Posted by Colin McKinnon on 01/02/06 00:27

4site wrote:
>
> I'd like to write a short PHP script that will allow users to alter
> their virtual server password

WTF is a 'virtual server password'?

> via a secure web form. I had hoped that
> I might be able to call the shell passwd command from PHP, something
> like this:
>
> exec( "passwd -O $oldpassword -P $newpassword $username" );
>

OK, I guess you mean the Unix/Linux password, probably via PAM.

To change *any* password, you need to be root to have enough permission -
and you need to keep root well seperated from your web server. It is
possible - but honestly - I just would not go there. If you only want to
allow vaildated users to change their own passwords, then life's a lot
simpler and safer (but still - make sure you understand the implications).

Use proc_open to run su -c passwd $username@localhost (or ssh
user@localhost, followed by passwd).

Alternatively write your own porgam in C using the PAM libs and set it to
run setuid root (not recommended).

> but of course that doesn't seem to work.
>
> Is it possible to execute the passwd command silently, ie without the
> shell prompting (twice) for New Password?

No. There are variants - don't use them.

> Or should I be looking in
> another direction altogether - perhaps by editing the
> /usr/local/etc/passwd file instead, yes?
>

Not a good idea.

C.

[Back to original message]