[thelist] UNIX SECURITY. . .
Daniel J. Cody
djc at starkmedia.com
Tue Feb 20 10:36:09 CST 2001
Hey Mark -

A system like Yahoo more than likely doesn't add new users to the actual
Unix system when they sign up for web space/email..

What probably happens is they have some very custom software that hooks
into a database for user information (username, passwd, etc) instead of a
classic Unix password file a la /etc/passwd whenever you connect to their
FTP servers, POP3 services, etc..

For your situation though, a nice idea might be to have the user
information written to a text file (better would be a DB) that's not owned
by anyone with root privs. The text file might have all relevant user
info in a pipe-delimited format for easy parsing..

What you could do then is have a root cron job run a script that checked
the text file, parsed out the good stuff (username, passwd), and added a
user to your system from there.

Because it would be the root user's cron job, it could do everything you
would want, but without any of the outside security problems that an
outside, world-executable CGI file might give..

Hope that helps a bit or gives you some ideas.. Shout if you have more
questions :)

.djc.

Mark Scalia wrote:
> Does anyone have any suggestions of a secure way of adding a user to a
> unix system from a web based form. I am wondering how sites like Yahoo,
> for instance, go about adding a user to their system to be able to offer such
> features as pop email and web space. I am guessing that their signup form
> triggers some program that adds a user without being root.
>
> I know that adduser takes root access and could be used in conjunction with
> "sudo", or some other program, but is that how large sites such as yahoo
> and others go about this?????
>
> I get extremely nervous with even the thought of giving a cgi script access
> to a root command . . .
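
The root cron job suggested in the reply above, written out as an added example (not code from the thread). It treats the queue file as untrusted input, because the web user can write anything into it. The two-field record format `username|crypt-hash`, the function names, the `APPLY` switch and the sample records are assumptions made for illustration, including the choice to have the CGI store a crypt(3) hash rather than the plaintext password.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed record format:
#   username|crypt-hash
# The web user can write anything into the queue, so root trusts none of it.
LC_ALL=C; export LC_ALL              # make [a-z] mean ASCII only

valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;   # a-z first, then a-z 0-9 _
    esac
    [ "${#1}" -le 16 ] || return 1
    ! id "$1" >/dev/null 2>&1        # refuse existing accounts (root, daemon, ...)
}

valid_hash() {                        # crypt(3) alphabet only: no ':' or newline
    case "$1" in
        ''|*[!A-Za-z0-9./\$]*) return 1 ;;
    esac
    [ "${#1}" -ge 13 ]
}

add_user() {                          # $1=user $2=hash; only reached when APPLY=1
    useradd -m "$1" &&
    printf '%s:%s\n' "$1" "$2" | chpasswd -e   # hash on stdin, not in argv
}

process_queue() {                     # records on stdin, one decision per line out
    n=0
    while IFS='|' read -r user hash extra; do
        n=$((n + 1))
        if [ -z "$extra" ] && valid_username "$user" && valid_hash "$hash"; then
            echo "ADD $user"
            if [ "${APPLY:-0}" = 1 ]; then add_user "$user" "$hash" </dev/null; fi
        else
            echo "REJECT line $n"     # never echo rejected input into root's log
        fi
    done
}

sample_queue() {                      # constructed test data, not real signups
    cat <<'EOF'
zq_signup1|$6$examplesalt$CONSTRUCTEDHASHVALUE0000
root|$6$examplesalt$CONSTRUCTEDHASHVALUE0000
bad;name|$6$examplesalt$CONSTRUCTEDHASHVALUE0000
zq_signup2|abc:def:ghi:jkl:mno
zq_signup3|$6$examplesalt$CONSTRUCTEDHASHVALUE0000|extra
EOF
}

sample_queue | process_queue          # dry run: prints decisions, changes nothing
```

In a real cron job, rename the queue file first and feed the renamed copy to `process_queue` with `APPLY=1`, so that signups appended while the job runs are picked up on the next pass rather than lost.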