Personally, running a script directly from a website to add users is asking
for security trouble.. I would have it write a "adduser" request to a file
and then have a cron job parse that file everyt 5, 10 or 30 minutes or
something looking for new users to add. This gets you around the SUID
problem and also allows you to do some more sanity checks, etc... on the user
being added.
Of course your script is checking to make sure that a webuser isn't submitting
root, admin, nobody or any of the "system" names as a user, correct?
On Tuesday 17 September 2002 19:55, tim tom wrote:
> php4.2.3 apache mod
> linux rh7.2
> -------------------
>
> I am trying to add unix system account user via a simple php and shell
> script <?
> system("/usr/bin/add.sh timtom752002 timtom752002 /home/timtom752002",$r)
> or die (" $r user creation fail");
>
> print "success";
> ?>
>
> when i ran add.php on my browser, i get
> 254 user creation fail
>
> I created my add.sh file in /usr/bin and I have setuid it:
> -rwsr-xr-x 1 root devel 216 Sep 18 08:54 add.sh
>
> It looks like:
> #!/bin/sh
>
> username=$1
> password=$2
> homedir=$3
> # create user
> /usr/sbin/useradd -m -d $homedir $username
>
>
> # change the password
> (
> echo $password
> sleep 1
> echo $password
> sleep 1
> echo $password
> )|passwd $username
>
> When I ran the add.sh from the command line, it works ok:
> $ /usr/bin/add.sh nnnnn nnnnn /home/nnnnn
> Changing password for user nnnnn
> passwd: all authentication tokens updated successfully
> (i tried login in with uid=nnnnn and passwd=nnnnn and it was ok)
>
> What's wrong with those scripts. It DOESN'T even create the user
> timtom752002. Please help
--
Henrik Hudson
[EMAIL PROTECTED]
Note: Beware of Dragons - Thou art crunchy and taste good with ketchup.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
