Re: FN-FORUM creating user using exec in PHP

date posted 8th January 2003 17:07

On Wed, 8 Jan 2003, Nigell Boulton wrote:

> I am trying to create a user on my linux server using PHP. If i cut and paste the string from $command2 into a SSH shell, it creates the account. What kind of permissions should i run on this script.
>
>

useradd normally needs root privs to do it's work. Having CGI/PHP/etc
running as root is rarely a good idea though.

A better way of doing this would be to do something like:

groupadd -r webuseradd
; create a system group (-r) named webuseradd
chown root.webuseradd /etc/passwd
chown root.webuseradd /etc/shadow
chmod g+rw /etc/passwd
chmod g+rw /etc/shadow
; make /etc/shadow and /etc/passwd group writable and in the webuseradd
; group

then have your PHP script run as a user in the webuseradd group.

Also, if you're getting user or groupnames from the user, be sure that
you've removed all possible shell metacharacters from the strings you're
pasting into a useradd command - otherwise a malicious user could append a ;
or similar and have that exec command run other commands... the safest
approach is to only let [a-zA-Z0-9] through!

Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950