|
Posted by "M. Sokolewicz" on 09/03/05 20:49
the one you posted is created with crypt() (see crypt in the php manual)
Michelle Konzack wrote:
> Hi Rory,
>
> Am 2005-09-03 17:04:19, schrieb Rory Browne:
>
>
>>I'm not totally sure on the format of the passwords in /etc/shadow,
>>but can you do anything with php's md5 function? If not, then perhaps
>>the mcrypt extension may do something for you.
>
>
> Unfortunatly not, because
>
> echo -n "michellesecret" |md5sum
> or
> md5("michellesecret")
>
> produce: 28c2f05403caaa750df55efadeebd9ed
>
> but in /etc/shadow you find: $1$.NV7oLhO$Gj/ztvspUcpcJ5iUJiXNo0
>
>
> I do not find the right syntax and options to produce the later string.
>
>
>>First of all you inform your client that they are insane. Running
>>apache as root is completely unnecessary.
>
>
> Who tell you this?
>
> I have gotten this job because the original (external) maintainer
> of the systems is not more availlable. The systems are horrible!
>
> I need to reinstall from scratch.
>
>
>>to perform the above I'd use a combination of
>>suExec/suPHP/somethingLikeThat and sudo. I'd create a user called
>
>
> I have no experience with it...
>
>
>>webuserman (Web User Manager), or something like that, and have the
>>script run as webuserman. I'd change the useradd..... to sudo
>>useradd....., and mod the /etc/sudoers file to allow webuserman user
>>to call the useradd command as root(through sudo).
>
>
> OK, I wil check suExec and suPHP out.
>
>
>>If you are a lazy bastard, with very little concern for security(which
>>it seems you're not), you could simply run the script as www-data, and
>>have sudo allow www-data to do an adduser. I would oppose this
>>however, in that any php script would be able to use it.
>
>
> OK, this is what I have curently and it works fine but security...
>
> The users have there ~/public_html so they can addusers as they like.
> I think, its not so good.
>
>
>>Also make sure you escape your shell arguments.
>
>
> :-)
>
> Greetings
> Michelle
>
[Back to original message]
|