What are the security risks using 'passwd' in shell scripts?
I was reading about shell scripting today and found a warning against using the 'passwd' command in an automated script. I don't understand how this would be a security risk, can someone please explain?
Interesting... One would assume the fact that you would have to apply a password
within the script that it could be a way of revealing passwords unnecessarily.
Another thing may be that you may create a script that has relaxed attributes allowing
someone to abuse the passwd command as an escalated user within the script using
clever parsing.
Original Poster
Re: passwd in scripts
Quote:
Originally posted by ginetta
Interesting... One would assume the fact that you would have to apply a password
within the script that it could be a way of revealing passwords unnecessarily.
I don't see how the script could reveal a password if I don't put it anywhere in the script (that would be an obvious security flaw as the script file is unencrypted). I simply send the command and wait for the user to type a new password. It should be just as secure as typing 'passwd' from the command prompt, right?
I did think about the permissions and I set it so that it can only be run by root.
To me this seems like a perfectly secure situation, but then again, I am a
Quote:
I simply send the command and wait for the user to type a new password.
What you suggest is common practice with many secure shell scripts. With that
I mean the calling of another program in a secure manner to carry out a function.
I have not read the article you mentioned therefore I cannot comment on its
content.
From what you describe, a simple call for passwd to interact with a user much in
the same way as if they were to initiate it themselves doesn't 'seem' to prove
insecure in itself.
Saying that, with the right set of circumstances "surrounding" the request for
that function within a script may prove to be hazardous to security. But then
that can be said of any function being misused. This would then be an issue with
the way the author of the script constructed it and not with passwd itself.
If passwd has a flaw in the way it executes from within a script then that is
something I am unaware of and a quick visit to any good security website would
answer that question for you.
I'd be interested to read this article you mentioned.
Just guessing here as the OP didn't include a reference to the material he/she was reading, but they're probably talking about silly things like piping the new password to passwd on stdin. A crafty attacker could get the password from the process list if you did something like that.
Original Poster
Hehe, okay, that's kind of what I figured... and yes, I realized it would be VERY silly to put the actual password in the script file!
I read this advice from a shell-scripting guide (the link to which I've now lost) but it wasn't even an article really, just a piece of advice stuck in against using 'passwd' in scripts with no evidence to back up the claim. Just thought I'd check with you guys to make sure I wasn't missing something silly!
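As an added example (not code from any post in this thread), the sh functions below audit a script for the three passwd patterns the posts distinguish: prompting interactively, a password written into the script file, and a password piped in non-interactively. The function names and the embedded sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# classify_passwd_line prints how one line of shell source feeds passwd/chpasswd:
#   literal      password text is written in the script and piped in
#   variable     a variable is piped in (non-interactive, not stored in the file)
#   interactive  passwd prompts on the terminal, as the original poster does
#   none         no passwd/chpasswd call, or the line is a comment
classify_passwd_line() {
    line=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//')
    case $line in \#*) echo none; return 0 ;; esac
    pipe_re='(echo|printf)[[:space:]].*\|[[:space:]]*(sudo[[:space:]]+)?(passwd|chpasswd)([[:space:]]|$)'
    if printf '%s\n' "$line" | grep -Eq "$pipe_re"; then
        if printf '%s\n' "$line" | grep -Eq '(echo|printf)[^|]*\$'; then
            echo variable
        else
            echo literal
        fi
    elif printf '%s\n' "$line" | grep -Eq '(^|[[:space:];&|])passwd([[:space:]]|$)'; then
        echo interactive
    else
        echo none
    fi
}
# Print one finding per passwd call; return non-zero if any call is fed by a pipe.
audit_script() {
    file=$1; n=0; piped=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        kind=$(classify_passwd_line "$l")
        case $kind in
            literal|variable) piped=$((piped + 1)); echo "$file:$n: $kind piped to passwd" ;;
            interactive) echo "$file:$n: interactive passwd" ;;
        esac
    done < "$file"
    [ "$piped" -eq 0 ]
}
# Constructed sample script, one line per pattern discussed in the thread.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
passwd "$1"
echo "alice:Winter2005" | chpasswd
echo "$NEWPW" | passwd --stdin "$2"
# echo secret | passwd --stdin bob
grep root /etc/passwd
EOF
}
# Audit the script named on the command line, if one was given.
if [ -n "${1:-}" ]; then audit_script "$1"; fi
```

Run it as `sh audit.sh path/to/script.sh` (the file name is an assumption); the exit status is non-zero when any passwd or chpasswd call is fed from a pipe.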