Add user to linux via web page

slufoot80 · 03-25-2013, 10:14 AM

I am looking to add user via web page with the following code can anyone give me some example php code to add a user to a linux system, example bash script below

Code:

#!/bin/bash 
clear
# Script to add a user to this Linux system
if [ $(id -u) -eq 0 ]; then                                     # check if user is root
        read -p "Enter User Name : " username

        while [ -z $username ]|| egrep "^$username" /etc/passwd  1>/dev/null;
        do
        echo -ne "Either user exists or you entered a blank, enter username again: ";read -e  username
        done

        password=`</dev/urandom tr -dc A-Za-z0-9 | head -c8`

        echo -ne "\nPlease Enter your User ID Number: ";read -ern5 uid
        while [[ ! $uid =~ ^[0-9]+$ ]]||egrep $uid /etc/passwd >/dev/null; do
        echo -ne "Please re-enter your uid positive intergers only: ";read -ern5 uid
        done

        read -p "Enter a Comment : " comment
        commentstatic="Internal SFTP Account"

        read -p "Enter Users Home Directory : " homedir
        while [ ! -d "$homedir" ];
        do
        echo -ne "\n$homedir Directory Not Found! Please re-enter: "; read homedir
        done        

pass=$(perl -e 'print crypt($ARGV[0], "password")' $password) # passing the password entered
echo ""
        shell=/bin/bash                                                 # case statment for shell selection.
        useradd -u $uid -p $pass -c "$comment $commentstatic" -d $homedir -s $shell $username

        echo "Setting security on users home directory"
        chown $username:ftp $homedir                                    # security settings for both shells
        chmod 775 $homedir
        echo -e "$username" '\t' "$homedir" >> /etc/security/chroot.conf

clear
echo -e "\n\tThis users login details is as follows: \n"
echo -e "\n\tUsername is: $username \n"
echo -e "\tPassword is: $password \n"
echo -e "\tUser's ID Number is: $uid \n"
echo -e "\tComment is: $comment $commentstatic \n"
echo -e "\tUsers Home Directory is: $homedir \n"
echo -e "\tUsers Shell is: $shell \n"
fi
STOPM=`date -u "+%s"`
RUNTIMEM=`expr $STOPM - $STARTM`
if (($RUNTIMEM>59)); then
TTIMEM=`printf "%dm%ds\n" $((RUNTIMEM/60%60)) $((RUNTIMEM%60))`
else
TTIMEM=`printf "%ds\n" $((RUNTIMEM))`
fi
echo -e "\tExecuting "script function" took: $TTIMEM\n"

jpollard · 03-25-2013, 11:22 AM

Not securely.

The problem can be done... depending on the system (and configuration) you are using.

RH/Fedora isolate the web server even more for security purposes, and adding users to the system is one of the problems.

Using the web for this is not secure (too many easy things that could go wrong and leave your system wide open).

It can be done... but there is a significant difficulty in changing from the apache account (and limited privileges) to a higher privilege (root) to be allowed to add the user. All CGI scripts run as the apache user, and any switching to root will be granted to any use of the apache UID, so all web pages suddenly become vulnerable to attack.

To do it, you have to configure sudo to allow the apache UID to use it without a password (if if a password still used, then apache has to have the password in plaintext...). After that, the php code only has to collect the information, then invoke sudo to pass the parameters.

All in all - possible. But not securely.

slufoot80 · 03-25-2013, 12:59 PM

what I want to do is

1) have the user change their password but I want to use a linux "/dev/urandom" to generate it and change it with no interaction from me or helpdesk ticket

jpollard · 03-25-2013, 01:09 PM

Are they using a login via ssh?
Or is it just a browser login?

slufoot80 · 03-25-2013, 01:18 PM

Quote:

Originally Posted by jpollard

Are they using a login via ssh?
Or is it just a browser login?

Well they could login via ssh or sftp so I want for them to change their own password, i.e.

1) they forgot their password then they can make request to change it, get a webpage link, click on it and change their password without any interaction from me and it will delete it and and get the password from "/dev/urandom" set it and display it back to them securely but also I want it logged somewhere or maybe somekind of approval maybe from help desk

jpollard · 03-25-2013, 02:13 PM

Quote:

Originally Posted by slufoot80

Well they could login via ssh or sftp so I want for them to change their own password, i.e.

1) they forgot their password then they can make request to change it, get a webpage link, click on it and change their password without any interaction from me and it will delete it and and get the password from "/dev/urandom" set it and display it back to them securely but also I want it logged somewhere or maybe somekind of approval maybe from help desk

If approval from help desk is required (not unreasonable), then why use a web page other than to generate a random string?

So how are you going to authenticate the web page? And you do get the irony of "display it back to them securely" right? A displayed password is not a secure password.

And practice shows that random passwords will get written down.

Also, if you have a number of remote users why not use kerberos? - Then you can specifically authorize the user support personnel with the ability to change passwords. You also get the advantage that no passwords ever cross the network (other than when specifically changing the password - and that only happens between the user/help desk and the KDC).