Web-Password Version 0.2(s)

Web Password Version 0.2(2s)

IMPORTANT NOTE:

I have had a number of queries that the program complains about a lock file. These problems have always been because a) The lockfile already exists (/etc/pwd.lock), or b) the permissions are not set to run the script as root (chmod 6755 newpasswd).

In version 0.22 (and possibly others), a constant EEXIST is used. Some compilers dont like this. If this is the case, try replacing EEXIST with 17, or #define EEXIST 17 at the top of the file

Description

Web Password is a simple Web Program to allow users to change there passwords. It gets around the dangerous practice of creating scripts which call "passwd" with the users name and password as parameters. It is also easier to use.

Version 2 implements basic locking and fixes a possible security hole. Locking support added by Pete Siddall

Version 2s Is a modified version of Version 2 which supports BASIC shadow file support (- it does not specify a minimum or maximum time between changes of password). Thanks to Tim Thomson Thanks also to obelix@vetorialnet.com.br for the fix with a bug in shadow password support.

Notes on this version - 0.2(s) :

This program is available from ftp://ftp.win.co.nz/web-pwd

The program was compiled for use with systems that DO NOT use shadowed passwords. Modifying the source to support shadowed paswords is quite trivial. PAM is not supported, and unless someone jumps in and does it for me, It will be a very long time before it gets added.

This program could contain security holes. The Authors accept no liability for any problems with the program, including but not limited to :

Undesired Operation
Crashing of System
Introduction of security holes.

This program exists as BETA software. It has been used by my small Internet company for some months now. There were some problems reported by larger sites, complaining of garbled password files, but it is believed that the problem has been solved, thanks to locking support added by Pete Siddall

It has been tested under Linux kernels 2.0.27, 2.0.17, 2.0.30 and 2.0.32 I strongly suspect the program is to simple to fail on any system that uses the Linux format for passwords, although this is unproven.

If there are any security holes or bugs that you can identify (and preferably fix), let me know.

This program is intended to be eMail-ware. If you find a use for it, e-Mail me. Make any modifications you wish, just don't pass them off as my work. (Credit for what is mine would be nice though)

To Install :

gcc -o newpasswd changepwd.c pwdcmp.c util.c lockp.c (This step is optional, as the source code has already been compiled for Linux)
Customize the pwd.html file (This may include changing the CGI directory). The defaults should work in most cases.
copy newpasswd -> cgi-bin directory
Copy the pwd.html file to an appropriate place in the WWW tree.
Check the Permissions -
```
	chmod 644 pwd.html     : -rw-r--r-- (Owned by root)
	chmod 6755 newpasswd : -rwsr-sr-x (Owned by root)
	
```
IF YOU GET AN ERROR MESSAGE ABOUT NOT BEING ABLE TO LOCK A FILE, CHANGE YOUR PERMISSIONS ON newpasswd
Make a backup copy of /etc/passwd, and make sure you have a bootable disk (just in case.)

WARNING :
Version 0.1 of the program did not have any locking. This has been modified in version 0.2. It is Strongly recomended that you upgrade. There are no changes to the config of the web page, simply copy the new newpasswd program over the old one, and reset the permissions.

Good Luck.
David Gottschalk davidgo@win.co.nz