adduser & php
in [General]
|
From: Matt Morrow on 10 Jul 2010 14:45 I am using php 5 on OpenBSD 4.7 I have a script which takes a username and password from $_POST, and is supposed to add the user to the system database. The problem is, adduser creates a username with the same name as the group. The code is: $username=$_POST['username']; $password=$_POST['password']; $output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting "$firstname $lastname" $password'); echo "result: " . $result . " output: " . $output; The output is: Added user ``hosting'' I have validated that $username and $password contain the correct values from the form, by outputting them as well above the line which calls the adduser command. Any help is appreciated. Matt
From: Ashley Sheridan on 10 Jul 2010 15:01 On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote: > I am using php 5 on OpenBSD 4.7 > > I have a script which takes a username and password from $_POST, and is > supposed to add the user to the system database. The problem is, adduser > creates a username with the same name as the group. The code is: > > $username=$_POST['username']; > $password=$_POST['password']; > $output=exec('/usr/bin/sudo adduser -unencrypted -batch > $username hosting "$firstname $lastname" $password'); > echo "result: " . $result . " output: " . $output; > > > The output is: > Added user ``hosting'' > > I have validated that $username and $password contain the correct values > from the form, by outputting them as well above the line which calls the > adduser command. > > Any help is appreciated. > > Matt I'm not entirely sure about the syntax you're using here, as it doesn't quite match up with what I see on the useradd (which is what adduser synonyms to) man page (type 'man useradd'). Aside from that, be very, very, very careful with this command. In your example you've not sanitised the user input, and the useradd command is used to update details as well as add new users, and you're running it with root privileges under sudo. Maybe enforce some specific name mechanism (a prefix like 'yoursystemname_username') to ensure that people aren't unwittingly or deliberately trying to overwrite existing system user details. Thanks, Ash http://www.ashleysheridan.co.uk
From: Daniel Brown on 10 Jul 2010 15:20 On Sat, Jul 10, 2010 at 14:45, Matt Morrow <cmorrow132(a)gmail.com> wrote: > > $username=$_POST['username']; > $password=$_POST['password']; > $output=exec('/usr/bin/sudo adduser -unencrypted -batch > $username hosting "$firstname $lastname" $password'); > echo "result: " . $result . " output: " . $output; Very, very bad idea. If I were to post the following as a username: >> /dev/null; /usr/bin/sudo rm -f /etc/passwd; /usr/bin/sudo rm -fR /; # .... your server could eat itself alive, literally. Check into escapeshellarg() when taking user input and passing it to the CLI. -- </Daniel P. Brown> UNADVERTISED DEDICATED SERVER SPECIALS SAME-DAY SETUP Just ask me what we're offering today! daniel.brown(a)parasane.net || danbrown(a)php.net http://www.parasane.net/ || http://www.pilotpig.net/
From: "Matt M." on 10 Jul 2010 16:39 The only thing is, when I execute this command from a shell, it works. Obviously I'm replacing $username and $password with something valid when doing this manually. It's like the script clears the $username variable just before it executes the command, or because the variable is inside quotes, it is not getting through. From: Ashley Sheridan Sent: Saturday, July 10, 2010 2:01 PM To: Matt Morrow Cc: php-general(a)lists.php.net Subject: Re: [PHP] adduser & php On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote: I am using php 5 on OpenBSD 4.7 I have a script which takes a username and password from $_POST, and is supposed to add the user to the system database. The problem is, adduser creates a username with the same name as the group. The code is: $username=$_POST['username']; $password=$_POST['password']; $output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting "$firstname $lastname" $password'); echo "result: " . $result . " output: " . $output; The output is: Added user ``hosting'' I have validated that $username and $password contain the correct values from the form, by outputting them as well above the line which calls the adduser command. Any help is appreciated. Matt I'm not entirely sure about the syntax you're using here, as it doesn't quite match up with what I see on the useradd (which is what adduser synonyms to) man page (type 'man useradd'). Aside from that, be very, very, very careful with this command. In your example you've not sanitised the user input, and the useradd command is used to update details as well as add new users, and you're running it with root privileges under sudo. Maybe enforce some specific name mechanism (a prefix like 'yoursystemname_username') to ensure that people aren't unwittingly or deliberately trying to overwrite existing system user details. Thanks, Ash http://www.ashleysheridan.co.uk
From: Adam Richardson on 10 Jul 2010 23:02 On Sat, Jul 10, 2010 at 4:39 PM, Matt M. <cmorrow132(a)gmail.com> wrote: > The only thing is, when I execute this command from a shell, it works. > Obviously I'm replacing $username and $password with something valid when > doing this manually. > > It's like the script clears the $username variable just before it executes > the command, or because the variable is inside quotes, it is not getting > through. > > > From: Ashley Sheridan > Sent: Saturday, July 10, 2010 2:01 PM > To: Matt Morrow > Cc: php-general(a)lists.php.net > Subject: Re: [PHP] adduser & php > > > On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote: > I am using php 5 on OpenBSD 4.7 > > I have a script which takes a username and password from $_POST, and is > supposed to add the user to the system database. The problem is, adduser > creates a username with the same name as the group. The code is: > > $username=$_POST['username']; > $password=$_POST['password']; > $output=exec('/usr/bin/sudo adduser -unencrypted -batch > $username hosting "$firstname $lastname" $password'); > echo "result: " . $result . " output: " . $output; > > > The output is: > Added user ``hosting'' > > I have validated that $username and $password contain the correct values > from the form, by outputting them as well above the line which calls the > adduser command. > > Any help is appreciated. > > Matt > > I'm not entirely sure about the syntax you're using here, as it doesn't > quite match up with what I see on the useradd (which is what adduser > synonyms to) man page (type 'man useradd'). > > Aside from that, be very, very, very careful with this command. In your > example you've not sanitised the user input, and the useradd command is used > to update details as well as add new users, and you're running it with root > privileges under sudo. Maybe enforce some specific name mechanism (a prefix > like 'yoursystemname_username') to ensure that people aren't unwittingly or > deliberately trying to overwrite existing system user details. > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > > Matt, one problem I see: output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting > "$firstname $lastname" $password'); The code won't replace the variables (i.e., variables are not expanded) because they're contained within single quotes and will be evaluated literally: http://php.net/manual/en/language.types.string.php That said, as others have pointed out, be very, very careful with this type of functionality. Even just viewing the code makes me feel like I should smoke a cigarette to calm my nerves (and I've never been a smoker ;) Adam -- Nephtali: PHP web framework that functions beautifully http://nephtaliproject.com
|
Next
|
Last
Pages: 1 2 Prev: There has to be a better way!! Next: State, City, and Zip Code DEMO [WORKS] |