views:

16

answers:

1

I am writing some software in Ruby on Rails to do some simple user management for login to our server. I am working on a method for the User controller that will allow a user to change their password on the server (FTP / website login) password. I would like the administration of the server passwords to be done through the website, and to that end I have come up with the following algorithm.

- User logs into website, and indicates a change of password is desired using
  current login password, and enters new password (with confirmation)
- Rails user.rb model file has algorithm which establishes read/write with a 
  program tty (via 'PTY.spawn' and 'expect').  This happens as user www-data.
- First command issued to the PTY is `su <username>`, enter current system password. 
- Next, send `passwd`, wait for password prompt and pass current password.
- Wait for 'new password' and send desired password.
- again for confirmation of password.
- As long as none of the 'expect' statements fail (including 'password updated
  successfully'), salt and hash the password and store it in the database as normal.

I am reasonably confident that this is a secure method of maintaining sync with the system account passwords. But then again....I'm not a hacker or a security expert. This isn't a publicly open system, but there are a variety of users that will be accessing the system.

First question: Is there a smarter way of doing this? Via PAM maybe? I have used linux personally for years but my administration experience is limited. The server is running either Debian or Ubuntu Server, nginx and a few rails instances.

Second question: How do I work in a 'reset' password function into the system? This obviously requires root access and would look more like:

- Verify user by other means (email, administrator, whatev)
- su root or sudo -s (uhhhmmm....?!)
- passwd <username>
- set to generated value
- force user to change password @ next login

First glance, this seems less secure. Root access and such. But I can't figure out a way around it that doesn't involve some admin personally sudo passwd <username> each time the user forgets their password....moreover, I don't want my rails app to have root access to the system....it runs as a different user for a reason. So I guess that means I have to setup a root cron that runs a rake task to look for passwords that need to be reset....

I'm also doing other things in my user model, like disk space monitoring:

def update_disk_usage
  home_dir =~ /\A((\w|[._0-9-])*)(.*)\Z/
  #runs as www-data
  home_dir_size = `/usr/bin/du -cs /home/#{$1} | grep total | awk '{print $1}'`
  self.quota = home_dir_size.to_i
  self.quota_checked = Time.now
  self.quota
end
A: 

At the code sample at the end of the post you are escaping the input incorrectly. This is a very sensitive operation and malformed user input would be Remote Code Execution Vulnerability. You should be using the Escape.shell_command() function.

Rook