2

I have written a php script to allow users to create accounts for mailing service.

shell_exec("sudo useradd -m ".escapeshellcmd($user_name)." -s /sbin/nologin"." -p ".crypt(escapeshellcmd($user_password),"abcd"));

Now I would like to allow users to change/delete their password/account. I tried using

shell_exec("sudo deluser --remove-all-files -f ".$username);

I have no idea how to implement password changing.

Unfortunately the commands doesn't seem to be working. How can I implement these?

Update: Piece of code to handle password change

case 'change':
  $username = $_POST['value'];
  $newpwd = $_POST['Pwd'];

  // Berry Langerak's code
  $out = shell_exec(
       sprintf(
         "echo '%s:%s' | chpasswd", 
          escapeshellarg($username), 
          escapeshellarg($newpwd)
        )
      );
echo(json_encode($username." password has been updated"));
break;
curious_coder
  • 2,392
  • 4
  • 25
  • 44

1 Answers1

3

Well, in Ubuntu, the command for changing the password of a regular user would be:

passwd $username

But then, the shell is interactive, which might be very annoying for a PHP script. There's a non-interactive alternative though:

echo '$username:$password' | sudo chpasswd

In your PHP script, you could do this:

<?php
$username = 'foo';
$password = 'foo';

$command = sprintf(
    "echo '%s:%s' | sudo chpasswd", 
    escapeshellarg($username), 
    escapeshellarg($password)
);

exec($command, $output, $return);

if ($return === 0) {
   // success.
}
else {
   var_dump($return, $output); // failure.
}

DISCLAIMER: when you're executing this line, do be aware that this command will be visible in .bash_history, and in the process list. You might want to encrypt the password before executing your shell command, and send the -e flag to chpasswd, to mitigate these risks.

EDIT: Forgot the echo statement, added it.

EDIT: Added some debugging to the script.

Berry Langerak
  • 18,561
  • 4
  • 45
  • 58
  • I tried it but unfortunately its not working. Anything I am missing out on? – curious_coder May 20 '14 at 06:24
  • @curious_coder Sorry, I forgot the echo statement, which means the shell tried to execute the string. I've added the echo statement and tested it. – Berry Langerak May 20 '14 at 06:46
  • I tried it but I am unable to get it to work. The password remains unchanged. I have added update to the question – curious_coder May 20 '14 at 07:02
  • Do we need to add sudo? – curious_coder May 20 '14 at 07:19
  • @curious_coder Ah, yes, you need to have permission to actually execute the statement. Using sudo should fix your issue. I'll add some debugging to the script, too. – Berry Langerak May 20 '14 at 08:48
  • Console output is `int(1) array(0) { }` – curious_coder May 20 '14 at 09:11
  • @curious_coder Well, something is definitely off, then. Could you try executing it on the shell directly, to see what happens? – Berry Langerak May 20 '14 at 12:03
  • I tried using ls command without any input and it worked. The code is working if I directly execute in the shell. – curious_coder May 20 '14 at 12:07
  • @curious_coder Could you try changing the command into `echo '%s:%s' | sudo chpasswd 2>&1` and see if you get an error message then? I'm pretty sure this has to be possible ;) – Berry Langerak May 23 '14 at 07:21
  • The output is `int(1)array(7) { [0]=> string(53) "sudo: no tty present and no askpass program specified" [1]=> string(17) "Sorry, try again." [2]=> string(53) "sudo: no tty present and no askpass program specified" [3]=> string(17) "Sorry, try again." [4]=> string(53) "sudo: no tty present and no askpass program specified" [5]=> string(17) "Sorry, try again." [6]=> string(35) "sudo: 3 incorrect password attempts"}` – curious_coder May 26 '14 at 06:37
  • @curious_coder Then you'll have to make sure your user can actually execute chpasswd with NOPASSWD. – Berry Langerak May 26 '14 at 07:32
  • Thanks I was able to rectify it. – curious_coder May 27 '14 at 07:02