lubkt@vax1.cc.lehigh.edu (11/17/90)
Is it possible to write a sh or csh script that will permit
password change. Basically I want to do:

        myshscript oldpasswd newpasswd

/B.
--------------------
Binod Taterway                  LUBKT@vax1.CC.Lehigh.EDU
User Consultant                 bt00@PL118a.CC.Lehigh.EDU
Lehigh University, Beth, PA.    (215) 758-3984.
fitz@mml0.meche.rpi.edu (Brian Fitzgerald) (11/18/90)
>password change. Basically I want to do:
>        myshscript oldpasswd newpasswd

IMHO, you might want to reconsider this idea for (at least) two reasons.

1. While your shell script is running, anyone else can see your entire
command line, including the plaintext oldpasswd and newpasswd, simply by
typing ps -a.

2. Since the /etc/passwd file is owned by root and not writable by users,
your shell script would have to be executable by everybody but able to run
with the privileges of root, or "suid root". In essence, you want a "suid
root shell script". Just yesterday in this newsgroup Tom Christiansen
reposted a detailed, technical explanation of the security problems
associated with doing this, and the difficulty (or impossibility) of
writing a secure suid root shell script.

If after reading this you now agree with

(1) no plaintext passwords on the command line, and
(2) no suid root shell scripts

you might as well stick with good old /bin/passwd (an suid root binary
executable), or some public domain replacement, such as npasswd (anon ftp
emx.utexas.edu in /pub/npasswd).

Brian Fitzgerald
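Added example, not part of the original thread: a shell check of point 1 above, comparing what the process table exposes when the passwords are passed as arguments with what it exposes when they are fed on standard input. The passwords are constructed sample values, and the helper names (visible_args, leaks, check_child, argv_leaks, stdin_leaks) are hypothetical; the script assumes Linux /proc or a POSIX ps.

```shell
#!/bin/sh
# Added example. OLD/NEW are constructed sample values, not real credentials.
OLD='old-Secret-1990'
NEW='new-Secret-1990'

# Print the argument list of process $1, the data ps shows to every user.
# Assumption: Linux /proc if present, otherwise a POSIX ps.
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Return 0 if string $2 is visible in the argument list of process $1.
leaks() {
    case "$(visible_args "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Give the child a second to start, test it, then clean up.
check_child() {
    sleep 1
    if leaks "$1" "$NEW"; then rc=0; else rc=1; fi
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
    return "$rc"
}

# Case 1: passwords as arguments, as in "myshscript oldpasswd newpasswd".
# The trailing ":" keeps sh from exec'ing sleep and replacing its argv.
argv_leaks() {
    sh -c 'sleep 3; :' myshscript "$OLD" "$NEW" >/dev/null 2>&1 &
    check_child $!
}

# Case 2: the same passwords fed on standard input, one per line.
stdin_leaks() {
    printf '%s\n%s\n' "$OLD" "$NEW" |
        sh -c 'read old; read new; sleep 3; :' myshscript >/dev/null 2>&1 &
    check_child $!
}

if argv_leaks;  then echo "argv:  new password visible in process table"; fi
if stdin_leaks; then echo "stdin: new password visible in process table"
else echo "stdin: new password not visible in process table"; fi
```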
rudolf@curano.acadch.com (Rudolf Kuenzli) (11/30/90)
In article <70.2743fe39@vax1.cc.lehigh.edu> lubkt@vax1.cc.lehigh.edu writes:
>Is it possible to write a sh or csh script that will permit
>password change. Basically I want to do:
>        myshscript oldpasswd newpasswd
>

I didn't investigate anyway. But it could have a nice drawback: If your
history file stuff is on, this command line with the old and the new
password would be stored in the history file. Not very recommended.

--
Rudolf the Magician
In real life: Rudolf Kuenzli
uucp:     ...uunet!autodesk!adeskch!rudolf
Internet: rudolf@curano.acadch.com
          ...chx400!adeskch!rudolf
          rudolf@adeskch.uu.ch
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (11/30/90)
In article <~0_^-Z^@rpi.edu> fitz@mml0.meche.rpi.edu (Brian Fitzgerald) writes:
> >password change. Basically I want to do:
> >        myshscript oldpasswd newpasswd
> IMHO, you might want to reconsider this idea for (at least) two reasons.

Yes, it's a bad idea, but the technical question still stands.

Quick 'n' easy, but a kludge:

  #!/bin/sh
  (sleep 5; echo "$1"; sleep 5; echo "$2"; sleep 5; echo "$2") | pty passwd

Properly synchronized, using named pipes:

  #!/bin/sh
  /etc/mknod out.$$ p;exec 2>&1
  ( exec 4<out.$$; rm -f out.$$
  <&4 waitfor 'word: '
  echo "$1"
  <&4 waitfor 'word: '
  echo "$2"
  <&4 waitfor '(again): '
  echo "$2"
  ) | pty passwd > out.$$

Here waitfor is that same text search utility as last time:

  #include <stdlib.h>
  #include <string.h>
  #include <unistd.h>

  /* waitfor: copy stdin to stderr until the text argv[1] has been seen. */
  int main(int argc, char *argv[])
  {
   int len; char *s; int pos; char ch; int f; int p;

   if (argc < 2 || !argv[1][0]) exit(1);
   len = strlen(argv[1]);
   if (!(s = malloc(len))) exit(2);
   pos = 0; f = 0;                 /* f is set once s holds len characters */
   while (read(0,&ch,1) == 1)
    {
     if (write(2,&ch,1) != 1) exit(3);
     if (ch)                       /* NUL bytes are echoed but not matched */
      {
       s[pos] = ch; pos++;         /* s is a circular buffer of the last len chars */
       if (pos == len) { f = 1; pos = 0; }
       if (f && (ch == argv[1][len - 1]))
        {
         /* s[pos] is now the oldest character; compare the whole window */
         for (p = 0; s[(pos + p) % len] == argv[1][p];p++) ;
         if (!argv[1][p]) exit(0);
        }
      }
    }
   exit(4);                        /* input ended before the text appeared */
  }

---Dan