Hello,
I am pondering the security issues of writing a remote-password changing
utility. The situation is this: we support a student computing facility
at a university. The student computing resources include a UN*X box
(Linux), and a Novell server. Passwords are not necessarily synchronized
on both servers, although usernames are.
My question is this: if I write a utility to allow a user to change
his/her password on the UN*X account *FROM* their login session on
Novell, what is the safest implementation for such an app? I plan to
do authentication on the local login session, then allow a password
change on the corresponding UNIX account via a direct write to the
/etc/passwd file.
Is this incredibly stupid, or can it be done safely? Other thoughts:
- SUID?
- only allow (invisible) synchronization from the Novell bindery p/w object
to the UNIX /etc/passwd file (i.e. user invokes an automatic process, with
no opportunity for input)?
- existing apps to do this?
- use RPCs?
Any thoughts welcomed.
Steve
--
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Richard Ivey School of Business Office: Rm 55A WBS
University of Western Ontario Phone : (519) 661-2111 x 5134