Menu
▾
▴
Re: More secure 'passwd' module?
|
From: Jamie C. <jca...@we...> - 2002-06-05 00:48:04
|
Scott MacKay wrote:
>
> Actually, found the problem.
>
> In save_passwd.cgi, the section
> if ($config{'passwd_cmd'}) {
>
> is missing something. After the
> @user || &error($text{'passwd_euser'});
>
> it should have the line
> &can_edit_passwd(\@user) ||
> &error($text{'passwd_ecannot'});
>
> This would be consistent with the else clause and the
> previous modules.
Absolutely correct .. there is now an update at
http://www.webmin.com/updates.html that fixes this as well.
> Also, if the original 'index.cgi' called
> can_edit_passwd, that would be a little more
> consistent.
Yeah, but if there are a lot of users calling can_edit_passwd
repeatedly would be very slow.
> For me, I added the following changes:
> 1) Only allow normal and expired passwords to be
> reset. (Expires is the password set to '*expired*' for
> me). This allows you to keep peeps form giving a
> password to a system account
> 2) Disallow password to be changed for UID <=100
> This was done (hopefully correctly) by doing the
> following in can_edit_passwd:
>
> if ($_[0]->[2]<=100 || $_[0]->[1] =~ 'NP' ||
>
> (($_[0]->[1]=~/^[*]+.*$/)&&($_[0]->[1]!~/\*expired\*/)))
> {
> return 0;
> }
There is already support for controlling access by
UID though. You can just enter 100 as the minimum, and
enter no maximum.
- Jamie
|