Re: User password change using web. Suggestions?

2000-10-27 Thread Daniel Dagneaux

I have implemented this into sqwebmail + SSL: qmail + mysql + virtual maildir
and authmysql only environment; only the crypted password in DB is checked
for all applications: pop3 + checkpasswd (local), courier imapd (local)
and sqwebmail+SSL (web Internet and local).

The user account is created first in the DB (id, primary crypted password,
group, alias and full_name) with phpMyAdmin.

Sqwebmail creates home_dir (home_root predefined + group + id) and maildirs
for the user on the first Web connection, and allows modifying password and
forwards only (qmail is modified to use forwards in DB). Other connections
are disabled before this first connection.

The qmail administrator can change all parameters (password, quota, alias,
full name, expiration, forwards,...) in DB with phpMyAdmin (only one web
tool for all administration). Qmail DB tables are synchronized between all
applications.

This is made for our local environment; it is not easy to port to other
cases, because I am not a professional programmer (autoconf not used).

Bye

DD

- Original Message -
From: "Philip Tong" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 27, 2000 4:40 AM
Subject: User password change using web. Suggestions?


 What is a good method to allow users to have their mail password changed
 using a Web Browser?

 What are the security issues that I need to look into?

 TIA







Re: User password change using web. Suggestions?

2000-10-27 Thread Sean Reifschneider

On Fri, Oct 27, 2000 at 10:43:58AM +0800, Philip Tong wrote:
> What is a good method to allow users to have their mail password changed
> using a Web Browser?

The recent versions of "passwd" on Linux have the ability to change the
password by piping the password in.  This means that changing the system
password of a user can be done fairly easily by program.

> What are the security issues that I need to look into?

The typical CGI-sorts of issues you'll need to check for.  You know,
like if the user name entered is "jafo;rm -rf /", you probably don't
want to do: system("su root -c 'passwd %s'" % userName)...

Sean
-- 
 "Isn't having a smoking section in a restaurant kind of like having a
 peeing section in a swimming pool?"  -- David Broadfoot
Sean Reifschneider, Inimitably Superfluous [EMAIL PROTECTED]
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
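
Added example, not part of the original post: the string-built command from the message above next to a version that validates the user name, skips the shell entirely, and pipes the new password to passwd on stdin. It assumes a passwd that accepts --stdin (as on Red Hat-style systems); the user-name pattern and the function names are illustrative assumptions.

```python
import re
import subprocess

# Assumption: a conservative account-name policy; adapt it to the site's rules.
# The first character cannot be "-", so a name can never be read as an option.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def unsafe_command(user_name):
    """The pattern from the post: input is pasted into a shell command line,
    so shell metacharacters in the name are interpreted by the shell."""
    return "su root -c 'passwd %s'" % user_name


def build_passwd_call(user_name, new_password):
    """Return (argv, stdin_bytes) for the change, or raise ValueError."""
    if not USERNAME_RE.fullmatch(user_name):
        raise ValueError("invalid user name")
    # passwd reads one line from stdin: an embedded newline or other control
    # character would truncate or corrupt the password, so reject them.
    if not new_password or any(ord(c) < 32 or ord(c) == 127 for c in new_password):
        raise ValueError("invalid password")
    # argv is a list: each element reaches passwd as one argument, unparsed.
    argv = ["passwd", "--stdin", user_name]
    return argv, (new_password + "\n").encode()


def change_password(user_name, new_password, run=subprocess.run):
    """Run passwd without a shell; `run` is injectable so it can be tested."""
    argv, data = build_passwd_call(user_name, new_password)
    result = run(argv, input=data, capture_output=True, shell=False, check=False)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample input: the hostile name quoted in the post.
    hostile = "jafo;rm -rf /"
    print("string-built command:", unsafe_command(hostile))
    try:
        build_passwd_call(hostile, "example-password")
    except ValueError as err:
        print("validated version rejects it:", err)
    print("argv for a valid name:", build_passwd_call("jafo", "example-password")[0])
```

The password never appears on a command line, so it does not show up in process listings; the caller still has to authenticate the user (old password check) before calling change_password.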



RE: User password change using web. Suggestions?

2000-10-27 Thread Wesley Wannemacher

This may be off base, but I normally set the default shell for most
users to be /bin/passwd. Then spawn a telnet process to the local
machine. Once the process is logged on, the process will be prompted
for a new passwd. This is good, because no one needs root permissions
through the web. I use a combination of Perl and expect to make it
work.

Wes

Wesley A. Wannemacher
[EMAIL PROTECTED]
Instructor, Network Administrator
University of Northwestern Ohio
http://www.unoh.edu

 -Original Message-
 From: Philip Tong [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 26, 2000 10:44 PM
 To: [EMAIL PROTECTED]
 Subject: User password change using web. Suggestions?


 What is a good method to allow users to have their mail password changed
 using a Web Browser?

 What are the security issues that I need to look into?

 TIA