
Re: /usr/sbin/useradd lock password file issue ?



On Fri, Dec 05, 2003 at 02:56:48PM -0500, Jim Goh wrote:
> Hi,
> 
> I have a problem with /usr/sbin/useradd from Red Hat 9.0. I created an account
> registration website and then call a script that has the following part:
> 
> system("/usr/sbin/useradd -c\"$fullname\" -d$HOME/$emailadd -g$GROUP -m -
> k$SKEL -s$SHELL -p$encpass $emailadd");
> 
> All the variables are read from user input; after the user submits, it should
> create an account on my machine. But it does not work. Here is the error from
> the apache http error log:
> 
> [Fri Dec 05 10:02:40 2003] [error] [client xxx.xx.xxx.xx] useradd: unable
> to lock password file, referer: to your script.
> 
> How do I fix the lock password file?
> 
> thanks!
> 
> Jim

You have deeper concerns than that.  I gather this is a Perl/CGI
script.  It is running as the apache user (a mere mortal) and so does
not have privileges to add users.  You could deal with this by using
"sudo" ("man sudo" and "man sudoers") to allow apache to do a "root"
thing by adding apache to /etc/sudoers and adding the NOPASSWD option,
or by building a setuid-root program to do the dirty work.

But (everyone else, cover your ears) THIS IS VERY DANGEROUS!  You
_must_ taint-check all variables passed to the useradd program.
Otherwise someone with sufficient knowledge could enter into, say, the
$fullname field, "Larson E. Pettifogger -o -u 0" and give himself a
login with root privileges.  You must screen out anything but
alpha-numerics, spaces, periods and commas, and for some fields, that
is too much.

I don't know what the ops concept behind this is, but consider safer
alternatives, such as Webmin.

http://www.webmin.com/

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
robertmcclure earthlink net  http://www.bobcatos.com
Born in a manger, now preparing for us a mansion.
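
The taint-checking advice in the reply above, sketched as an added example (not code from either poster): each form field is matched against an allow-list pattern under Perl's taint mode, and useradd is invoked as an argument list so no shell parses the values. The sudo path, the /home base directory, the length limits and the patterns for emailadd and encpass are assumptions; the sample submissions are constructed.

```perl
#!/usr/bin/perl -T
# Added example: allow-list validation plus a shell-free useradd call.
use strict;
use warnings;

$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';      # taint mode rejects an inherited PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allow-list patterns; only the capture of a successful match is untainted.
# \A...\z anchors the whole value, so a trailing newline cannot slip through.
my %RULES = (
    fullname => qr/\A([A-Za-z0-9][A-Za-z0-9 .,]{0,63})\z/,  # the reply's character set
    emailadd => qr/\A([a-z][a-z0-9_]{0,30})\z/,              # assumed login-name rule
    encpass  => qr/\A([A-Za-z0-9.\/\$]{13,128})\z/,          # crypt(3) output alphabet
);

sub clean {
    my ($field, $value) = @_;
    my $re = $RULES{$field} or die "no rule for $field\n";
    return defined $value && $value =~ $re ? $1 : undef;
}

# Returns the argument vector to execute, or an empty list if any field fails.
sub useradd_argv {
    my (%in) = @_;
    my %ok;
    for my $f (sort keys %RULES) {
        $ok{$f} = clean($f, $in{$f});
        return unless defined $ok{$f};
    }
    return ('/usr/bin/sudo', '-n', '/usr/sbin/useradd',   # -n: fail, never prompt
            '-c', $ok{fullname}, '-d', "/home/$ok{emailadd}", '-m',
            '-p', $ok{encpass}, '--', $ok{emailadd});     # '--' ends option parsing
}

# Constructed sample submissions; the second uses the string quoted in the reply.
my $hash = '$1$Zk3pQ9xA$0123456789abcdefghijkl';
my @samples = (
    { fullname => 'Larson E. Pettifogger',         emailadd => 'lpettifogger', encpass => $hash },
    { fullname => 'Larson E. Pettifogger -o -u 0', emailadd => 'lpettifogger', encpass => $hash },
);
for my $s (@samples) {
    my @argv = useradd_argv(%$s);
    print @argv ? "RUN: @argv\n" : "REJECTED: $s->{fullname}\n";
    # In the real CGI: system { $argv[0] } @argv;   # list form, no /bin/sh involved
}
```

Run it with `perl -T`; the first submission prints the argument vector and the second is rejected because `-` is outside the fullname allow-list.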



