[thelist] UNIX SECURITY. . .

Daniel J. Cody djc at starkmedia.com
Tue Feb 20 10:36:09 CST 2001


Hey Mark -

A system like yahoo more than likely doesn't add new users to the actual 
Unix system when they sign up for web space/email..

What probably happens is they have some very custom software that hooks 
into a database for user information(username, passwd, etc) instead of a 
classic unix password file ala /etc/passwd whenever you connect to their 
FTP servers, POP3 services, etc..

For your situation though, a nice idea might be to have the user 
information written to a text file (better would be a DB) that's not owned 
by anyone with root privs. The text file might have all relevant user 
info in a pipe-delimited format for easy parsing..

What you could do then is have a root cron job run a script that checked 
the text file, parsed out the good stuff(username, passwd), and added a 
user to your system from there.

Because it would be the root user's cron job, it could do everything you 
would want, but without any of the outside security problems that an 
outside, world executable CGI file might give..

Hope that helps a bit or gives you some ideas.. Shout if you have more 
questions :)

.djc.

Mark Scalia wrote:

> Does anyone have any suggestions of a secure way of adding a user to a
> unix system from a web based form.  I am wondering how sites like Yahoo,
> for instance, go about adding a user to their system in order to offer such
> features as pop email and web space.  I am guessing that their signup form
> triggers some program that adds a user without being root.
> 
> I know that adduser takes root access and could be used in conjunction with
> "sudo", or some other program, but is that how large sites such as yahoo
> and others go about this?????
> 
> I get extremely nervous with even the thought of giving a cgi script access
> to a root command . . .
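
The root cron job described in the reply above, sketched as an added example (not part of the original message or the poster's own code). It treats every line of the pipe-delimited file as untrusted input, since the web form's output ends up in a command run as root. Assumptions: the field layout `username|password_hash|full_name`, that the form stores a crypt-style hash rather than a plaintext password, the reserved-name list, and the `/usr/sbin/nologin` shell path.

```python
import re

# Assumed queue format, one request per line: username|password_hash|full_name
USERNAME = re.compile(r"[a-z][a-z0-9_-]{2,15}")        # must start with a letter
PW_HASH = re.compile(r"\$[0-9a-z]+\$[./A-Za-z0-9$]+")  # crypt(3)-style hash only
FULL_NAME = re.compile(r"[A-Za-z .'-]{1,64}")          # no ':' or ',' (passwd/GECOS separators)
RESERVED = {"root", "daemon", "bin", "sys", "nobody", "www", "admin"}

def parse_request(line):
    """Validate one queue line; return (user, pw_hash, name) or raise ValueError."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 3:
        raise ValueError("expected exactly 3 fields")
    user, pw_hash, name = fields
    # fullmatch, not match: trailing text or a stray newline must not slip through
    if not USERNAME.fullmatch(user) or user in RESERVED:
        raise ValueError("username not allowed")
    if not PW_HASH.fullmatch(pw_hash):
        raise ValueError("password field is not a crypt-style hash")
    if not FULL_NAME.fullmatch(name):
        raise ValueError("full name contains disallowed characters")
    return user, pw_hash, name

def useradd_argv(user, pw_hash, name):
    """Build an argv list (never a shell string); '--' ends option parsing."""
    return ["useradd", "-m", "-s", "/usr/sbin/nologin",
            "-c", name, "-p", pw_hash, "--", user]

def process_queue(lines):
    """Return (commands to run, rejected line numbers) for a batch of requests."""
    commands, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        try:
            commands.append(useradd_argv(*parse_request(line)))
        except ValueError:
            rejected.append(lineno)  # log and skip; never try to "repair" bad input
    return commands, rejected

# Constructed sample queue: one valid request, five that must be refused.
SAMPLE = ["alice|$6$saltsalt$abcDEF123./xyz|Alice Example",
          "root|$6$saltsalt$abcDEF123./xyz|Not Root",   # reserved account name
          "bob;id|$6$saltsalt$abcDEF123./xyz|Bob",      # shell metacharacter
          "carol|plaintextpw|Carol",                    # not a hash
          "dave|$6$saltsalt$abcDEF123./xyz|Dave:0:0",   # passwd field separator
          "erin|$6$saltsalt$abcDEF123./xyz|Erin|extra"] # wrong field count

if __name__ == "__main__":
    cmds, bad = process_queue(SAMPLE)
    for argv in cmds:
        print("would run:", argv)  # real job: subprocess.run(argv, check=True)
    print("rejected lines:", bad)
```

The queue file should be writable only by the web server's account and readable by root, and the job should empty it only after processing so a request is never applied twice.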




