Ralsina.Me — Roberto Alsina's website

A good web-based password changer?

Does such a thing exist? There are dozens, but none seems very good.

By good I mean:

  • Has been maintained more recently than 4 years ago.

  • Works via PAM (and just plain works)

  • Is not awful to install

  • Doesn't make you do weird stuff like running a SUID httpd (yes, I actually saw that once)

  • Secure (audited?)

  • Readable sources

  • Runs as a non-privileged user.

Usually this would be a SUID root cgi-bin, which is somewhat scary, and it would seem to me unnecessary.

Since the user will provide the current password, it should be possible for a non-privileged process to first switch to the desired user and then change the password, right?

Maybe someone can tell me. Or do I have to write it? I mean, it's going to be a Python CGI if I do, and no one's gonna like it ;-)

Jon / 2006-04-03 11:32:

I believe Horde (horde.org) have a module that does password changing - it's done using an expect script calling passwd, so you don't need to worry about letting your web server have access to /etc/passwd either.

It also covers things like .forwards and vacation messages.

Roberto Alsina / 2006-04-03 11:33:

Yes, it does. So does SquirrelMail and a few other webmail packages.

However, installing HORDE to change passwords is not really what I would call simple ;-)

I'm looking more for a one-file thing, rather than a multimegabyte application server framework.