Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I need to be able to change a linux password using CGI. I don't want to go through the /etc/passwd- find the user and replace the password with a new encrypted one. Can I be helped?

Replies are listed 'Best First'.
Re: Changing a linux password
by Cubes (Pilgrim) on Jul 25, 2001 at 02:05 UTC
    This came up on the CB the other day -- don't know if you're the same person, or the friend that guy was trying to help out, or someone else entirely, but I'll try to summarize the many good points that were brought up then.

    First of all, changing passwords through a CGI script opens up some potentially huge security holes. If you don't require an SSL connection, anyone on the network can sniff out the passwords. Your CGI script will have to run as root to modify the passwd/shadow files, which means that any bugs or vulnerabilities in your script could have severe consequences for the entire system.

    If you are determined to do this anyway, using established techniques and CPAN modules (such as Passwd::Linux) is probably much safer than trying to come up with your own solution.

    If you want to change a linux password, you have to go through the shadow file and change it, one way or another. Trying to force a perl script to communicate with the system's passwd command, which is meant to be run interactively, is just asking for trouble. A little effort on your part now to learn about how linux passwords work and how to use the perl tools that manipulate them will save you a lot of headaches later.

Re: Changing a linux password
by Cirollo (Friar) on Jul 25, 2001 at 01:49 UTC