Date: 10/30/99
- Next message: Rasmus Lerdorf: "Re: [PHP-DEV] Re: [PHP4BETA] cvs: /php4/ext/imap imap.c"
- Previous message: Richard Lynch: "[PHP-DEV] Un*x Security Experts"
- In reply to: Richard Lynch: "[PHP-DEV] Un*x Security Experts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> [Apologies for the non-cross cross-post. I figured it was better than
> missing any experts on php-dev who have decamped from php@, and at least any
> over-zealous followups from php@ won't hit here.]
>
> It would seem that configuring a web-server and password changing is a hot
> topic on the php <email protected> list.
>
> Alas, there is a dearth of clear, hard info on how to do this *AS* *SECURE*
> *AS*, say, a user logging in via SSH, and typing passwd to change their
> password. (Which is pretty secure, AFAIK.)
>
> Is this because it can't be done?... Or because you're all too busy?...
>
> If you could 'splain in technical terms to me offline, I'm willing to try
> to translate it into "newbie" and add it to the FAQ.
There are a number of security issues here.
1. Password going over the Net in cleartext
2. Password being passed from PHP to something that can actually change it
3. The something that can change the password needing root access to do so
The only way to solve 1 is to use SSL.
If we are talking about changing a system user's password, then 2 and 3
cannot be solved nicely and shouldn't be done anyway. At least not on any
sort of shared server.
If we are talking about changing a password for a .htaccess style auth
system, then PHP should be used to edit whatever database is storing the
passwords directly. Preferably by running a separate httpd as a different
user id dedicated to administrative tasks like this. That way other
people on the server that might have the ability to write PHP scripts will
not be able to write something to mess with the password
database. Alternatively, safe-mode can be used server-wide but turned off
for the password-changing script.
-Rasmus
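One way to do what Rasmus describes for the .htaccess case, as an added example that is not from the original mail or from PHP's own code: a script that edits the .htpasswd-style file directly, requires the current password before replacing the hash, and rewrites the file atomically. It assumes a modern PHP (password_hash/password_verify) and an Apache that accepts bcrypt ($2y$) entries, and is meant to run under a dedicated uid (the separate httpd) that alone can write the file.

```php
<?php
// Added example: change one user's entry in an .htpasswd-style file.
// Assumes bcrypt ($2y$) entries; older apr1/crypt hashes will not verify here.

function change_htpasswd(string $file, string $user, string $old, string $new): bool
{
    // Only plain usernames: ':' or a newline would corrupt the file format.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $user)) {
        return false;
    }
    if (strlen($new) < 8 || strpbrk($new, "\r\n") !== false) {
        return false;
    }
    $fh = fopen($file, 'r');
    if ($fh === false || !flock($fh, LOCK_EX)) {   // serialise concurrent changes
        return false;
    }
    $lines = [];
    $found = false;
    while (($line = fgets($fh)) !== false) {
        $line = rtrim($line, "\r\n");
        if ($line === '' || $line[0] === '#') {     // keep blank/comment lines as-is
            $lines[] = $line;
            continue;
        }
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name === $user) {
            // Require the current password before replacing the stored hash.
            if (!password_verify($old, $hash)) {
                flock($fh, LOCK_UN); fclose($fh);
                return false;
            }
            $hash = password_hash($new, PASSWORD_BCRYPT);
            $found = true;
        }
        $lines[] = "$name:$hash";
    }
    if (!$found) { flock($fh, LOCK_UN); fclose($fh); return false; }
    // Write a temp file in the same directory and rename it over the original,
    // so a crash mid-write never leaves a truncated password file behind.
    $tmp = $file . '.tmp.' . getmypid();
    $ok = file_put_contents($tmp, implode("\n", $lines) . "\n") !== false
        && chmod($tmp, 0640)
        && rename($tmp, $file);
    if (!$ok && file_exists($tmp)) { unlink($tmp); }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}
```

The transport problem (issue 1) is untouched by this: the old and new passwords still travel from the browser to the script, so the form must be served over SSL.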
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>