Hi Curtis,

Yes, I have considered as much as I can about this entire project. Firstly...

1 - The page is transferred over SSL.
2 - The user must login with a username and password.
3 - Apache can be set so it only allows users from within a private network to access the page.
4 - Can only change passwords for users with a GID of 45.
5 - Can only add users with a GID of 45

# Extra functions
6 - If user tries to delete a user without a GID of 45 then an e-mail is sent to the administrator and their IP address

Anything else I am forgetting?

Cheers,

Dan

-----Original Message-----
From: Curtis Poe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 13 December 2001 10:20 AM
To: Daniel Falkenberg; zentara
Cc: [EMAIL PROTECTED]
Subject: RE: Can I use PERL to add/remove /etc/passwd entries

--- Daniel Falkenberg <[EMAIL PROTECTED]> wrote:
> Hey all,
>
> I have just finally finished a WWW based Perl program that can
> add/delete and change users' passwords from a WWW based script. I have
> tried to make this script as secure as I can. The script can modify the
> /etc/passwd files.... Has anyone seen a script like this before?
>
> Thx,
>
> Dan

Um... I have some concerns about this. Allowing something Web-based to modify /etc/passwd seems to be begging for trouble. You *are* using shadow passwords, right? If your passwords are in /etc/passwd (I think they're encoded with an MD5 digest, but I'm not sure), then allowing someone a way to play with them is begging for trouble.

How are you authenticating? Is this being run over SSL? Are you just using Basic authentication? Are you using none? This just screams "Danger Will Robinson, Danger" (which is rather odd, because my name is not "Will Robinson").

Cheers,
Curtis "Ovid" Poe

=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
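
The GID 45 restriction in items 4 to 6 of the reply, sketched as a server-side check. This is an added example, not part of the thread and not Dan's script; the function names (valid_username, gid_of, check_request) and the sample passwd data are hypothetical, and the username pattern is an assumption about what the tool would accept.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: 45 is the only group the web tool may manage (items 4-6 above).
use constant MANAGED_GID => 45;

# Constructed sample data in passwd(5) format: name:passwd:UID:GID:GECOS:home:shell
my $SAMPLE_PASSWD = <<'END';
root:x:0:0:root:/root:/bin/bash
alice:x:501:45:Alice Example:/home/alice:/bin/bash
bob:x:502:100:Bob Example:/home/bob:/bin/bash
END

# Reject anything that could inject a field separator or a new line into the file.
sub valid_username {
    my ($name) = @_;
    return defined $name && $name =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
}

# Return the GID of $name, or undef if there is no such account.
sub gid_of {
    my ($passwd_text, $name) = @_;
    for my $line (split /\n/, $passwd_text) {
        my @f = split /:/, $line, -1;
        next unless @f == 7;              # skip malformed lines
        return $f[3] if $f[0] eq $name;
    }
    return;
}

# Decide whether a change-password or delete request may proceed.
# Returns (1, 'ok') or (0, reason); the reason is what would be logged or mailed.
sub check_request {
    my ($passwd_text, $name) = @_;
    return (0, 'invalid username') unless valid_username($name);
    my $gid = gid_of($passwd_text, $name);
    return (0, 'no such user') unless defined $gid;
    return (0, "gid $gid is not managed")
        unless $gid =~ /\A\d+\z/ && $gid == MANAGED_GID;
    return (1, 'ok');
}

# Only 'alice' (GID 45) is allowed; every other request is denied with a reason.
for my $name ('alice', 'bob', 'root', 'eve:x:0:0', 'nobody') {
    my ($ok, $why) = check_request($SAMPLE_PASSWD, $name);
    printf "%-12s %s (%s)\n", $name, $ok ? 'ALLOW' : 'DENY', $why;
}
```

The check runs on the server against the current file contents for every request, so the GID limit does not depend on anything the browser submits.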