Topic: Helpful person with CGI scripts / Linux ?
started by: t|nt|n
I need to do this in order to give the users of the webpage for my project their own webspace.
If any of you would be good enough to enlighten me I would be very much obliged !!
Thanks
Be careful though, because this would require allowing an web user to create logins on your box...not exactly a wonderful idea with regards to security.
P.S. If I'm full of shit, please let me know
------------------
When everything is examined for what it really is, the only thing that I can truly claim as my own is the mistakes that I have made.
Security is not an issue in the project. It just has to work !!!
It will only be used once by a lecturer and then probably files away in the dark dungeon of the college
It is really wrecking my head as I can't use linux so I am trying to learn and do this project at the same time !
But you'd basically write a form that the prof could enter a username on then write something like (this is PHPese):
$command = "adduser $username -p $password -g [group]";
system($command);
$command = "mkdir /usr/local/apache/htdocs/$username";
system($command);
That's the basic idea anyway. You'll have to set up the group and group permissions ahead of time, of course.
edit: forgot second system call
------------------
When everything is examined for what it really is, the only thing that I can truly claim as my own is the mistakes that I have made.
This message has been edited by Beldurin on November 27, 2001 at 11:46 AM
This message has been edited by chmod on November 27, 2001 at 01:06 PM
If you have a script called "adduser.cgi", you'd run the following commands as root to make it SUID :
chown root adduser.cgi
chgrp root adduser.cgi
chmod 6755 adduser.cgi
Note that if you modify adduser.cgi in any way, the SUID bits will be disabled, and you'll have to run the chmod command again.
Beyond that, it depends on what language you use. Since you're pressed for time, go with what you know... at some point you'll have to use the Unix useradd command to create the user, so you'll want to pull up the man page for that and study it carefully.
I don't know about PHP, but Perl will automatically places any script running SUID in "taint mode," so read up on that if you're using Perl.
Your best bet may be to write a small C wrapper for useradd. Have it run SUID, and let the rest of your script run normally.
quote:
Originally posted by chmod:
I know security has already been mentioned... But there's a lot more vulnerability involved besides just giving the power of creating logins. In the future keep in mind that you should never use a system() call with a variable in the command, because someone could add a ; to the data followed by any command they wanted, and the shell would most likely execute it, possibly wreaking havoc... It's good practice to filter with regexps for that reason.
Good point. My dumb ass completely forgot to mention that. Just do a regexp check for a semicolon which shouldn't be in a username anyway.
------------------
When everything is examined for what it really is, the only thing that I can truly claim as my own is the mistakes that I have made.
[code]
if($variable =~ /;/
{die "NO SEMICOLONS EVER STFU PLZ KTHXBYE ";
}
[code]
Or it might be ~= and you might have to escape the first semicolon. Bleh, I really need to brush up on my Perl, I haven't coded in Perl for over a year, I'd estimate.