Author Topic: Password changing using /etc/shadow files based system via pam  (Read 1016 times)

Offline TerryBarnaby

  • Newbie
  • *
  • Posts: 1
Password changing using /etc/shadow files based system via pam
« on: January 22, 2021, 12:55:15 PM »
I am using roundcubemail on a small private email server which has just a few users. For simplicity I have used the system's /etc/password, /etc/shadow for user names and passwords with logins disabled.
I tried to use the "pam" based system to allow roundcubemail to change a users password, but first the php-pecl-pam extension was broken for PHP7, I fixed that but then discovered that the pam access required the /etc/shadow file to be readable by the apache user which seemed a security issue.
The alternative chpasswd based system seems an even worse security issue.
So for my use I have created a simple system like chpasswd with a setuid /usr/sbin/bpassword program that functions in a similar way to chpasswd but requires the users current password as well as the new password in order to change their password and limits password changes to those with a userid greater or equal to 1000. I have then created a simple roundcubemail driver based on chpasswd.php for roundcubemail integration.
This seems to work well and I believe is a much better and more secure system that the pam and chpasswd systems where it is desired to use /etc/passwd and /etc/shadow. It obviously only allows a user to change their password where they know their previous password but having the ability to update your own password is important as far as I am concerned.
I am happy to provide this to roundcubemail users in some way if wanted. The bpassword.php driver is obviously easy to integrate into the roundcubemail package but I'm not sure about the  /usr/sbin/bpassword code which is a 'C' program. I have created RPM's for these for Fedora33 at the moment.
Any views on this ?