[PHP-DEV] Re: [PHP3] does PAM lib PHP3 interface exist ? From: Steve Langasek (vorlon <email protected>)
Date: 01/14/00

On Fri, 14 Jan 2000, Chad Cunningham wrote:

> > Which brings out another question: Is there a way with php to gain root
> > privileges (so that the passwords can be changed). PHP equivalent of
> > suidperl ?

> Yes, but you don't want to do that. Letting something accessible from
> the webserver do anything as root is bad. What I do, and *strongly*
> recommend, for users to change passwords is to use an expect script. The
> user logs into a secure server via standard .htaccess and enters their
> username, old password, new password, and confirms the new password. PHP
> does a bit of checking to make sure new passwords match, and that they
> are not trying to change the root password or something like that. Then
> these are passed to an expect script which su's to their user (NOT TO
> ROOT) and attempts to change the password. The only danger is that if
> someone were to get the htaccess password, they could hack away at a
> user password, but I'm thinking about logging attempts and giving like 3
> tries a day just in case.

At some point or another, something is going to be running as root on the
system in order for the user to be able to change their password. (Unless you
have a system that uses a network password db that doesn't require root
access, but that's not the common case.) And every additional layer you put
between the user and PAM necessarily restricts the system's flexibility. Yes,
you also gain some security by doing so, but no more security than with a
carefully constructed PHP script. There's nothing wrong in principle with an
suid php script. They could cause a lot of damage if written carelessly, but
properly audited, this could be a very useful tool.

-Steve Langasek
postmodern programmer
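As an added illustration (not code from either poster), here is the kind of PHP gate Chad's post describes in front of the hand-off to the expect script: new passwords must match, the target account must not be root, and each user gets at most 3 logged attempts per day. The log path, the 3-per-day limit and the function name are assumptions; the old password itself is checked later by su, not here.

```php
<?php
// Added example, not code from the thread. Pre-checks run in the web tier before
// anything is passed on to the su/expect step. Log path and limit are assumed.

const MAX_TRIES_PER_DAY = 3;
const ATTEMPT_LOG = '/var/log/passwd-change.log'; // assumed; writable only by the web user

// Returns [true, ''] when the request may be handed on, otherwise [false, $reason].
function checkPasswordChange(string $user, string $old, string $new, string $confirm): array
{
    // Only plain account names may reach su or the expect script.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        return [false, 'malformed username'];
    }
    // Refuse unknown accounts and root or any other uid-0 account (needs the posix extension).
    $pw = posix_getpwnam($user);
    if ($pw === false || (int) $pw['uid'] === 0) {
        return [false, 'account not eligible for web password change'];
    }
    if ($new !== $confirm) {
        return [false, 'new passwords do not match'];
    }
    if ($new === $old || strlen($new) < 8) {
        return [false, 'new password rejected'];
    }

    // Count this user's attempts today from the append-only log, then record this one.
    // Only a timestamp and the username are written, never a password.
    $today = date('Y-m-d');
    $tries = 0;
    $lines = is_file(ATTEMPT_LOG)
        ? file(ATTEMPT_LOG, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : [];
    foreach ($lines as $line) {
        $parts = explode(' ', $line, 3);          // "<timestamp> <user> attempt"
        if (count($parts) >= 2 && $parts[1] === $user && strncmp($parts[0], $today, 10) === 0) {
            $tries++;
        }
    }
    file_put_contents(ATTEMPT_LOG, date('Y-m-d\TH:i:s') . " $user attempt\n", FILE_APPEND | LOCK_EX);

    if ($tries >= MAX_TRIES_PER_DAY) {
        return [false, 'daily attempt limit reached'];
    }
    return [true, ''];
}
```

The attempt is logged before the limit is enforced, so a locked-out user's further tries still show up in the log for review.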

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>