Add user to linux via web page - php
I am looking to add a user via a web page with the following code. Can anyone give me some example PHP code to add a user to a Linux system? Example bash script below.
Code:
#!/bin/bash
Not securely.
The problem can be done... depending on the system (and configuration) you are using. RH/Fedora isolate the web server even more for security purposes, and adding users to the system is one of the problems. Using the web for this is not secure (too many easy things that could go wrong and leave your system wide open). It can be done... but there is a significant difficulty in changing from the apache account (and limited privileges) to a higher privilege (root) to be allowed to add the user. All CGI scripts run as the apache user, and any switching to root will be granted to any use of the apache UID, so all web pages suddenly become vulnerable to attack. To do it, you have to configure sudo to allow the apache UID to use it without a password (if a password is still used, then apache has to have the password in plaintext...). After that, the PHP code only has to collect the information, then invoke sudo to pass the parameters. All in all - possible. But not securely.
what I want to do is
1) have the user change their password, but I want to use Linux "/dev/urandom" to generate it and change it with no interaction from me or a helpdesk ticket
Are they using a login via ssh?
Or is it just a browser login?
password change
Quote:
Well, they could log in via ssh or sftp, so I want them to change their own password, i.e. 1) they forgot their password, then they can make a request to change it, get a webpage link, click on it and change their password without any interaction from me, and it will delete it and get the password from "/dev/urandom", set it and display it back to them securely, but I also want it logged somewhere, or maybe some kind of approval, maybe from help desk
Quote:
So how are you going to authenticate the web page? And you do get the irony of "display it back to them securely", right? A displayed password is not a secure password. And practice shows that random passwords will get written down. Also, if you have a number of remote users, why not use Kerberos? Then you can specifically authorize the user support personnel with the ability to change passwords. You also get the advantage that no passwords ever cross the network (other than when specifically changing the password - and that only happens between the user/help desk and the KDC).
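Added example, not part of any post in this thread: the sudo route discussed above, narrowed so the apache UID can run only one root-owned wrapper that validates its single argument, generates the password from /dev/urandom and logs the reset. The wrapper path, the sudoers rule and the MIN_UID cutoff are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Hypothetical install path:
#   /usr/local/sbin/web-pwreset  (root:root, mode 0755)
# Assumed sudoers rule, limited to this one command instead of general root:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/web-pwreset
LC_ALL=C; export LC_ALL
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
MIN_UID=1000   # assumption: ordinary accounts start here, lower UIDs are system accounts

# Accept only conservative login names: no leading "-" (option injection),
# no ":" or newline (chpasswd record injection), no shell metacharacters.
valid_username() {
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    case $1 in
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# Print $1 (default 20) alphanumeric characters taken from /dev/urandom.
# tr discards bytes outside the set, so every kept character is equally likely.
gen_password() (
    len=${1:-20}
    pw=
    while [ "${#pw}" -lt "$len" ]; do
        pw=$pw$(head -c 64 /dev/urandom | tr -dc 'A-Za-z0-9')
    done
    printf '%s\n' "$pw" | cut -c "1-$len"
)

main() {
    [ "$#" -eq 1 ] || { echo "usage: web-pwreset USER" >&2; return 64; }
    valid_username "$1" || { echo "rejected username" >&2; return 65; }
    uid=$(id -u "$1" 2>/dev/null) || { echo "no such user" >&2; return 67; }
    [ "$uid" -ge "$MIN_UID" ] || { echo "refusing system account" >&2; return 77; }
    pw=$(gen_password 20)
    printf '%s:%s\n' "$1" "$pw" | chpasswd || return 1
    # Audit trail: sudo sets SUDO_USER to the account that invoked the wrapper.
    logger -p auth.notice -t web-pwreset "password reset for $1 by ${SUDO_USER:-unknown}"
    printf '%s\n' "$pw"
}

# Run only when installed under the expected name, so the functions can be
# sourced and tested without touching any account.
case ${0##*/} in
    web-pwreset) main "$@"; exit ;;
esac
```

The wrapper does not decide who may request a reset; authenticating the web request and any help desk approval, both raised in the thread, still have to happen before it is called.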