Re: Can't do setuid
> - Require SSL for the entire transaction.
>
Yep. I do that. Plus I require that they log in against htaccess
authentication.
> - Have the user enter his/her old password, as well as the new password
> twice.
>
So far, so good :) We're on the same page
> - Write a program that takes the username, old password, and new
> password on stdin. It should validate that the old password is correct,
> and then set the user's password to the new one. I'd probably write the
> helper program in C, but Perl or Python isn't probably too bad as
> security risks if you're not comfortable with writing secure C programs.
>
> - Have your CGI take the username, old password, and two new
> passwords. It should check that the two new passwords match, and then
> run your helper program above, passing the username and passwords over
> the helper's stdin. If you wrote the helper program in C, you can make
> it setuid; otherwise, you should run it with sudo.
>
So I guess my next post is to the perl group. I think all of the above is
pretty doable. The only stumbling block that I see is passing errors from
the sudo'd app back to the cgi app so that if their original password is
typed incorrectly, it won't make the change.
thanks -c
-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
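The design quoted above (helper reads username, old and new password on stdin, verifies the old one, installs the new one; the CGI checks the two new passwords match and invokes the helper) and the stumbling block raised in the reply (getting a "wrong old password" result back to the CGI) can both be shown in one small program. The following is an added example, not code from the list thread; it uses Python, one of the languages the quoted advice names. It assumes a constructed exit-code convention for the helper, an in-memory dict with PBKDF2 hashes standing in for the real password database, and a demo account with a fixed salt; the sudo command path in the usage note is a placeholder.

```python
import hashlib
import hmac
import os
import subprocess
import sys

# Exit codes the helper reports to the CGI (constructed convention for this example).
EXIT_OK = 0
EXIT_BAD_OLD_PASSWORD = 1
EXIT_BAD_INPUT = 2
EXIT_UNKNOWN_USER = 3


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-SHA256 digest; stands in for the system's password hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password):
    """Fresh salt + hash for a password (what the helper writes on success)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def helper_change_password(stdin_text, store):
    """Helper-side logic (the part that would run setuid or under sudo).

    Reads 'username\\nold\\nnew\\n' from stdin, verifies the old password
    against `store` (in-memory stand-in for the password database), installs
    the new one only if the old one matched, and returns the exit status that
    tells the CGI what happened."""
    lines = stdin_text.split("\n")
    if len(lines) < 3:
        return EXIT_BAD_INPUT
    username, old_pw, new_pw = lines[0], lines[1], lines[2]
    if not username or not new_pw:
        return EXIT_BAD_INPUT
    rec = store.get(username)
    if rec is None:
        return EXIT_UNKNOWN_USER
    # Constant-time compare so the helper does not leak hash bytes via timing.
    if not hmac.compare_digest(hash_password(old_pw, rec["salt"]), rec["hash"]):
        return EXIT_BAD_OLD_PASSWORD  # nothing is changed on this path
    store[username] = new_record(new_pw)
    return EXIT_OK


def run_helper(command, username, old_pw, new_pw1, new_pw2):
    """CGI-side logic: check the two new passwords match, run the helper with the
    credentials on its stdin (never on argv, which `ps` exposes), and map the
    helper's exit status to (success, user-facing message)."""
    if new_pw1 != new_pw2:
        return False, "The two new passwords do not match."
    # A newline in any field would let one field spill into the next line of the
    # helper's stdin protocol, so reject it before building the input.
    if any("\n" in field for field in (username, old_pw, new_pw1)):
        return False, "Invalid characters in input."
    proc = subprocess.run(
        command,
        input=f"{username}\n{old_pw}\n{new_pw1}\n",
        capture_output=True,
        text=True,
        timeout=30,
    )
    # Helper stderr is deliberately not shown to the browser; log it server-side.
    messages = {
        EXIT_OK: "Password changed.",
        EXIT_BAD_OLD_PASSWORD: "Current password incorrect; nothing changed.",
        # Same message as a bad password so the form does not reveal which
        # account names exist.
        EXIT_UNKNOWN_USER: "Current password incorrect; nothing changed.",
        EXIT_BAD_INPUT: "Malformed request.",
    }
    return proc.returncode == EXIT_OK, messages.get(proc.returncode, "Password change failed.")


# Constructed demo account with a fixed salt so the helper process can rebuild it.
DEMO_SALT = b"constructed-demo-salt"
DEMO_STORE = {"alice": {"salt": DEMO_SALT, "hash": hash_password("correct horse", DEMO_SALT)}}


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--helper":
        # Helper mode: the only output channel back to the caller is the exit code.
        sys.exit(helper_change_password(sys.stdin.read(), DEMO_STORE))
    # CGI mode: invoke this same file as the helper (in a real deployment the
    # command would be something like ["sudo", "/path/to/helper"], a placeholder).
    cmd = [sys.executable, os.path.abspath(__file__), "--helper"]
    print(run_helper(cmd, "alice", "wrong password", "new-pw", "new-pw"))
    print(run_helper(cmd, "alice", "correct horse", "new-pw", "new-pw"))
```

Running the file prints a failure for the wrong old password and a success for the right one; no change is made on the failure path. When the helper is launched through sudo rather than directly, sudo exits with the helper's own exit status, so the same `returncode` mapping applies unchanged.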