dsartain Posted February 6, 2007 Share Posted February 6, 2007 hey guys, I'm working on a php registration page that will update a DB with a users info...that part is easy what is annoying is that the password they provide will also be used to access FTP. Which means that I have to get php to modify the /etc/passwd file....or run system(passwd user)...any ideas on how to go about this?? Quote Link to comment Share on other sites More sharing options...
the_oliver Posted February 9, 2007 Share Posted February 9, 2007 Spent a while looking into this.... For security it is odviously a bad idea to have your standard web user alter anything 'system critical'. And edditing the /passwd file direct would definatly not be a good idea! I have done it through the use of cron. I have a root cron job (solves the privilages problem) which runs a php script as root. This script looks for value in a database and used it to change the password. This be it does using the shell_exec() function. Importantly for secutity, the part in the database in only a little bit of the comand run inside the shell_exec(). The rest is generic say: $value = "passwd ".$oh; shell_exex($value); this meens that someone gets access to the database, they cannot insert direct comands for the server to run as root. The biggest problem with the method shown above is that the server will ask for the password value twice, which this function cannot cope with. This can be solved by sending an incripted password to the useradd linux comand. This however requires something like a c scrip. Long story short there is know easy way to do this. Hope this helps.. Shout if i have explaind it in to much of a jumble! Quote Link to comment Share on other sites More sharing options...
dsartain Posted February 9, 2007 Author Share Posted February 9, 2007 Yeah, I came to the same conclusion...figured it was too much hassle to mess with right now... Quote Link to comment Share on other sites More sharing options...
the_oliver Posted February 9, 2007 Share Posted February 9, 2007 There are ftp programs which have there access list controled from a flat file? This could be easly writen to using php? (sorry, the thought came to me a little late!) Cant think of one off the top of my head. If i do ill post it! Quote Link to comment Share on other sites More sharing options...
dsartain Posted February 9, 2007 Author Share Posted February 9, 2007 Nah, don't worry about it...if I really need to edit both the passwd file and the DB then I'll just find a way to make VSFTPD check against a DB instead of using pam Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.