Using shell_exec('passwd') to change a user's password

Question

I need to be able to change the users' password through a web page (in a controlled environment). So, for that, I'm using this code:

<?php
$output = shell_exec("sudo -u dummy passwd testUser testUserPassword");
$output2 = shell_exec("dummyPassword");
echo $output;
echo $output2;
echo "done";
?>

My problem is that this script is not changing the password for the user "testUser". What am I doing wrong?

Thanks

Other than the shell access method being wrong, like all the answers try to resolve, the passwd command is wrong. At least in my book you cannot just write the new password like that on the commandline. — Robin Manoli, Mar 04 '13 at 10:51

score 3 · Answer 1 · answered Sep 24 '08 at 14:42

3

Another option is to have a shell script, say called passwd_change.sh somewhere that looks like this:

#!/usr/bin/expect -f
set username [lindex $argv 0]
set password [lindex $argv 1]

spawn passwd $username
expect "(current) UNIX password: " 
send "$password\r"
expect "Enter new UNIX password: "
send "$password\r"
expect "Retype new UNIX password: "
send "$password\r"
expect eof

Then in your php code do:

<?php
shell_exec("sudo -u root /path/to/passwd_change.sh testUser testUserPass");
?>

answered Sep 24 '08 at 14:42

bmdhacks

15,841
8
34
55

According to your current code, wouldn't the script try to send their new password as their current password? This wouldn't make sense unless the user was setting their new password to be the same as their old password... – Jake Wilson Oct 17 '11 at 15:32
Also, this script fails because when calling `passwd` using `root`, it doesn't ask the `root` user for the user's current password. – Jake Wilson Oct 17 '11 at 15:34
This method works nonetheless, despite the code being wrong. Ubuntu at least will not accept the old password to the new, a change which makes no sense anyway. Alter the script a bit and it works. – Robin Manoli Mar 04 '13 at 10:48

score 2 · Answer 2 · answered Sep 24 '08 at 14:24

I'm not familiar enough with PHP to tell you how to fix it, but your problem is that the two shell_exec commands are entirely separate. It appears as though you're trying to use the second command to pipe input to the first one, but that's not possible. The first command shouldn't return until after that process has executed, when you run the second one it will attempt to run the program dummyPassword, which we can probably expect to fail.

score 2 · Answer 3 · edited Aug 03 '11 at 14:33

2

Use proc_open, which will let you interact with the process's stdin.

See this comment in particular at the manual: http://www.php.net/manual/en/function.proc-open.php#58044

edited Aug 03 '11 at 14:33

answered Sep 24 '08 at 14:35

Jonathan Arkell

10,526
2
24
32

score 2 · Answer 4 · edited Jan 20 '16 at 07:05

The first response is correct. You probably want to use popen() or some other function that will return a pipe, which you can write to just like a file opened with fopen() or file().

<?php
$pipe = popen("sudo -u dummy passwd testUser testUserPassword", 'r');
fwrite($pipe, "dummyPasswd\r\n");
pclose($pipe);
echo "done";
?>

I haven't tested that, but it's the general idea of what you seem to be going for. You'll notice that this setup doesn't provide for the output from the commands you executed. For that, you'll need to use proc_open() which is a little harder to work with but does provide bi-directional support.

I didn't get this method to work at all. Even if the mode of popen should be 'w', and the passwd command written correctly. — Robin Manoli, Mar 04 '13 at 10:49

score 2 · Answer 5 · answered Sep 24 '08 at 14:52

2

Use chpasswd:

$tmpfname = tempnam('/tmp/', 'chpasswd');
$handle = fopen($tmpfname, "w");
fwrite($handle, "$username:".crypt($password)."\n");
fclose($handle);
shell_exec("sudo sh -c \"chpasswd -e < $tmpfname\"");

Beware! If somebody will get control on $username then he can change any password on a system.

answered Sep 24 '08 at 14:52

Tometzky

22,573
5
59
73

It really looked nice your solution, but my unix system does not have the "chpasswd" command. Thank you anyway – RSilva Sep 24 '08 at 15:48

score 0 · Answer 6 · answered Sep 20 '12 at 23:13

0

I prefer using 2 separate processes: http://sylnsr.blogspot.com/2012/09/keep-unix-password-in-sync-with.html

answered Sep 20 '12 at 23:13

Michael M

8,185
2
35
51

score 0 · Answer 7 · answered Sep 25 '08 at 09:49

You should use the crypt() function to encrypt the password. Then you can call the usermod program like this usermod --password username encryptedpassword.

The most common way to encrypt a UNIX login password is like this:

crypt('password', '$1$salt1234$')

(Where salt1234 is an eight letter salt)

score 0 · Answer 8 · answered Dec 20 '08 at 19:36

An easy I know and which works (at least for Debian 4.0r5) is:

#!/bin/bash

USER="root"
NEWPASS="bullsheit123"

echo $USER:$NEWPASS | chpasswd
echo $?

Just adapt this to the php script and it should work fine.

score 0 · Answer 9 · answered Aug 03 '11 at 13:16

0

I it is way too late but this is for people still searching answer. This is what we use. Extremely simple.

    file_put_contents("passd", "$pass\n$pass\n");
    echo "$uname: $pass\n";
    `passwd $uname --stdin < passd`;
    `rm -rf passd`;

answered Aug 03 '11 at 13:16

Cem Kalyoncu

14,120
4
40
62

Using shell_exec('passwd') to change a user's password

9 Answers9

Linked