Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!newsfeed.direct.ca!hunter.premier.net!news.mathworks.com!nntp.primenet.com!news.primenet.com!bkogawa
From: bkogawa@primenet.com (Bryan Ogawa)
Newsgroups: comp.lang.perl.misc,comp.unix.bsd.freebsd.misc
Subject: Re: 'vipw' Style File Locking in Perl
Date: 12 Aug 1996 12:17:02 -0700
Organization: Primenet Services for the Internet
Lines: 46
Message-ID: <4unvve$hfo@nnrp1.news.primenet.com>
References: <320DE5D9.3FF1@tassie.net.au> <4ul0i5$4a6@synge.maths.tcd.ie>
X-Posted-By: bkogawa@206.165.5.102 (bkogawa)
Xref: euryale.cc.adfa.oz.au comp.lang.perl.misc:36236 comp.unix.bsd.freebsd.misc:25373

dwmalone@maths.tcd.ie (David Malone) writes:

>Brook Schofield <Brook@tassie.net.au> writes:

>>I am trying to write a change password script in perl that is accessed
>>through a Web Browser, using Apache and FreeBSD 2.0.5.

>>I have tried using 'chpass' in FreeBSD but it doesn't seem accessible
>>in Perl, unless I run as root. Not even SUID CGI's will work with this
>>one.

>>So I am wondering if anyone has a script out there that can implement
>>file locking in the same way that 'vipw' does.

>Try writing your script to accept the filename to edit, then do a

>	setenv EDITOR myscript.pl ; vipw

Quite a nifty suggestion, and reasonably portable, to boot.

FreeBSD uses flock() to do advisory locking of the file
/etc/master.passwd . After the script builds a new, replacement
version of the file, the program /usr/sbin/pwd_mkdb must be run on the
replacement file to do an atomic replacement of the file and
rebuilding of the system databases.

In FreeBSD's case, there's already an Officially Sanctioned Perl
Script That Modifies The Password File, that is, /usr/sbin/adduser .
Read the source; take what's appropriate.

When writing this script, remember the caveats about security and the
like--one attack against a change-password web page would be for the
would-be attacker to make a link on his home page which says something
like "Click here to go to <company name's> password change web page";
instead, it goes to their own cheezy password change web page which
records the keystrokes then passes on the information to your script
to actually change the password. I'd suggest making the URL as
memorable and hard-to-duplicate as possible, and maybe looking into
ways to keep the scripts from accepting random attempts from random
URL's and hosts.

>David.

bryan
--
bryan k. ogawa <bkogawa@primenet.com> <bkogawa@netvoyage.net>
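
The lock, rebuild, replace sequence described in the post above, as an added Perl example that is not part of the original post and is not FreeBSD's own code. It runs on a constructed sample file in a scratch directory; the helper name set_hash, the record layout and the OLDHASH/NEWHASH values are assumptions, and rename() stands in for the /usr/sbin/pwd_mkdb step.

```perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);
use File::Temp qw(tempdir);

# Constructed sample data in a scratch directory; nothing under /etc is touched.
my $dir    = tempdir(CLEANUP => 1);
my $master = "$dir/master.passwd";
open(my $seed, '>', $master) or die "create $master: $!";
print {$seed} "alice:OLDHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh\n",
              "bob:OLDHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh\n";
close($seed) or die "close $master: $!";

# set_hash (hypothetical helper): replace field 2 of $user's record.
# Returns 1 if the record was rewritten, 0 if the user was not found.
sub set_hash {
    my ($file, $user, $new_hash) = @_;
    die "illegal character in new field\n" if $new_hash =~ /[:\r\n]/;

    open(my $in, '<', $file) or die "open $file: $!";
    # Advisory lock: it only excludes programs that also flock() this file.
    # LOCK_NB makes a second editor fail at once instead of queueing.
    flock($in, LOCK_EX | LOCK_NB) or die "$file is locked by another editor: $!\n";

    # O_EXCL refuses a pre-existing temp file or symlink; 0600 keeps hashes private.
    my $tmp = "$file.new.$$";
    sysopen(my $out, $tmp, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "create $tmp: $!";
    my $found = 0;
    while (my $line = <$in>) {
        my @f = split /:/, $line, -1;        # -1 keeps empty fields
        if ($f[0] eq $user) { $f[1] = $new_hash; $found = 1 }
        print {$out} join(':', @f) or die "write $tmp: $!";
    }
    close($out) or die "close $tmp: $!";

    if ($found) {
        # On FreeBSD this is where the replacement file goes to /usr/sbin/pwd_mkdb;
        # rename() stands in for that atomic install on the scratch copy.
        rename($tmp, $file) or die "install $tmp: $!";
    } else {
        unlink($tmp);
    }
    close($in);                              # closing the handle drops the lock
    return $found;
}

print "alice updated: ", set_hash($master, 'alice', 'NEWHASH'), "\n";
print "carol updated: ", set_hash($master, 'carol', 'NEWHASH'), "\n";
```

Because rename() puts a new inode at the path, the lock held on the old file does not cover the new one, so a cooperating editor that was waiting must re-open the path after it gets the lock.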