[SOLVED] running useradd from webapplication

guna_pmk · 02-10-2012, 02:58 AM

Hi Guys,

I have a PHP suite running on the cloud to be used by the users in the network. This is a cool way so that anybody, with any OS can run an application. Now I am in need of a way to let users to create user accounts on the server where this web application is hosted.

My configuration is:

Server - CentOS 5
PHP - 5.

What is the best way of achieving it.

I have tried the following:

Creating a script owned by root and setting the suid of it. Obviously this did not work as Linux wont let you set the suid for scripts.
Adding the apache user to sudoers. This needed a tty to run; disabling the tty looks like a risky business.

All ideas are welcome.

Thanks

lucmove · 02-10-2012, 10:59 PM

You could save input data to a unique file in a very specific directory. Then a cron job that runs every minute will check if there is any file in that directory. Whenever there is, the job (script) picks them up and processes them. The script must be smart enough to:

1) Spot the files
2) Parse them and take some action
3) Delete them
4) Be very cautious about what data such files may contain. It is obviously risky, but not really that risky if you know what you're doing and can validate the data.

The biggest problem here is the one-minute lag. Instead of a cron job, you could use some kind of daemon or anything that runs every second. That's just slightly more difficult (and proper) than a cron job. Work on the idea to improve it.

guna_pmk · 02-13-2012, 05:03 AM

Hi lucmove,

Thanks for your suggestion. I had this sort of solution in my mind originally; but had to give it up for the same reason you have explained.

Though I have mentioned here only about adding new user, I had a whole lot of other stuff to be performed additional to creating the user (of course all of them needed root access).

But, eventually, I have found the following solution:

1. Developed a script(call it my_script) that does what I wanted.
2. Developed an additional script (call it handler_script) that looks similar to the one below:

Code:

readonly PIPE="/tmp/comms_pipe"

# Create the pipe
if [[ ! -p $PIPE ]]; then
  mkfifo $PIPE
  # Set the permissions for the pipe, so that
  # web users can write to it
  setfacl -m u:apache:rwx $PIPE
fi

while true
do
  if read line <$PIPE; then
    if [[ "$line" == 'quit' ]]; then
      break
    fi
    ./my_script $line
  fi
done

In the above, my_script does all I want according to the parameters passed to it. This way I can control who can communicate to my script and what the user wants my_script to do. Now, I started handler_script as root (you can choose your convenient method - start as a service, run the process in the background etc.); this will wait for inputs from the pipe.

To perform something, from the web application, for example, in PHP, I may call the exec as:

Code:

exec("<path to handler_script> <arguments to my_script>",$output,$result);

This should perform the desired action.

All, please let me know if there is any security risk in this approach.

Thanks