call useradd and passwd through no prompt script

Red Squirrel · 01-06-2009, 12:44 AM

I'm writing a hosting control panel and one process involves creating or editing a shell user (ex: password reset). How do I go about calling these user functions without a prompt. Passwd especially.

Or is there a C++ library in Linux that will let me perform the same tasks? I suppose I could write directly to /etc/passwd and /etc/shadow but just wondering if there's a better way.

Disillusionist · 01-06-2009, 02:52 AM

Look at the -p options to useradd and usermod.

Sample code snip:

Code:

#!/bin/bash
##
## Set a default password and perform a password reset
l_user=$1
if [ "$l_user" != "" ]
then
   l_password="Reset"
   l_encrypted_pass=$(mkpasswd -s --hash=md5 ${l_password})
   echo "/usr/sbin/usermod -p ${l_encrypted_pass} ${l_user}"
   ## Uncomment when you are happy with the test results
   ##/usr/sbin/usermod -p ${l_encrypted_pass} ${l_user}
fi

EDIT:-

As this script would need to run as root, you need to perform enough checking so that you are happy that users will not be able to break your system (intentionally or otherwise)

Do you want to allow root (and other system accounts) to have their passwords reset? I would suggest not, so you might need to check the contents against a blocked list.

Also I would suggest checking that ;'&> (and possibly other) characters are not contained in $user

I would test by passing incorrect data to see what it echos:
./script 'user;cat /etc/shadow'
./script root
./script >/tmp/etc/passwd -- Don't test directly with /etc/passwd or other files that are key to the system

This is probably not a definitive list of ways to use this script to break a system, but it's what I can think of at the moment.

Red Squirrel · 01-06-2009, 03:19 PM

I don't have mkpasswd on my system. Is there a way to do the same thing in C++? Sure I can go find the program online, but if I don't have it chances are other people don't, so I want to avoid having a depedancy to my program. (this will be redistributed eventually)

For now I'm not looking too much at security, but yeah it is to consider to filter stuff. There will be a full blown ACL system where I can fine tune who has access to do what.

Autocross.US · 01-06-2009, 04:26 PM

This works on FC/RHEL:

echo "your_password" | passwd --stdin USERNAME

Red Squirrel · 01-06-2009, 07:23 PM

Thanks that worked!

Also I'm using system() for all of this, is there a better way other then editing /etc/passwd and /etc/shadow directly?

Disillusionist · 01-07-2009, 02:33 AM

Quote:

Originally Posted by Red Squirrel

Thanks that worked!

Also I'm using system() for all of this, is there a better way other then editing /etc/passwd and /etc/shadow directly?

No, the usermod and password commands are the safest ways of modifying a users password, this is what they were designed to do.

Don't forget to test the hell out of the input values!