Personally, running a script directly from a website to add users is asking for security trouble.. I would have it write a "adduser" request to a file and then have a cron job parse that file everyt 5, 10 or 30 minutes or something looking for new users to add. This gets you around the SUID problem and also allows you to do some more sanity checks, etc... on the user being added.
Of course your script is checking to make sure that a webuser isn't submitting root, admin, nobody or any of the "system" names as a user, correct? On Tuesday 17 September 2002 19:55, tim tom wrote: > php4.2.3 apache mod > linux rh7.2 > ------------------- > > I am trying to add unix system account user via a simple php and shell > script <? > system("/usr/bin/add.sh timtom752002 timtom752002 /home/timtom752002",$r) > or die (" $r user creation fail"); > > print "success"; > ?> > > when i ran add.php on my browser, i get > 254 user creation fail > > I created my add.sh file in /usr/bin and I have setuid it: > -rwsr-xr-x 1 root devel 216 Sep 18 08:54 add.sh > > It looks like: > #!/bin/sh > > username=$1 > password=$2 > homedir=$3 > # create user > /usr/sbin/useradd -m -d $homedir $username > > > # change the password > ( > echo $password > sleep 1 > echo $password > sleep 1 > echo $password > )|passwd $username > > When I ran the add.sh from the command line, it works ok: > $ /usr/bin/add.sh nnnnn nnnnn /home/nnnnn > Changing password for user nnnnn > passwd: all authentication tokens updated successfully > (i tried login in with uid=nnnnn and passwd=nnnnn and it was ok) > > What's wrong with those scripts. It DOESN'T even create the user > timtom752002. Please help -- Henrik Hudson [EMAIL PROTECTED] Note: Beware of Dragons - Thou art crunchy and taste good with ketchup. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php