Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
04-07-2005, 11:18 PM
|
#1
|
|
Member
Registered: Nov 2004
Distribution: FC3 dualboot with XP on my main machine, Slackware 9 on my POS ;)
Posts: 30
Rep:
|
what are the security risks using 'passwd' in shell scripts?
i was reading about shell scripting today and found a warning against using the 'passwd' command in an automated script. i don't understand how this would be a security risk, can someone please explain?
|
|
|
|
04-08-2005, 12:29 AM
|
#2
|
|
LQ Newbie
Registered: Nov 2004
Location: Canada
Posts: 28
Rep:
|
passwd in scripts
Interesting... One would assume the fact that you would have to apply a password
within the script that it could be a way of revealing passwords unnecessarily.
Another thing may be that you may create a script that has relaxed attributes allowing
someone to abuse the passwd command as an escalated user within the script using
clever parsing.
|
|
|
|
04-08-2005, 01:26 AM
|
#3
|
|
Member
Registered: Nov 2004
Distribution: FC3 dualboot with XP on my main machine, Slackware 9 on my POS ;)
Posts: 30
Original Poster
Rep:
|
Re: passwd in scripts
Quote:
Originally posted by ginetta
Interesting... One would assume the fact that you would have to apply a password
within the script that it could be a way of revealing passwords unnecessarily.
|
i don't see how the script could reveal a password if i don't put it anywhere in the script (that would be an obvious security flaw as the script file is unencrypted). i simply send the command and wait for the user to type a new password. it should be just as secure as typing 'passwd' from the command prompt, right?
i did think about the permissions and i set it so that it can only be run by root.
to me this seems like a perfectly secure situation, but then again, i am a 
|
|
|
|
04-08-2005, 12:09 PM
|
#4
|
|
LQ Newbie
Registered: Nov 2004
Location: Canada
Posts: 28
Rep:
|
passwd...
Quote:
i simply send the command and wait for the user to type a new password.
What you suggest is common practice with many secure shell scripts. With that
I mean the calling of another program in a secure manner to carry out a function.
I have not read the article you mentioned therefore I cannot comment on its
content.
From what you describe, a simple call for passwd to interact with a user much in
the same way as if they were to initiate it themselves doesn't 'seem' to prove
insecure in itself.
Saying that, with the right set of circumstances "surrounding" the request for
that function within a script may prove to be hazardous to security. But then
that can be said of any function being misused. This would then be an issue with
the way the author of the script constructed it and not with passwd itself.
If passwd has a flaw in the way it executes from within a script then that is
something I am unaware of and a quick visit to any good security website would
answer that question for you.
I'd be interested to read this article you mentioned.
G
|
|
|
|
04-08-2005, 02:48 PM
|
#5
|
|
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
Rep:
|
Just guessing here as the OP didn't include a reference to the material he/she was reading, but they're probably talking about silly things like piping the new password to passwd on stdin. A crafty attacker could get the password from the process list if you did something like that.
|
|
|
|
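Added example, not part of any post in this thread: the process list shows each process's command-line arguments, so this sketch compares a password handed to a child as an argument with the same password fed to it on stdin. The sample password, the stand-in child and the function names are constructed for illustration, and a Linux /proc is assumed.

```shell
#!/bin/sh
SECRET='Constructed-Sample-Pw-1'   # constructed sample value, not a real credential

# Argument vector of PID as any local user sees it through ps or
# /proc/PID/cmdline (NUL-separated; readable by all users on a default Linux /proc).
cmdline_of() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
}

# Return 0 if SECRET appears in PID's argv within about one second.
# Polling covers the short window between fork and exec of the child.
secret_visible() {
    pid=$1; tries=10
    while [ "$tries" -gt 0 ]; do
        case "$(cmdline_of "$pid")" in *"$SECRET"*) return 0 ;; esac
        sleep 0.1
        tries=$((tries - 1))
    done
    return 1
}

# Stop the stand-in child once it has been inspected.
reap() { kill "$1" 2>/dev/null || :; wait "$1" 2>/dev/null || :; }

# Weak pattern: the password is handed to a child process as an argument.
# The inline sh program is a hypothetical stand-in for a password-setting tool.
argv_exposes_secret() {
    sh -c 'sleep 2; exit 0' stand-in-tool "$SECRET" >/dev/null 2>&1 &
    child=$!; rc=0
    secret_visible "$child" || rc=$?
    reap "$child"
    return "$rc"
}

# Safer pattern: the child reads the same secret on stdin from a 0600 temp file.
# printf is a shell builtin here, so the value never enters any argv.
stdin_exposes_secret() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SECRET" > "$tmp"
    sh -c 'read -r pw; sleep 2; exit 0' stand-in-tool < "$tmp" >/dev/null 2>&1 &
    child=$!; rc=0
    secret_visible "$child" || rc=$?
    reap "$child"; rm -f "$tmp"
    return "$rc"
}

argv_exposes_secret  && echo "argv:  secret visible in the process list"
stdin_exposes_secret || echo "stdin: secret not visible in the process list"
```

A real script would apply the stdin pattern to a tool that reads the password from standard input, such as chpasswd run as root.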
04-10-2005, 01:48 PM
|
#6
|
|
Member
Registered: Nov 2004
Distribution: FC3 dualboot with XP on my main machine, Slackware 9 on my POS ;)
Posts: 30
Original Poster
Rep:
|
hehe, okay, that's kind of what i figured... and yes, i realized it would be VERY silly to put the actual password in the script file!
i read this advice from a shell-scripting guide (the link to which i've now lost) but it wasn't even an article really, just a piece of advice stuck in against using 'passwd' in scripts with no evidence to back up the claim. just thought i'd check with you guys to make sure i wasn't missing something silly!
thanks all!
|
|
|
|
All times are GMT -5. The time now is 11:22 AM.