Re: Can't do setuid

>  - Require SSL for the entire transaction.

Yep. I do that. Plus I require that they log in against htaccess.

>  - Have the user enter his/her old password, as well as the new password
> twice.

So far, so good :) We're on the same page

>  - Write a program that takes the username, old password, and new
> password on stdin.  It should validate that the old password is correct,
> and then set the user's password to the new one.  I'd probably write the
> helper program in C, but Perl or Python isn't probably too bad as
> security risks if you're not comfortable with writing secure C programs.
>  - Have your CGI take the username, old password, and two new
> passwords.  It should check that the two new passwords match, and then
> run your helper program above, passing the username and passwords over
> the helper's stdin.  If you wrote the helper program in C, you can make
> it setuid; otherwise, you should run it with sudo.

So I guess my next post is to the perl group. I think all of the above is 
pretty doable. The only stumbling block that I see is passing errors from 
the sudo'd app back to the cgi app so that if their original password is 
typed incorrectly, it won't make the change.

thanks -c
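The open question in the reply above is how the CGI learns whether the sudo'd helper accepted the old password. The following is an added example (not code from this thread); it shows the CGI side of the scheme in Python, which the quoted reply also suggests, rather than Perl: secrets go to the helper over stdin only, and the helper's exit status decides whether the change is reported as done. The helper path and the exit-code contract are assumptions, and `fake_runner` stands in for sudo so the flow can be exercised offline.

```python
import logging
import subprocess
from typing import Callable, Tuple

# Hypothetical helper path: it must match the command the web server user is
# allowed to run in sudoers (a NOPASSWD rule for exactly this path, no args).
HELPER = "/usr/local/sbin/passwd-helper"

# Assumed exit-code contract for the helper; the thread does not define one.
EXIT_OK = 0                 # password changed
EXIT_BAD_OLD_PASSWORD = 2   # old password did not verify, nothing changed

Runner = Callable[[str], subprocess.CompletedProcess]


def run_helper(stdin_text: str) -> subprocess.CompletedProcess:
    """Run the helper under sudo, passing secrets only on stdin (never argv,
    which is visible in `ps`). `-n` makes sudo fail instead of hanging if it
    would need to prompt for a password."""
    return subprocess.run(["sudo", "-n", HELPER], input=stdin_text,
                          capture_output=True, text=True)


def change_password(username: str, old_pw: str, new_pw: str, new_pw2: str,
                    runner: Runner = run_helper) -> Tuple[bool, str]:
    """CGI-side logic: check the two new passwords match, then delegate the
    old-password check and the change itself to the helper. Returns
    (changed, message); the message is safe to show to the user, while the
    helper's stderr is only logged, never echoed back to the browser."""
    if new_pw != new_pw2:
        return False, "The two new passwords do not match."
    # One field per line is the helper's protocol, so a newline inside a
    # field would let a caller smuggle extra lines into it.
    if any("\n" in f or "\r" in f for f in (username, old_pw, new_pw)):
        return False, "Invalid characters in input."
    proc = runner(f"{username}\n{old_pw}\n{new_pw}\n")
    if proc.returncode == EXIT_OK:
        return True, "Password changed."
    if proc.returncode == EXIT_BAD_OLD_PASSWORD:
        return False, "Old password is incorrect; nothing was changed."
    # sudo refused, helper crashed, or anything unexpected: fail closed.
    logging.error("helper exited %d: %s", proc.returncode, proc.stderr.strip())
    return False, "Password change failed; please contact the administrator."


def fake_runner(returncode: int, stderr: str = "") -> Runner:
    """Stand-in for run_helper so the flow can be exercised without sudo."""
    return lambda _stdin: subprocess.CompletedProcess(
        args=["sudo", "-n", HELPER], returncode=returncode, stdout="", stderr=stderr)
```

In production the web server user's sudoers entry should allow exactly `HELPER` with no arguments, so the only data the helper ever receives from the CGI is the three stdin lines.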

