Subject: RE: Changing user passwd thru a program
To: 'netbsd-users@netbsd.org' <netbsd-users@netbsd.org>
From: Sumeet Malhotra <smalhotra@rhapsodynetworks.com>
List: netbsd-users
Date: 04/17/2002 10:59:48

Thanks Steve,

I ran the program as root and it passes that point now! But I was wondering
how the passwd program changes its effective uid to 0. setuid (or
seteuid) to 0 can only be done if you are a super user. Am I right?

Sumeet

-----Original Message-----
From: Steven M. Bellovin [mailto:smb@research.att.com]
Sent: Wednesday, April 17, 2002 10:30 AM
To: Sumeet Malhotra
Cc: 'netbsd-users@netbsd.org'
Subject: Re: Changing user passwd thru a program 


In message
<45BEF1D68145D51186C100B0D0AABE659FEB1D@med.corp.rhapsodynetworks.com>,
Sumeet Malhotra writes:
>Hi all,
>
>I'm trying to write an API to provide user passwd change facility. It
>should work exactly the same way a normal "passwd" program works, except
>that it takes the 3 arguments - username, oldpass and newpass as function
>args.
>
>I modelled the program exactly on the lines of the NetBSD passwd source
>code, but the program fails when trying to compare the oldpass with the
>existing one in the /etc/passwd file. The code to compare the oldpass with
>existing one is :
>
>if (strcmp(crypt(oldpw, pw->pw_passwd), pw->pw_passwd) != 0)
>        return ACCESS_DENIED;
>
>Here pw->pw_passwd is the password entry from /etc/passwd file.
>
>The /etc/passwd file uses "*" as the passwd entries which means that the
>passwords are to be looked up somewhere else (possibly master.passwd
>file?). The string compare tries to compare the encrypted password with
>"*" and fails.
>

See getpwent(3) -- unless you're running as root, you get the '*'.  If 
you are running as root, you get the real hashed password.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
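
An added example, not part of either message above: a version of the old-password check that reports the "*" placeholder separately from a wrong password, so a caller without root sees why the comparison cannot succeed. The names check_old_password, pw_check, hash_fn and demo_hash are assumptions made for this sketch; demo_hash is a constructed stand-in so the code runs without libcrypt, and real use would pass crypt(3) itself.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of checking the old password against the pw_passwd field. */
enum pw_check { PW_MATCH, PW_MISMATCH, PW_NO_HASH };

/* Same signature as crypt(3); pass crypt itself in real use. */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* Compare without stopping at the first differing byte. */
static int same_string(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* stored is pw->pw_passwd from getpwnam(3). "*" means no hash is visible
 * (caller is not root, or account has no password): report it separately. */
enum pw_check check_old_password(const char *oldpw, const char *stored,
                                 hash_fn hash)
{
    const char *computed;
    if (stored == NULL || strcmp(stored, "*") == 0)
        return PW_NO_HASH;
    computed = hash(oldpw, stored);
    if (computed == NULL)   /* crypt(3) can return NULL on failure */
        return PW_MISMATCH;
    return same_string(computed, stored) ? PW_MATCH : PW_MISMATCH;
}

/* Constructed stand-in for crypt(3): prefixes the key with "demo$".
 * Not a password hash; it only lets the example run offline. */
static char *demo_hash(const char *key, const char *setting)
{
    static char out[64];
    (void)setting;
    snprintf(out, sizeof out, "demo$%s", key);
    return out;
}

int main(void)
{
    printf("%d %d %d\n", check_old_password("old", "*", demo_hash),
           check_old_password("old", "demo$old", demo_hash),
           check_old_password("bad", "demo$old", demo_hash));
    return 0;
}
```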