Resetting user passwords through php web page

sushantchawla2005 · 07-08-2009, 12:11 AM

Hi All Linux Experts

We are using LDAP for user authentication & I have set a policy that the password expires after 45 days.

But when the password expires users have to request me to set up & now the problem is all the users want a Web page through which they can change or reset their passwords.

I have discovered "expect" tool which can run in background for resetting LDAP passwords but I know very little about PHP so please help me to make a secure front end in PHP.

Thanks in Advance
Sushant Chawla
Linux Administrator

suhas! · 07-08-2009, 01:43 AM

Design a form that will submit the username value using get or post method.

Get that username and set the password using system() function in php.

Make sure the script doesnt set root password inadvertently. Also parse the username input so that no other system command is executed.

This would be enough to deploy in secured private network.....

sushantchawla2005 · 07-08-2009, 02:04 AM

Quote:

Originally Posted by suhas!

Design a form that will submit the username value using get or post method.

Get that username and set the password using system() function in php.

Make sure the script doesnt set root password inadvertently. Also parse the username input so that no other system command is executed.

This would be enough to deploy in secured private network.....

Hi Suhas

Firstly thanks for the reply. Please tell me how to use system function & currently i am issuing the command like this in action.php page
`sudo /changepasswd $username $password`

but it is saying you must have tty to set the password. The webserver user is apache & I have given apache user sudo access to run this script.

Secondly when I run this script manually from apache user sudo -u apache /changepasswd it is saying only root user can set the user password.

chrism01 · 07-09-2009, 12:57 AM

Quote:

sudo -u apache /changepasswd

that's telling it to run the cmd as apache, which is the very thing you don't want.
When you call sudo, it knows who you are calling it as ....

sushantchawla2005 · 07-09-2009, 02:02 AM

Quote:

Originally Posted by chrism01

that's telling it to run the cmd as apache, which is the very thing you don't want.
When you call sudo, it knows who you are calling it as ....

No I want the apache user to run this command & i have given it the permissions in sudo too. If the apache user can't run this command then how can we change password from web page?

apt-shawn · 07-09-2009, 03:46 PM

sushantchawla2005,

Have you ever looked at webmin?

http://www.webmin.com.

Shawn

sushantchawla2005 · 07-09-2009, 11:19 PM

Yes I am using webmin but I want that every body can reset his/her password but giving the access through webmin will disclose many other configurations of my servers to everybody.

Isn't it?

suhas! · 07-10-2009, 01:16 AM

Hi sushant,

instead of doing following thing in bash prompt --
sudo -u apache /changepasswd username password

Do this thing --

su -l apache -c sudo /changepasswd username password

That will actually test if apache user can sudo or not....

sushantchawla2005 · 07-10-2009, 03:13 AM

Suhas

Its running but giving the error
passwd: only root can specify a user name

I have given the following entry in sudoers

apache ALL=(ALL) NOPASSWD: ALL

Please helppp

suhas! · 07-10-2009, 08:22 AM

* Comment out following line in visudo

#Defaults requiretty

* Allow Apache user to execute command via sudo in visudo

apache ALL=(ALL) NOPASSWD: ALL

* Execute following command

[root@www ~]# su -l apache -s /bin/bash -c "sudo passwd suhas"
Changing password for user suhas.
New UNIX password:

Later you can tighten the security by allowing only passwd command to apache user
Regards,