How easy would it be in your script to do something like "userid=root"? Think about the possibility of someone injecting code.
Are you passing this information somewhere in the URL or in one of the "hidden" variables? IMHO messing with /etc/passwd and /etc/shadow from the web is a no-no.

Diego.

On Tue, 21 Jan 2003, Ing. Bernardo Lopez wrote:

> How secure could my webserver be if I allow some PHP scripts to modify
> the files /etc/passwd & /etc/shadow (directly), but my script will only
> allow modifying the line of the logged-in user (like userid=visitor, then he
> can only see/modify visitor's line)??
>
> Is it secure if I enforce the security of the script strongly enough... or
> is this still a stupid option?
>
> Also, if I use that script only to modify the permissions of FTP users,
> is it still insecure? (If the ftpd runs with a very unprivileged uid?)
>
> Thanks in advance
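The concern raised in the reply, as an added example that is not part of the original thread: the account to edit is taken from the server-side session rather than from a URL or hidden form value, and every field is checked against a strict allow-list before a line is rebuilt. The function name, the minimum-UID policy and the sample data are assumptions; the code works on a passwd-format string and leaves aside whether a web process should have write access to the real files at all.

```php
<?php
// Added example (not from the thread). update_gecos(), MIN_EDITABLE_UID and
// the sample passwd text are assumptions made for illustration.

const MIN_EDITABLE_UID = 1000; // assumed policy: never touch system accounts

/**
 * Return passwd-format text with only $sessionUser's GECOS field changed.
 * $sessionUser must come from the authenticated server-side session,
 * never from a URL parameter or a hidden form field.
 */
function update_gecos(string $passwdText, string $sessionUser, string $newGecos): string
{
    // Allow-lists: a ':' or newline in a field would forge fields or whole lines.
    if (!preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $sessionUser)) {
        throw new InvalidArgumentException('bad user name');
    }
    if (!preg_match('/\A[A-Za-z0-9 .,_-]{0,64}\z/', $newGecos)) {
        throw new InvalidArgumentException('bad GECOS value');
    }
    $lines = explode("\n", rtrim($passwdText, "\n"));
    $found = false;
    foreach ($lines as $i => $line) {
        $f = explode(':', $line);
        if (count($f) !== 7 || $f[0] !== $sessionUser) {
            continue; // not the session user's line: leave it untouched
        }
        if ((int)$f[2] < MIN_EDITABLE_UID) {
            throw new RuntimeException('refusing to edit a system account');
        }
        $f[4] = $newGecos;
        $lines[$i] = implode(':', $f);
        $found = true;
    }
    if (!$found) {
        throw new RuntimeException('no such user');
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample data, not a real system file.
$sample = "root:x:0:0:root:/root:/bin/bash\n"
        . "visitor:x:1001:1001:Visitor:/home/visitor:/bin/sh\n";

$_REQUEST['userid'] = 'root'; // tampered request value: deliberately never read
$sessionUser = 'visitor';     // stands in for $_SESSION['user'] set at login
echo update_gecos($sample, $sessionUser, 'Visitor Two');
```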
