A C wrapper running setuid root?
I guess there's less chance of getting a 'bad' username to execute arbitrary
commands, but at the same time I wonder about the possibility of exploiting
overflows, but that'd be much harder. (hmm, if the C program shells to
adduser anyway the same problem is there?)
I dunno, personally I don't like the idea of _anything_ needing root..
On Tuesday 15 October 2002 3:51 pm, Tim Monaghan wrote:
> Is it better to use a C wrapper to do this? That's what I've always done.
> Which is more secure?
> ----- Original Message -----
> From: "Shane Wright" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 15, 2002 9:36 AM
> Subject: Re: [PHP] Adding users to a linux system?
> You need to be root to add users - and your web server is most likely not
> running as root (certainly shouldn't be!!)
> To make this work, add the user apache runs under to /etc/sudoers (look at
> the sudo man page),
> then change the command you have to this...
> sudo /usr/sbin/adduser -g mel -d /dev/null -s /bin/false -p $pass $usuario
> That will use sudo to run adduser as root.
> btw - try to only allow sudo access for the apache user, and only to use
> the command adduser (e.g. NOT rm or anything else dangerous..)
> Also, make very sure that $pass and $usuario contain only alphanumeric
> characters; no backticks or quotes or anything.
> Hope that helps
> On Tuesday 15 October 2002 2:16 pm, :: wkwrz entertainment :: wrote:
> > $creador = "/usr/sbin/adduser -g mel -d /dev/null -s /bin/false -p $pass
> > $usuario";
> > $creador = exec($creador);
> > echo $creador;
> > I HAVE THIS, BUT IN THE APACHE LOG FILE I HAVE THIS:
> > adduser: unable to lock password file
> > What should I do to run the $creador successfully?
Public key: http://www.shanewright.co.uk/files/public_key.asc
PHP General Mailing List (http://www.php.net/)
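
On the C-wrapper question in the thread above, an added example (not code from any poster): a wrapper that validates both values and passes adduser a fixed argument vector through execve(), so no shell ever parses them. The character sets, length bounds and function names are assumptions of this example; the adduser path and flags are those of the quoted command.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LOWER "abcdefghijklmnopqrstuvwxyz"
#define UPPER "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
#define DIGIT "0123456789"

/* 1..32 chars, lowercase first, then [a-z0-9_]: no leading '-', no shell metacharacters. */
int valid_username(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32 || s[0] < 'a' || s[0] > 'z')
        return 0;
    return strspn(s, LOWER DIGIT "_") == n;
}

/* Value for -p: crypt(3) alphabet plus '$' only, 13..128 chars (assumed bounds). */
int valid_crypt_hash(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    return n >= 13 && n <= 128 && strspn(s, LOWER UPPER DIGIT "./$") == n;
}

/* Fill out[] with a fixed argument vector; returns -1 if either input is rejected. */
int build_adduser_argv(const char *user, const char *hash, const char *out[11])
{
    const char *fixed[] = { "/usr/sbin/adduser", "-g", "mel", "-d", "/dev/null",
                            "-s", "/bin/false", "-p" };
    if (!valid_username(user) || !valid_crypt_hash(hash))
        return -1;
    memcpy(out, fixed, sizeof fixed);   /* the 8 fixed entries of the thread's command */
    out[8] = hash; out[9] = user; out[10] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    const char *args[11];
    char *envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };  /* drop caller's env */
    if (argc != 3 || build_adduser_argv(argv[1], argv[2], args) != 0) {
        fputs("usage: wrapper <username> <crypt-hash>\n", stderr);
        return 2;
    }
    execve(args[0], (char *const *)args, envp);  /* no shell is involved */
    perror("execve");
    return 1;
}
```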