Solved

Using chpasswd in php scritp

Posted on 2004-08-26
13
1,573 Views
Last Modified: 2012-06-21
Hi experts..

I wrote a php script that runs chpasswd command  on my linux server. The problem is when i run the script via http, the error_log shows this:

[Thu Aug 26 08:42:35 2004] [error] [client 63.245.101.12] (13)Permission denied: file permissions deny server access: /home/web/chpass.html

I know i have to use sudo to let this work, but i don't know how to do this.

Can somebody explain me how?..

I'm using two files: chpass.html that contains a form with user and password, and chpass.php that executes chpasswd command.

Thanks.
0
Comment
Question by:rbraym
  • 6
  • 5
13 Comments
 
LVL 48

Expert Comment

by:hernst42
ID: 11904749
does the the user that runs the webserver has access to that file ??
what is the output of
ls -la  /home/web/chpass.html

try a
chmod +r  /home/web/chpass.html
0
 

Author Comment

by:rbraym
ID: 11904832
Sorry.. tha was before i set the correct permissions.

The error is :

chpasswd: can't lock password file.

0
 
LVL 48

Expert Comment

by:hernst42
ID: 11905798
chpasswd is only supposed to be run only as root
-rwxr-xr-x    1 root     root        23000 2002-09-10 21:13 /usr/sbin/chpasswd
-rwsr-xr-x    1 root     shadow      68680 2002-09-10 21:13 /usr/bin/passwd

and has no s-bit set. So only root can change the passwd via chpasswd.
call sudo chpasswd
edit in /etc/sudoers:
wwwrun  ALL=(ALL) NOPASSWD: /usr/sbin/chpasswd
so wwwrun is allowed to call chpasswd vi sudo and is not asked for a password
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:rbraym
ID: 11906968
sorry but i'm a little confused....

If i want my script runs properly and execute chpasswd, what should i do???.

Remeber that users browse chpass.html which calls chpasswd.php.

Thanks
0
 
LVL 48

Expert Comment

by:hernst42
ID: 11907202
how do you call chpasswd in your php-script ??
instead of executing chpasswd do sudo chpasswd

chpasswd does not check for an old password, just sets the password for the given user and the choosen password
0
 

Author Comment

by:rbraym
ID: 11907252
chpass.php:

<?php
//get the variables
$name = $_GET["user"];
$pass = $_GET["newpass"];

//create a file with those
$file = @fopen("pass.dat","w");
fputs($file,$name.":".$pass);

//Launch the command:
shell_exec('cat pass.dat | chpasswd');
echo "<b>DONE!!<b>";
0
 
LVL 48

Expert Comment

by:hernst42
ID: 11907357
replace the
//Launch the command:
shell_exec('cat pass.dat | chpasswd');

with
//Launch the command:
shell_exec('cat pass.dat | sudo chpasswd');

(after you have modified the /etc/sudoers file with the line first posted. Where do you do the check that the user is allowed to change the password for that account, else you system may be compromised very soon.
0
 

Author Comment

by:rbraym
ID: 11907423
now i get these message in error_log:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
0
 
LVL 48

Expert Comment

by:hernst42
ID: 11907527
use the absolute path to chpasswd in shell_exec then you sould not need to type the password. I assumed that the PHP-script is executed as user wwwrun

shell_exec('cat pass.dat | sudo /usr/sbin/chpasswd');
0
 

Author Comment

by:rbraym
ID: 11907609
nope..i'm still getting same error:

Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt

the chpass.php script run as user ancar:

3424374 -rwxrwxrwx    1 ancar    apache        265 Aug 26 16:03 /home/web/chpass.php

what can it be?
0
 
LVL 48

Accepted Solution

by:
hernst42 earned 50 total points
ID: 11907845
The the /etc/sudoes must contain the line

ancar  ALL=(ALL) NOPASSWD: /usr/sbin/chpasswd

or look at the log, the sudo call is logged there an so you should be able to get the user name and put that username into the /etc/sudoers
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question