
Re: Can't do setuid

On Fri, 2002-12-13 at 16:54, Charles Menzes wrote:
> So far, so good :) We're on the same page


> >  - Write a program that takes the username, old password, and new
> > password on stdin.  It should validate that the old password is correct,
> > and then set the user's password to the new one.  I'd probably write the
> > helper program in C, but Perl or Python probably isn't too bad as a
> > security risk if you're not comfortable with writing secure C programs.
> > 
> >  - Have your CGI take the username, old password, and two new
> > passwords.  It should check that the two new passwords match, and then
> > run your helper program above, passing the username and passwords over
> > the helper's stdin.  If you wrote the helper program in C, you can make
> > it setuid; otherwise, you should run it with sudo.
> > 
> So I guess my next post is to the Perl group. I think all of the above is
> pretty doable. The only stumbling block that I see is passing errors from
> the sudo'd app back to the CGI app so that if their original password is
> typed incorrectly, it won't make the change.

Sudo execs the command you give it, so the return value is that of the
program you're running.  As long as the program it runs returns sane
error values, you shouldn't have any problem telling what happened.
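
The CGI side of the exchange described in this thread, as an added example that is not part of the original messages: it passes the fields to the helper on stdin and decides what happened from the exit status. The exit codes 11 and 12, the stand-in helper script and the helper path in the comment are assumptions made for illustration.

```python
import subprocess
import sys

# Assumed exit-status contract for the helper. sudo itself exits 1 when it
# cannot run the command, so the helper avoids 1 for its own errors.
EXIT_OK, EXIT_BAD_OLD_PASSWORD, EXIT_BAD_INPUT = 0, 11, 12
MESSAGES = {
    EXIT_OK: "password changed",
    EXIT_BAD_OLD_PASSWORD: "old password is incorrect",
    EXIT_BAD_INPUT: "helper rejected the input",
}

# Constructed stand-in for the privileged helper so the example runs offline.
# It only checks a hard-coded account and changes nothing.
STAND_IN_HELPER = r'''
import sys
lines = sys.stdin.read().split("\n")
if len(lines) != 4 or lines[3] != "":
    sys.exit(12)
user, old, new = lines[:3]
sys.exit(0 if (user, old) == ("alice", "old-secret") else 11)
'''
DEMO_ARGV = [sys.executable, "-c", STAND_IN_HELPER]
# In deployment this would be something like (hypothetical path):
#   ["sudo", "-n", "/usr/local/sbin/chpw-helper"]


def change_password(helper_argv, username, old_pw, new_pw1, new_pw2):
    """CGI side: return (ok, message) based on the helper's exit status."""
    if new_pw1 != new_pw2:
        return False, "new passwords do not match"
    fields = (username, old_pw, new_pw1)
    # One field per line on stdin, so a field may not be empty or contain
    # a newline or NUL; credentials never appear in argv or the environment.
    if any(not f or "\n" in f or "\0" in f for f in fields):
        return False, "invalid input"
    try:
        proc = subprocess.run(helper_argv, input="".join(f + "\n" for f in fields),
                              text=True, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False, "helper could not be run"
    # Unknown statuses (including sudo's own 1) are reported as failure.
    message = MESSAGES.get(proc.returncode, "helper failed (status %d)" % proc.returncode)
    return proc.returncode == EXIT_OK, message


if __name__ == "__main__":
    print(change_password(DEMO_ARGV, "alice", "old-secret", "n3w", "n3w"))
    print(change_password(DEMO_ARGV, "alice", "wrong", "n3w", "n3w"))
```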
