I've got a web app developed that is hosted on a BQ server. Right now,
how it authenticates is the user fills out a form (of course), and then
the web app initiates an ftp connection to itself using the user name
and password provided by the form.
Within the web app, each user has a 'profile' and various permissions
are granted based on the logged in username. It seems a natural place to
change their password would be on the 'edit my profile' page.
I had found some references to some PAM PHP functions regarding checking
and/or changing passwords. I had hoped that would work out for me. I
can't find the link right this second, but presumed others had dealt
with this before.
I had considered going with a sudo wrapper, but would prefer strongly to
not go that route.
Especially if it requires turning safe_mode off. I was not aware of that
nugget.
I knew of course that root can use 'passwd' to change any password
without being prompted for the current password. My belief (I've since
determined that was incorrect) was that any user could change any other
user's password, but would be prompted for the current password first.
(No different than just logging in as the specified user and changing
it, if you have the current password anyway)
So maybe my question should be:
Has anyone messed with any PHP PAM modules/functions? What would be the
safest way to add them to the BQ box without risking conflicts with the
Nuonce packages? I have a number of them installed. If I recall
correctly, that includes the Nuonce PHP4 package.
Michael, thank you for your prompt and well thought out response!
Michael Stauber wrote:
> Hi Matthew,
>
>> I'm looking for a way to change passwords via PHP. I want to avoid using
>> the admin web interface.
>
> Why? :o)
>
> The GUI does it in a fashion that's easy to use and secure.
>
>> I was initially thinking of an interface which would prompt the user for
>> the old password and new password, then open a shell to 'passwd
>> username'. However, only root can change another user's password and
>> apache of course does not run as root.
>>
>> I figure that if it can be done both through the admhttp and OpenWebMail
>> (via perl) that there must be a way to do it through PHP. I've read some
>> about using some PAM PHP module or something to that effect. Anybody
>> tackle this yet?
>
> OpenWebmail uses Perl and either a SUID-wrapper, or SUID-Perl. Means: Either
> OpenWebmail itself or parts of it that need "root" access to perform such
> actions run as user "root", group "root". It's not a security hole by itself,
> but it sure is weak security by design.
>
> It's not wise to tear safety restrictions and security precautions down to
> allow an application to do things that it shouldn't do. If you have to do it,
> you'll have to go to great lengths to make sure that it won't bite you back in
> the long haul by taking every effort to prevent the weakness getting exploited.
>
> The way AdmServ and CCE work on BlueQuartz, the web accessible PHP scripts of
> the GUI run as an unprivileged user. If a user accesses the GUI, he has to be
> authenticated and based on the levels of access (user, siteAdmin,
> serverAdmin) he gets different levels of access.
>
> If an authorized user performs an action that requires "root" access to be
> executed on the system level, then CCE handlers (scripts designed to do only
> a specific task and nothing else) are run with "root" privileges by CCE to
> perform that task.
>
> As long as a few precautionary steps are taken, this is pretty secure and can
> hardly be exploited. Even if a user has unprivileged shell access to a
> BlueQuartz server, he'll have a pretty hard time to trick CCE into performing
> actions as "root".
>
> Having said all that I'm pointing out a way that you can do it, but I STRONGLY
> advise AGAINST doing it:
>
> You can use "sudo" to get PHP to execute commands as "root" on the server. But
> that will only work if "Safe_Mode" is turned off.
>
> So you'll not only have to willingly disable one serious security precaution,
> but two. That's really not a good idea.
>
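
The "script designed to do only a specific task and nothing else" idea from the reply above, as an added example that is not part of the original thread and is not CCE or BlueQuartz code. It assumes the unprivileged web front end has already verified the user's current password; the function names, the `MIN_UID` threshold and the `chpasswd` path are assumptions for illustration.

```python
import pwd
import re
import subprocess

MIN_UID = 500                      # assumption: regular accounts start at this UID
CHPASSWD = "/usr/sbin/chpasswd"    # assumption: path on the target system
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,30}")


class Rejected(Exception):
    """Request refused before any privileged action is taken."""


def build_chpasswd_line(username, new_password, lookup=pwd.getpwnam):
    """Validate a request and return the 'user:password' record for chpasswd.

    `lookup` is injectable so the checks can be tested without real accounts.
    """
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not USERNAME_RE.fullmatch(username):
        raise Rejected("malformed username")
    try:
        entry = lookup(username)
    except KeyError:
        raise Rejected("unknown user")
    # Never touch root or other system accounts, whatever the caller asks.
    if entry.pw_uid < MIN_UID:
        raise Rejected("system account")
    if not 8 <= len(new_password) <= 128:
        raise Rejected("password length")
    # A newline would begin a second 'user:password' record on stdin.
    if any(ord(c) < 32 or ord(c) == 127 for c in new_password):
        raise Rejected("control character in password")
    return f"{username}:{new_password}\n"


def change_password(username, new_password):
    """Privileged step: fixed argv, no shell, password passed on stdin only."""
    record = build_chpasswd_line(username, new_password)
    subprocess.run([CHPASSWD], input=record, text=True, check=True)
```

The privileged helper accepts exactly one request type and rejects everything else before `chpasswd` is ever started, so the web-facing code never needs a general "run as root" capability.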