Re: User password change using web. Suggestions?
I have implemented this into sqwebmail + SSL: qmail + mysql + virtual maildir and authmysql only environment. Only the crypted password in the DB is checked for all applications: pop3 + checkpasswd (local), courier imapd (local) and sqwebmail+SSL (web Internet and local).

The user account is created first in the DB (id, primary crypted password, group, alias and full_name) with phpMyAdmin. Sqwebmail creates the home_dir (home_root predefined + group + id) and maildirs for the user at the first Web connection, and allows modifying the password and forwards only (qmail is modified to use forwards in the DB). Other connections are disabled before this first connection.

The QMAIL administrator can change all parameters (password, quota, alias, full name, expiration, forwards,...) in the DB with phpMyAdmin (only one web tool for all administration). Qmail DB tables are synchronized between all applications.

This is made for our local environment; it is not easy to port to other cases, because I am not a professional programmer (autoconf not used).

Bye
DD

----- Original Message -----
From: "Philip Tong" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 27, 2000 4:40 AM
Subject: User password change using web. Suggestions?

What is a good method to allow users to have their mail password changed using a Web Browser?
What are the security issues that I need to look into?

TIA
Re: User password change using web. Suggestions?
On Fri, Oct 27, 2000 at 10:43:58AM +0800, Philip Tong wrote:
> What is a good method to allow users to have their mail password changed using a Web Browser?

The recent versions of "passwd" on Linux have the ability to change the password by piping the password in. This means that changing the system password of a user can be done fairly easily by program.

> What are the security issues that I need to look into?

The typical CGI-sorts of issues you'll need to check for. You know, like if the user name entered is "jafo;rm -rf /", you probably don't want to do: system("su root -c 'passwd %s'" % userName)...

Sean
--
"Isn't having a smoking section in a restaurant kind of like having a peeing section in a swimming pool?" -- David Broadfoot
Sean Reifschneider, Inimitably Superfluous [EMAIL PROTECTED]
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
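The CGI issue raised in the message above and a shell-free alternative, as an added example that is not part of the original thread. `shell_view` only tokenizes the string to show how a shell would split it; `change_password` assumes a Red Hat style `passwd` that accepts `--stdin`, and the function names, the user-name pattern and the `/usr/bin/passwd` path are assumptions.

```python
import re
import shlex
import subprocess

# Conservative allowlist for local account names (assumed site policy).
# It also rejects a leading "-", which passwd would read as an option.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def shell_view(user_name):
    """Split the text `su -c` would hand to /bin/sh into separate commands."""
    inner = "passwd %s" % user_name  # same formatting as the quoted one-liner
    lexer = shlex.shlex(inner, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            commands.append(current)  # a separator starts a new command
            current = []
        else:
            current.append(token)
    commands.append(current)
    return commands


def change_password(user_name, new_password, run=subprocess.run):
    """Validate both inputs, then call passwd with an argv list, no shell."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not USERNAME_RE.fullmatch(user_name):
        raise ValueError("rejected user name")
    if not new_password or any(c in new_password for c in "\r\n\0"):
        raise ValueError("rejected password")
    # Each list element reaches passwd as exactly one argument.
    # --stdin is the Red Hat passwd option (assumption about the installed passwd).
    argv = ["/usr/bin/passwd", "--stdin", user_name]
    # The password travels on stdin, so it never shows up in the process list.
    return run(argv, input=(new_password + "\n").encode(), check=True)


if __name__ == "__main__":
    # The thread's example input, only tokenized here, never executed.
    print(shell_view("jafo;rm -rf /"))
```

The `run` parameter exists so the call can be exercised with a stub; in production it stays at its default of `subprocess.run`.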
RE: User password change using web. Suggestions?
This may be off base, but I normally set the default shell for most users to be /bin/passwd. Then spawn a telnet process to the local machine. Once the process is logged on, the process will be prompted for a new passwd. This is good, because no one needs root permissions through the web. I use a combination of Perl and expect to make it work.

Wes

Wesley A. Wannemacher [EMAIL PROTECTED]
Instructor, Network Administrator
University of Northwestern Ohio
http://www.unoh.edu

-----Original Message-----
From: Philip Tong [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 26, 2000 10:44 PM
To: [EMAIL PROTECTED]
Subject: User password change using web. Suggestions?

What is a good method to allow users to have their mail password changed using a Web Browser?
What are the security issues that I need to look into?

TIA