PHPBuilder.com
09-11-2002, 04:22 AM   #1
nimrodc
Junior Member
 
Join Date: Sep 2002
Posts: 1
security problem

Hi,
How can I run "adduser" from an HTML page?
I have Red Hat 7.3, and the site is on the Apache server.
I'm using PHP for the server-side script. The function is
"passthru ('adduser test');". It works OK from the PHP interpreter.
The error is "can't lock password file".
I'm using an .htaccess file for basic authentication,
but the problem is that the authenticated user is not a system user;
it only has rights in the site folder, and Apache is running as the apache user.
How can I overcome this problem?
09-11-2002, 10:44 AM   #2
dannys
Senior Member
 
Join Date: Mar 2001
Posts: 636
Apache is running as an unprivileged user - it doesn't have the authority to add users.

You might try altering the permissions on the passwd file so that the user Apache is running as will have permission, but this is obviously more than a little insecure.
09-18-2002, 08:46 AM   #3
overlordhu
Junior Member
 
Join Date: Dec 2001
Posts: 12
Hi,

Not too much of security, but I think I can solve your problem. Have you ever heard of the SUDO package? That can be configured to give permissions on executing commands as root.
Note that this can be a security hole on your system.

Best,

Paul
09-18-2002, 10:17 AM   #4
nashirak
Senior Member
 
Join Date: Jul 2001
Posts: 305
I think the traditional method is running root-sensitive Unix commands from a cron script. Have the cron script read from a file or something (this contains usernames). Then read the file and create users off of that. This method is an indirect way to get "root" privileges. Do not give your web users these privileges.

Hope this helps!
09-19-2002, 10:55 AM   #5
Frag
Member
 
Join Date: Sep 2002
Location: Dallas
Posts: 98
I wholeheartedly agree with nashirak. To allow someone to create a user from a webpage is just asking for trouble. To have that ability is just plain crazy. You really need to add a notification to it if you're going to do such (even if you're the only one that uses it). That way, if someone else gets ahold of it, you will still be notified of an account that was created.

Don't plague yourself like Microsoft did.

"Our products aren't engineered for security" -- Brian Valentine, senior vice-president in charge of Microsoft's Windows development

http://www.cw360.com/bin/bladerunner...9&CARTI=115571

Frag
__________________
Info Inflow Overload, Knowledge Blackhole Imminent
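
The cron-and-queue-file approach nashirak describes, with the audit trail Frag asks for, as an added example (not code from any poster in this thread). The queue path, log path and username rule are assumptions; the web application is assumed to append one requested name per line and to hold no other privilege.

```shell
#!/bin/sh
# Root cron worker for queued account requests (added example).
# Paths, file format and names are assumptions, not from the thread.
LC_ALL=C; export LC_ALL                        # make [a-z] mean ASCII only
QUEUE=${QUEUE:-/var/spool/acctreq/requests}    # web app appends one name per line
LOG=${LOG:-/var/log/acctreq.log}               # audit trail for notification
CREATE=${CREATE:-useradd}                      # set CREATE=true for a dry run

note() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOG"; }

# Lowercase letter first, then [a-z0-9_-], at most 32 characters.
# A leading '-' is refused so a name can never be read as an option.
valid_username() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Claims the queue, creates each valid new name, prints the number created.
process_queue() {
    [ -f "$QUEUE" ] || { echo 0; return 0; }
    work="$QUEUE.$$"
    mv "$QUEUE" "$work" || return 1            # later requests start a fresh file
    created=0 lineno=0
    while IFS= read -r name || [ -n "$name" ]; do
        lineno=$((lineno + 1))
        if ! valid_username "$name"; then
            note "REJECTED line $lineno (raw input not logged)"
        elif id "$name" >/dev/null 2>&1; then
            note "EXISTS $name"
        elif $CREATE -- "$name"; then
            created=$((created + 1))
            note "CREATED $name"
        else
            note "FAILED $name"
        fi
    done < "$work"
    rm -f "$work"
    echo "$created"
}

# Run from root's crontab as: script.sh run
if [ "${1:-}" = run ]; then process_queue; fi
```

The web server only ever writes text to the queue file; the privileged step runs later, as root, on names that passed the allowlist, and every outcome lands in the log.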
09-19-2002, 11:52 AM   #6
dotwebbie
Expert at something . . .
 
Join Date: Aug 2002
Posts: 287
lol! I haven't heard that one before. At any rate, I might as well agree with what was said here.