Here's the link to Stein's user_manage program,

http://stein.cshl.org/~lstein/user_manage/

Perhaps you can get some pointers from that script; it has a web-based and
terminal-based interface thing.

justin.
http://skazat.com


> The problem isn't setuid Perl; it's that suid forces taintmode on. Read all
> available docs on taintmode.
> 
> In particular start with Lincoln Stein's Web security FAQ at the
> www.w3c.org website... and re-read perldoc perlsec as you've stated you've
> done, but this time pay attention to the taintmode stuff.
> 
> Lincoln Stein also has a good article on calling setuid stuff like changing
> passwords from a Web App in one of the past Perl Journal issues, but I
> can't recall which one at the moment. It was quite a good article though as
> it went through the pros and cons of several different ways of doing it.
> 
> Later,
>   Gunther
> 
> At 05:14 PM 9/19/2001 -0400, Andria Thomas wrote:
>> Hi all --
>> 
>> I'm trying to write a setuid script to change passwords on a machine via
>> the web.  I am not trying to change the local passwords (i.e. *not*
>> modifying /etc/password), but I do need the script to be run as root so
>> it can call another password-changing utility which is doing the actual
>> work.
>> 
>> When run from the command line as root, the script works fine. However,
>> when run as myself (after setting the script to be setuid root) I get
>> the following error generated from the script's system call:
>> 
>> "Insecure dependency in system while running setuid at ./chpass_web.pl
>> line 159."
>> 
>> Perl is installed on this system to use suid emulation, so it's calling
>> the 'suidperl' binary.  The problem originates from the following line
>> of code:
>> 
>> system "/bin/echo $new_password1 | /usr/local/sbin/saslpasswd -p
>> $in_username";
>> 
>> The documentation I've seen implies that variables can't be passed
>> directly into the shell, as they are above, but I couldn't reword the
>> system call in any way that still enabled it to work.
>> 
>> Can anyone help with this?  Or lead me to any pointers on suidperl?
>> I've already read the perlsec manpage, and searched through the mailing
>> list archives...
>> 
>> Thanks!
>> Andria
>> 
>> --
>> ----------------------------------------------
>> Andria Thomas             [EMAIL PROTECTED]
>> System Administrator -- Tovaris, Inc.
>> (434) 245-5309 x 105
>> 
>> 
>> --
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> __________________________________________________
> Gunther Birznieks ([EMAIL PROTECTED])
> eXtropia - The Open Web Technology Company
> http://www.eXtropia.com/
> 
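
The fix the quoted reply points toward (untaint the two inputs, then run the helper without a shell), as an added example that is not part of the original thread and is not taken from Stein's user_manage. The validation patterns and sample inputs are assumptions; the saslpasswd path and its -p flag are the ones in the quoted message.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. -T is the taint mode that suidperl
# forces on for a setuid script.
use strict;
use warnings;

# Taint mode refuses to start a child with an inherited PATH, even when the
# command is an absolute path, so pin a minimal environment first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed policy: 1-32 chars of [A-Za-z0-9_.-], no leading '-' so the name
# cannot be read as an option. Capturing into $1 is what clears the taint.
sub untaint_username {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,31})\z/ ? $1 : undef;
}

# Assumed policy: one line of 8-64 printable ASCII characters.
sub untaint_password {
    my ($raw) = @_;
    return $raw =~ /\A([\x20-\x7e]{8,64})\z/ ? $1 : undef;
}

# List-form pipe open runs the helper directly, with no shell to interpret
# metacharacters, and the password goes to its stdin, not its argument list.
sub set_password {
    my ($helper, $user, $pass) = @_;
    local $SIG{PIPE} = 'IGNORE';    # a helper that exits early must not kill us
    open(my $to_helper, '|-', $helper, '-p', $user)
        or return "cannot run $helper: $!";
    print {$to_helper} "$pass\n";
    close($to_helper) or return "$helper failed (wait status $?)";
    return;    # no error
}

my $helper = '/usr/local/sbin/saslpasswd';    # path and -p flag as in the thread
# Constructed sample input; in the CGI these arrive tainted from the request.
for my $in (['andria', 'correct horse 9'], ['andria; id', 'correct horse 9']) {
    my $user = untaint_username($in->[0]);
    my $pass = untaint_password($in->[1]);
    if (!defined $user || !defined $pass) {
        print "rejected: '$in->[0]'\n";
    } elsif (!-x $helper) {
        print "accepted: '$user' (helper not installed here, not run)\n";
    } else {
        my $err = set_password($helper, $user, $pass);
        print defined $err ? "error: $err\n" : "password set for '$user'\n";
    }
}
```

Start it as `perl -T script.pl` or as an executable file; Perl aborts when -T appears only on the #! line of a script launched as `perl script.pl`.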

