LinuxQuestions.org - php user admin

- Programming (https://www.linuxquestions.org/questions/programming-9/)

- - php user admin (https://www.linuxquestions.org/questions/programming-9/php-user-admin-375100/)

whysyn

10-20-2005 12:03 PM

php user admin

hello all!

i know this might have serious security implications, i will evaluate and address those later... right now i just want to brainstorm and get started...

i need a way to add/remove users and change passwords through a php script. (i would need to feed arguments to the script, and not have it run interactively). this needs to integrate into a web script, and be able to run as a non-root user, but still needs some sort of security.

hopefully, i can have a utility to allow a hosting customer to add/delete/modify their own email users within a certain set of constraints, for example, customer a has all of their user aaccounts prefixed with "ca-<user>" they would only supply the <user> part, and the script would automatically prepend the "ca-" so the customer would only be able to modify their own logins.

i hope this makes sense, and maybe somebody will have a suggestion to at least get me started...

thanks!

keefaz

10-20-2005 01:18 PM

You could always execute a setuid script (chmod +s) with php but be very carefull
- what could happen if the page reloads and the script get executed more than one time ?
- if the script allows user to change password, make sure they can't do it for the root user

Take care of the worst thing that could happen

whysyn

10-21-2005 10:52 AM

Thanks for the tips. I was planning on using sudo, with the entire path to the script in the sudoers file, and the file only set for read & execute.

I would have built in checking to see if the user exists, etc., as well as only allowing users starting with "ca-" to be added/removed/modified by the script.

Here is the part I'm stuck on, and hopfeully somebody can point me in the right direction:
The system command "passwd" needs to run interactively, so I can't call that from within the php and just feed it variables... how can I actually set/update passwords on the accounts from within a non-interactive php script?

Thanks again!

ralvez

10-21-2005 11:36 AM

I think that what you want to do is best achieved by creating a directory (say: admin) and setting the .htaccess file in that directory, and then placing the php script there.
This would do two things for you: 1) establish a secure access to the php file. 2) Allow you to run the script with whatever access you need to resources.
There is also the possibility ouf using an "access" file (typically set outside the webserver area (for security reasons) that grants access to using the php script if they are "in the file".

Hope this helps.

Rick

whysyn

10-21-2005 11:58 AM

Thanks!

Again, I'm fairly set on security... what I need to know is how to set passwords properlyeither through the php script or a system call. 'passwd' will not work, so I'm looking for a nudge in the right direction for the actual act of setting/updating a password.

All times are GMT -5. The time now is 08:21 AM.