从PHP脚本更改Linux用户密码
[英]Change Linux User password from PHP script
问题描述
I have a "simple" question: How can I securely change a user's password from within a PHP script, without granting Apache root privileges or introducing other crazy security holes? 
我有一个“简单”的问题:如何在不授予Apache根特权或引入其他疯狂安全漏洞的情况下,从PHP脚本中安全地更改用户密码?
Background: CentOS 6, Apache 2.2.13, PHP 5.3.3 背景:CentOS 6,Apache 2.2.13,PHP 5.3.3
I am aware of the pam_chpasswd() command, which is part of the PECL PAM library. 我知道pam_chpasswd()命令是PECL PAM库的一部分。 However, this function fails unless the host process (httpd) has read access to the /etc/shadow file. 但是,除非主机进程(httpd)具有对/ etc / shadow文件的读取访问权限,否则此功能将失败。 (BAD IDEA! Not sure how this library helps if it requires such high privileges...) (糟糕的主意!如果需要如此高的权限,不确定该库如何提供帮助...)
The ideal situation, as far as I can see, is to have PHP call a shell script with 'sudo -u[username of user changing his password]' This would run the script "AS" the user, so he should have permission to change his own password. 据我所知,理想的情况是让PHP用'sudo -u [用户更改密码的用户名]'调用shell脚本,这将对用户运行脚本“ AS”,因此他应具有以下权限:更改自己的密码。 And sudo would require that the user send along his existing password in order to be authenticated, thus preventing one user from changing another user's password. sudo要求用户发送其现有密码才能进行身份验证,从而阻止一个用户更改另一用户的密码。
But this doesn't work for some reason... when opening the process with popen, the process never executes. 但这由于某些原因而行不通...用popen打开进程时,该进程永远不会执行。 I have the shell script set up to dump some text into a publicly writable file in /tmp. 我设置了shell脚本,以将一些文本转储到/ tmp中的可公开写文件中。 But it never gets to that point. 但这永远到不了那点。
$cmd = "/usr/bin/sudo -S -u$username /file_to_execute.sh";
$handle = popen ($cmd, "w"); // Open the process for writing
fwrite ($handle, "$current_password\n"); // Send the user's current password to sudo (-S option)
fwrite .... (write the username, current password, and new password, so the script can change it)
$result = pclose($handle);
If I access this php script (http://server/script.php), the function immediately fails, and $result = 1 如果我访问此php脚本(http://server/script.php),该函数将立即失败,并且$ result = 1
If I modify the sudoers file (visudo) and add a line: 如果我修改sudoers文件(visudo)并添加一行:
$ Defaults:apache !requiretty $默认值:Apache!requiretty
The script freezes for about 10 seconds, then fails ($result = 1) 脚本冻结约10秒钟,然后失败($ result = 1)
Any suggestions for doing this are greatly appreciated! 任何建议这样做,不胜感激!
2 个解决方案
解决方案1
2 2012-07-24 16:34:33
To achieve the above with security in mind, I would suggest either the use of expect or adding the Apche user to a group who has write access to said file and only said file. 为了实现上述考虑到安全性,我建议要么使用expect或添加apche的用户的一组谁也说,文件的写访问,只说文件。
With expect, you will need to include your sudo password, as it will listen for the response from the OS of Password: , and when seen, it automatically replies with the sudo password. 期望,您将需要包括您的sudo密码,因为它将监听来自Password:的操作系统的响应,并且在看到时,它会自动以sudo密码进行回复。 This would allow you to team up shell_exec() and family with expect to achieve your results. 这将允许你组队shell_exec()和家人expect实现自己的结果。
I would go the second route for security, which would use a group permission to write to the file for a group which only has write access to that file. 为了安全起见,我将采用第二种方法,即使用仅具有对该文件的写访问权的组的组权限来向该文件写入文件。
Example: 例:
groupadd secure_apache
usermod -G secure_apache apache_user
chown owner:secure_apache /tmp/file_to_change
chmod 740 /tmp/file_to_change
解决方案2
0 2012-07-24 16:26:57
一种更安全的方法是将用户名和密码存储在特殊目录中的文件中,然后让cron完成工作(每分钟一次)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.