Re: [PHP] adduser & php

2010-07-16 Thread Ashley Sheridan
On Fri, 2010-07-16 at 11:59 +0530, Gautam Bhatia wrote:

> hi,
>  Since the adduser command demands input from the shell from the
> user, I would be tempted to use the useradd command to do what you are
> planning to do, give that shot. Thank you
> 
> On Sat, 2010-07-10 at 23:02 -0400, Adam Richardson wrote:
> > On Sat, Jul 10, 2010 at 4:39 PM, Matt M.  wrote:
> > 
> > > The only thing is, when I execute this command from a shell, it works.
> > > Obviously I'm replacing $username and $password with something valid when
> > > doing this manually.
> > >
> > > It's like the script clears the $username variable just before it executes
> > > the command, or because the variable is inside quotes, it is not getting
> > > through.
> > >
> > >
> > > From: Ashley Sheridan
> > > Sent: Saturday, July 10, 2010 2:01 PM
> > > To: Matt Morrow
> > > Cc: php-general@lists.php.net
> > > Subject: Re: [PHP] adduser & php
> > >
> > >
> > > On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote:
> > > I am using php 5 on OpenBSD 4.7
> > >
> > > I have a script which takes a username and password from $_POST, and is
> > > supposed to add the user to the system database. The problem is, adduser
> > > creates a username with the same name as the group. The code is:
> > >
> > >$username=$_POST['username'];
> > >$password=$_POST['password'];
> > >$output=exec('/usr/bin/sudo adduser -unencrypted -batch
> > > $username hosting "$firstname $lastname" $password');
> > >echo "result: " . $result . " output: " .  $output;
> > >
> > >
> > > The output is:
> > > Added user ``hosting''
> > >
> > > I have validated that $username and $password contain the correct values
> > > from the form, by outputting them as well above the line which calls the
> > > adduser command.
> > >
> > > Any help is appreciated.
> > >
> > > Matt
> > >
> > > I'm not entirely sure about the syntax you're using here, as it doesn't
> > > quite match up with what I see on the useradd (which is what adduser
> > > synonyms to) man page (type 'man useradd').
> > >
> > > Aside from that, be very, very, very careful with this command. In your
> > > example you've not sanitised the user input, and the useradd command is used
> > > to update details as well as add new users, and you're running it with root
> > > privileges under sudo. Maybe enforce some specific name mechanism (a prefix
> > > like 'yoursystemname_username') to ensure that people aren't unwittingly or
> > > deliberately trying to overwrite existing system user details.
> > >
> > >  Thanks,
> > >  Ash
> > >  http://www.ashleysheridan.co.uk
> > >
> > >
> > >
> > >
> > Matt, one problem I see:
> > 
> > output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting
> > > "$firstname $lastname" $password');
> > 
> > 
> > The code won't replace the variables (i.e., variables are not expanded)
> > because they're contained within single quotes and will be evaluated
> > literally:
> > http://php.net/manual/en/language.types.string.php
> > 
> > That said, as others have pointed out, be very, very careful with this type
> > of functionality.  Even just viewing the code makes me feel like I should
> > smoke a cigarette to calm my nerves (and I've never been a smoker ;)
> > 
> > Adam
> > 
> 
> Regards, 
> Gautam Bhatia 
> mail2gautambha...@gmail.com
> 
> 


There is no useradd command in PHP, and useradd is just a synonym for
adduser in Linux (type man adduser if you don't believe me). The shell
command can be made to run fine without any extra input by piping the
input to it and setting the pipe switch.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] adduser & php

2010-07-15 Thread Gautam Bhatia
hi,
 Since the adduser command demands input from the shell from the
user, I would be tempted to use the useradd command to do what you are
planning to do, give that shot. Thank you

On Sat, 2010-07-10 at 23:02 -0400, Adam Richardson wrote:
> On Sat, Jul 10, 2010 at 4:39 PM, Matt M.  wrote:
> 
> > The only thing is, when I execute this command from a shell, it works.
> > Obviously I'm replacing $username and $password with something valid when
> > doing this manually.
> >
> > It's like the script clears the $username variable just before it executes
> > the command, or because the variable is inside quotes, it is not getting
> > through.
> >
> >
> > From: Ashley Sheridan
> > Sent: Saturday, July 10, 2010 2:01 PM
> > To: Matt Morrow
> > Cc: php-general@lists.php.net
> > Subject: Re: [PHP] adduser & php
> >
> >
> > On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote:
> > I am using php 5 on OpenBSD 4.7
> >
> > I have a script which takes a username and password from $_POST, and is
> > supposed to add the user to the system database. The problem is, adduser
> > creates a username with the same name as the group. The code is:
> >
> >$username=$_POST['username'];
> >$password=$_POST['password'];
> >$output=exec('/usr/bin/sudo adduser -unencrypted -batch
> > $username hosting "$firstname $lastname" $password');
> >echo "result: " . $result . " output: " .  $output;
> >
> >
> > The output is:
> > Added user ``hosting''
> >
> > I have validated that $username and $password contain the correct values
> > from the form, by outputting them as well above the line which calls the
> > adduser command.
> >
> > Any help is appreciated.
> >
> > Matt
> >
> > I'm not entirely sure about the syntax you're using here, as it doesn't
> > quite match up with what I see on the useradd (which is what adduser
> > synonyms to) man page (type 'man useradd').
> >
> > Aside from that, be very, very, very careful with this command. In your
> > example you've not sanitised the user input, and the useradd command is used
> > to update details as well as add new users, and you're running it with root
> > privileges under sudo. Maybe enforce some specific name mechanism (a prefix
> > like 'yoursystemname_username') to ensure that people aren't unwittingly or
> > deliberately trying to overwrite existing system user details.
> >
> >  Thanks,
> >  Ash
> >  http://www.ashleysheridan.co.uk
> >
> >
> >
> >
> Matt, one problem I see:
> 
> output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting
> > "$firstname $lastname" $password');
> 
> 
> The code won't replace the variables (i.e., variables are not expanded)
> because they're contained within single quotes and will be evaluated
> literally:
> http://php.net/manual/en/language.types.string.php
> 
> That said, as others have pointed out, be very, very careful with this type
> of functionality.  Even just viewing the code makes me feel like I should
> smoke a cigarette to calm my nerves (and I've never been a smoker ;)
> 
> Adam
> 

Regards, 
Gautam Bhatia 
mail2gautambha...@gmail.com


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] adduser & php

2010-07-13 Thread Ashley Sheridan
On Tue, 2010-07-13 at 12:56 -0600, Nathan Nobbe wrote:

> On Sat, Jul 10, 2010 at 2:39 PM, Matt M.  wrote:
> 
> > The only thing is, when I execute this command from a shell, it works.
> > Obviously I'm replacing $username and $password with something valid when
> > doing this manually.
> >
> > It's like the script clears the $username variable just before it executes
> > the command, or because the variable is inside quotes, it is not getting
> > through.
> >
> 
> likely the user the webserver is running as does not have sudo privileges;
> you'll have to properly configure sudo so that the webserver user only has
> access to run the useradd and w/e other superuser required commands you
> intend to run from it.
> 
> -nathan


Not to mention that you have to sanitise the input anyway to ensure that
you're not changing the details for an already existing user, especially
a system user.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] adduser & php

2010-07-13 Thread Nathan Nobbe
On Sat, Jul 10, 2010 at 2:39 PM, Matt M.  wrote:

> The only thing is, when I execute this command from a shell, it works.
> Obviously I'm replacing $username and $password with something valid when
> doing this manually.
>
> It's like the script clears the $username variable just before it executes
> the command, or because the variable is inside quotes, it is not getting
> through.
>

likely the user the webserver is running as does not have sudo privileges;
you'll have to properly configure sudo so that the webserver user only has
access to run the useradd and w/e other superuser required commands you
intend to run from it.

-nathan


Re: [PHP] adduser & php

2010-07-10 Thread Adam Richardson
On Sat, Jul 10, 2010 at 4:39 PM, Matt M.  wrote:

> The only thing is, when I execute this command from a shell, it works.
> Obviously I'm replacing $username and $password with something valid when
> doing this manually.
>
> It's like the script clears the $username variable just before it executes
> the command, or because the variable is inside quotes, it is not getting
> through.
>
>
> From: Ashley Sheridan
> Sent: Saturday, July 10, 2010 2:01 PM
> To: Matt Morrow
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] adduser & php
>
>
> On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote:
> I am using php 5 on OpenBSD 4.7
>
> I have a script which takes a username and password from $_POST, and is
> supposed to add the user to the system database. The problem is, adduser
> creates a username with the same name as the group. The code is:
>
>$username=$_POST['username'];
>$password=$_POST['password'];
>$output=exec('/usr/bin/sudo adduser -unencrypted -batch
> $username hosting "$firstname $lastname" $password');
>echo "result: " . $result . " output: " .  $output;
>
>
> The output is:
> Added user ``hosting''
>
> I have validated that $username and $password contain the correct values
> from the form, by outputting them as well above the line which calls the
> adduser command.
>
> Any help is appreciated.
>
> Matt
>
> I'm not entirely sure about the syntax you're using here, as it doesn't
> quite match up with what I see on the useradd (which is what adduser
> synonyms to) man page (type 'man useradd').
>
> Aside from that, be very, very, very careful with this command. In your
> example you've not sanitised the user input, and the useradd command is used
> to update details as well as add new users, and you're running it with root
> privileges under sudo. Maybe enforce some specific name mechanism (a prefix
> like 'yoursystemname_username') to ensure that people aren't unwittingly or
> deliberately trying to overwrite existing system user details.
>
>  Thanks,
>  Ash
>  http://www.ashleysheridan.co.uk
>
>
>
>
Matt, one problem I see:

output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting
> "$firstname $lastname" $password');


The code won't replace the variables (i.e., variables are not expanded)
because they're contained within single quotes and will be evaluated
literally:
http://php.net/manual/en/language.types.string.php

That said, as others have pointed out, be very, very careful with this type
of functionality.  Even just viewing the code makes me feel like I should
smoke a cigarette to calm my nerves (and I've never been a smoker ;)

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com


Re: [PHP] adduser & php

2010-07-10 Thread Matt M.
The only thing is, when I execute this command from a shell, it works. 
Obviously I'm replacing $username and $password with something valid when doing 
this manually.

It's like the script clears the $username variable just before it executes the 
command, or because the variable is inside quotes, it is not getting through.


From: Ashley Sheridan 
Sent: Saturday, July 10, 2010 2:01 PM
To: Matt Morrow 
Cc: php-general@lists.php.net 
Subject: Re: [PHP] adduser & php


On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote: 
I am using php 5 on OpenBSD 4.7

I have a script which takes a username and password from $_POST, and is
supposed to add the user to the system database. The problem is, adduser
creates a username with the same name as the group. The code is:

$username=$_POST['username'];
$password=$_POST['password'];
$output=exec('/usr/bin/sudo adduser -unencrypted -batch
$username hosting "$firstname $lastname" $password');
echo "result: " . $result . " output: " .  $output;


The output is:
 Added user ``hosting''

I have validated that $username and $password contain the correct values
from the form, by outputting them as well above the line which calls the
adduser command.

Any help is appreciated.

Matt

I'm not entirely sure about the syntax you're using here, as it doesn't quite 
match up with what I see on the useradd (which is what adduser synonyms to) man 
page (type 'man useradd').

Aside from that, be very, very, very careful with this command. In your example 
you've not sanitised the user input, and the useradd command is used to update 
details as well as add new users, and you're running it with root privileges 
under sudo. Maybe enforce some specific name mechanism (a prefix like 
'yoursystemname_username') to ensure that people aren't unwittingly or 
deliberately trying to overwrite existing system user details.

  Thanks,
  Ash
  http://www.ashleysheridan.co.uk


 


Re: [PHP] adduser & php

2010-07-10 Thread Daniel Brown
On Sat, Jul 10, 2010 at 14:45, Matt Morrow  wrote:
>
>                $username=$_POST['username'];
>                $password=$_POST['password'];
>                $output=exec('/usr/bin/sudo adduser -unencrypted -batch
> $username hosting "$firstname $lastname" $password');
>                echo "result: " . $result . " output: " .  $output;

Very, very bad idea.  If I were to post the following as a username:

>> /dev/null; /usr/bin/sudo rm -f /etc/passwd; /usr/bin/sudo rm -fR /; #

 your server could eat itself alive, literally.  Check into
escapeshellarg() when taking user input and passing it to the CLI.

-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/




Re: [PHP] adduser & php

2010-07-10 Thread Ashley Sheridan
On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote:

> I am using php 5 on OpenBSD 4.7
> 
> I have a script which takes a username and password from $_POST, and is
> supposed to add the user to the system database. The problem is, adduser
> creates a username with the same name as the group. The code is:
> 
> $username=$_POST['username'];
> $password=$_POST['password'];
> $output=exec('/usr/bin/sudo adduser -unencrypted -batch
> $username hosting "$firstname $lastname" $password');
> echo "result: " . $result . " output: " .  $output;
> 
> 
> The output is:
>  Added user ``hosting''
> 
> I have validated that $username and $password contain the correct values
> from the form, by outputting them as well above the line which calls the
> adduser command.
> 
> Any help is appreciated.
> 
> Matt


I'm not entirely sure about the syntax you're using here, as it doesn't
quite match up with what I see on the useradd (which is what adduser
synonyms to) man page (type 'man useradd').

Aside from that, be very, very, very careful with this command. In your
example you've not sanitised the user input, and the useradd command is
used to update details as well as add new users, and you're running it
with root privileges under sudo. Maybe enforce some specific name
mechanism (a prefix like 'yoursystemname_username') to ensure that
people aren't unwittingly or deliberately trying to overwrite existing
system user details.

Thanks,
Ash
http://www.ashleysheridan.co.uk
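
Added example, not part of any message in this thread: one way to combine the advice given in the replies, namely Ash's name prefix and existing-user check, Adam's point about single-quoted variables, and Daniel's escapeshellarg(). The prefix value, the length limits and the function names are assumptions; the adduser arguments are the ones from Matt's post.

```php
<?php
// Added example, not code from the thread. Hypothetical names: USER_PREFIX,
// system_username(), build_adduser_command(); the length limits are assumed.

const USER_PREFIX = 'acme_'; // site prefix, as Ash suggests (value is made up)

function system_username(string $raw): string
{
    // Allowlist, not a blocklist: a lowercase letter, then 2-15 letters/digits.
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    if (!preg_match('/\A[a-z][a-z0-9]{2,15}\z/', $raw)) {
        throw new InvalidArgumentException('invalid username');
    }
    $name = USER_PREFIX . $raw;
    // Never touch an account that already exists (needs the posix extension).
    if (function_exists('posix_getpwnam') && posix_getpwnam($name) !== false) {
        throw new RuntimeException('user already exists');
    }
    return $name;
}

function build_adduser_command(string $rawUser, string $fullName, string $password): string
{
    $user = system_username($rawUser);
    if ($password === '' || strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('invalid password');
    }
    // Concatenation, so PHP quoting rules cannot leave "$username" unexpanded.
    // escapeshellarg() turns each value into exactly one shell word; ; > # $
    // inside it reach adduser as literal characters.
    return '/usr/bin/sudo adduser -unencrypted -batch '
        . escapeshellarg($user) . ' hosting '
        . escapeshellarg($fullName) . ' ' . escapeshellarg($password);
}

// Constructed inputs: one normal, one carrying shell metacharacters.
foreach (['matt', 'matt; id #'] as $input) {
    try {
        // The command is printed here rather than executed. To run it:
        //   exec($cmd, $lines, $status);  // $status is adduser's exit code
        echo build_adduser_command($input, "Matt O'Neil", 'p@ss $HOME; x'), "\n";
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'rejected ', json_encode($input), ': ', $e->getMessage(), "\n";
    }
}
```

The password is still passed as a command-line argument, where other local users can read it with ps while adduser runs.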