(1)>, too, but oh well ;)

=back

=cut
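
The difference between the single command string passed to system() in the PHP snippet and the argument list passed to exec() in changepass.pl, as an added example that is not part of the original thread. The child process only prints the arguments it receives; the hash and username values are constructed, and the helper names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run a command with no shell involved (list-form pipe open) and
# return the lines it prints.
sub output_lines {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!\n";
    chomp(my @lines = <$fh>);
    close($fh);
    return @lines;
}

# String form, like the PHP system() call: /bin/sh parses one string.
# The child is this perl, printing each argument it received.
sub argv_via_shell {
    my ($hash, $user) = @_;
    my $cmd = join(' ', "'$^X'", '-le', q{'print for @ARGV'},
        'usermod', '-p', $hash, $user);
    return output_lines('/bin/sh', '-c', $cmd);
}

# List form, like exec() in changepass.pl: each value is one argument.
sub argv_via_list {
    my ($hash, $user) = @_;
    return output_lines($^X, '-le', 'print for @ARGV',
        'usermod', '-p', $hash, $user);
}

# Character class equivalent to the one in changepass.pl, anchored
# with \z; returns undef when the name does not match.
sub clean_username {
    my ($raw) = @_;
    return $raw =~ /^([\w.-]+)\z/ ? $1 : undef;
}

# Constructed sample values, not taken from the thread.
my $hash = '$1$saltsalt$hashhashhash';
my $user = 'john smith';

print "shell: [", join('] [', argv_via_shell($hash, $user)), "]\n";
print "list:  [", join('] [', argv_via_list($hash, $user)), "]\n";
print "check: ", (defined clean_username($user) ? "accepted" : "rejected"), "\n";
```

In the string form /bin/sh expands the `$` sequences of the crypt() hash and splits the username at the space, so the command sees different arguments than the script intended; the list form delivers both values unchanged, and the validation step rejects the name before anything is executed.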
