On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote:

> I am using php 5 on OpenBSD 4.7
> I have a script which takes a username and password from $_POST, and is
> supposed to add the user to the system database. The problem is, adduser
> creates a username with the same name as the group. The code is:
>                 $username=$_POST['username'];
>                 $password=$_POST['password'];
>                 $output=exec('/usr/bin/sudo adduser -unencrypted -batch
> $username hosting "$firstname $lastname" $password');
>                 echo "result: " . $result . " output: " .  $output;
> The output is:
>                  Added user ``hosting''
> I have validated that $username and $password contain the correct values
> from the form, by outputting them as well above the line which calls the
> adduser command.
> Any help is appreciated.
> Matt

I'm not entirely sure about the syntax you're using here, as it doesn't
quite match up with what I see on the useradd (which is what adduser
synonyms to) man page (type 'man useradd').

Aside from that, be very, very, very careful with this command. In your
example you've not sanitised the user input, and the useradd command is
used to update details as well as add new users, and you're running it
with root privileges under sudo. Maybe enforce some specific name
mechanism (a prefix like 'yoursystemname_username') to ensure that
people aren't unwittingly or deliberately trying to overwrite existing
system user details.
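An added example, not part of the original messages: one way to apply the advice above by validating the form values, enforcing a prefix, refusing existing accounts, and escaping every argument before the command reaches `sudo adduser`. The `web_` prefix, the validation patterns and both function names are assumptions for illustration. The `adduser` flags and the `hosting` group are taken from the quoted script.

```php
<?php
// Added example: HOSTING_PREFIX, the regexes and the function names are assumptions.
const HOSTING_PREFIX = 'web_';

function buildHostingUsername(string $raw): string
{
    // Allowlist: a lowercase letter first, then lowercase letters, digits or underscore.
    if (!preg_match('/\A[a-z][a-z0-9_]{2,15}\z/', $raw)) {
        throw new InvalidArgumentException('invalid username');
    }
    $name = HOSTING_PREFIX . $raw;
    // Refuse any name that already exists, so existing accounts are never modified.
    if (function_exists('posix_getpwnam') && posix_getpwnam($name) !== false) {
        throw new RuntimeException('account already exists');
    }
    return $name;
}

function buildAdduserCommand(string $rawUser, string $fullName, string $password): string
{
    $user = buildHostingUsername($rawUser);
    // The full name lands in the passwd gecos field: no ':' or ',' and no control characters.
    if (!preg_match('/\A[A-Za-z][A-Za-z .\'-]{0,62}\z/', $fullName)) {
        throw new InvalidArgumentException('invalid full name');
    }
    if ($password === '' || preg_match('/[\x00-\x1f\x7f]/', $password)) {
        throw new InvalidArgumentException('invalid password');
    }
    // escapeshellarg() quotes each value so the shell passes it as one literal argument.
    return '/usr/bin/sudo adduser -unencrypted -batch '
        . escapeshellarg($user) . ' hosting '
        . escapeshellarg($fullName) . ' '
        . escapeshellarg($password);
}

// Constructed sample input standing in for $_POST.
$post = ['username' => 'matt', 'password' => 'S3cret pass',
         'firstname' => 'Matt', 'lastname' => "O'Neil"];
try {
    $full = $post['firstname'] . ' ' . $post['lastname'];
    $cmd = buildAdduserCommand($post['username'], $full, $post['password']);
    echo $cmd, PHP_EOL;                          // real script: exec($cmd, $lines, $status);
    buildAdduserCommand('root; id', 'x', 'y');   // constructed hostile input, must be rejected
} catch (Exception $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Passing the password as a command-line argument still exposes it to other local users through the process list while the command runs.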

