[Tutor] passwords

Remco Gerlich scarblac@pino.selwerd.nl
Mon, 11 Feb 2002 19:01:16 +0100


On  0, kirk Bailey <idiot1@netzero.net> wrote:
> OK, I want to be able to change passwords.
> 
> no kidding unix shell passwords. encrypted in the database of all
> users in critter.
> 
> I want to do it with a form feeding to a script. accountname,
> oldpassword, oldpassword, newpassword.

There are many security problems with this that I can think of immediately
(see below). I don't believe this is the sort of thing you should want to
code, and it's quite probable that there is no existing Python library for
it.

> the data to be changed in a FreeBSD server is encrypted, in a colon
> delineated database, normally modified with 'vipw'. 'vi' is a major
> editor with the capacity to access this file, decrypt it, edit the
> stuff, recrypt it, and save it. vipw is a shortcut that fires it up
> with all the path, filename, and special flags for this special task.

'vipw' actually does one important thing extra: it locks the file it is
working on. Nothing else will be able to change the passwd file while you
are editing it, as long as it obeys file locks. So you'd need to lock it
from the script as well.

I hope the passwords aren't stored in your /etc/passwd, but in /etc/shadow.
Otherwise, it's probably quite easy to crack them.

> I already know about the passwd command, it is interactive. It talks
> back, I bet that could bark at the script real fine.
> 
> so far the only things in python dealing with passwords GET them from
> the user and compare them to the stored password for equality.
> 
> any advice?

This script would need to run with root permissions. Running any suid root
program from a web form is asking for trouble.

More specifically, running a *script* (text file with #! line) as suid root
is a known security issue, to do with the time lag between the kernel
reading the #! line, and Python reading the file. I don't know about
FreeBSD, but Linux doesn't even allow suid scripts because of that - you'd
need to write it in a compiled language that doesn't have this particular
problem.

Web forms send the info over the net as plain text. This can be sniffed too
easily.

You'd need specific protection against someone trying to brute force a
password by brute force sending forms with different passwords.

If your web server is cracked, the page with the form can be replaced by one
which sends the form info to somewhere else, so the cracker receives the
password info.

Even if this is not possible, someone could change browser settings at a
*user's* computer, so they get a page that looks like the change password
page but actually sends the info to the cracker (for instance by configuring
a proxy). This is usually very easy.

Form contents may be cached on the user's computer.
In short, I don't think it's a great idea. There is a reason why the passwd
command is strictly interactive. But if you are certain you can find a
solution for all these problems, especially those of sending the data in
encrypted form and using foolproof authentication, then surely you can code
the calls to change the shadow file by yourself :-)

-- 
Remco Gerlich
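Added example, not part of the thread above: a small audit of the colon-delimited passwd database that flags accounts whose hash sits in the world-readable file instead of shadow, the point raised about /etc/passwd versus /etc/shadow. It assumes the classic seven-field passwd layout; the sample lines are constructed.

```python
"""Audit colon-delimited passwd entries for hashes that belong in shadow.

Added example (not code from the original mailing-list thread). Assumes the
classic seven-field /etc/passwd layout; on FreeBSD the hashes live in the
root-only ten-field /etc/master.passwd and /etc/passwd shows '*' instead.
"""

# Constructed sample input standing in for a real /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$abcdefgh$ijklmnopqrstuvwxyz012:1002:1002:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
dave::1004:1004:Dave:/home/dave:/bin/sh
"""

# Field-2 values that mean "no hash stored here": shadowed ('x') or locked.
NO_HASH_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Yield (name, pwfield, uid) for each passwd line; reject malformed lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d"
                             % (lineno, len(fields)))
        yield fields[0], fields[1], int(fields[2])


def audit_passwd(text):
    """Return {account: finding} for entries that weaken the shadow scheme."""
    findings = {}
    for name, pwfield, uid in parse_passwd(text):
        if pwfield == "":
            # Empty field: the account can log in with no password at all.
            findings[name] = "empty password field (login without password)"
        elif pwfield not in NO_HASH_MARKERS:
            # A real hash in passwd is readable by every local user and
            # can be fed straight to an offline cracker.
            findings[name] = "hash stored in world-readable passwd, not shadow"
    return findings


if __name__ == "__main__":
    for account, finding in sorted(audit_passwd(SAMPLE_PASSWD).items()):
        print("%s: %s" % (account, finding))
```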