*BSD News Article 84196



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!spool.mu.edu!uwm.edu!news-peer.gsl.net!news.gsl.net!news.mathworks.com!uunet!in3.uu.net!204.96.36.2!wizard.pn.com!news1.channel1.com!usenet
From: hacksaw@user1.channel1.com
Newsgroups: comp.unix.admin,comp.unix.bsd.misc
Subject: Re: adduser
Date: 04 Dec 1996 13:44:28 -0500
Organization: Raisins for Milk, Incomplete
Lines: 34
Sender: hacksaw@gerbils.fe.com
Message-ID: <x7hgm2kv3n.fsf@gerbils.fe.com>
References: <5824sf$a6v@Masala.CC.UH.EDU>
NNTP-Posting-Host: remote164.channel1.com
X-WARNING1: Unsolicited E-mail from commercial sources or
X-WARNING2: from people sending chain e-mail will be regarded
X-WARNING3: as a solicitation for consultation, starting
X-WARNING4: at $100.00 US an hour, 1 hour minimum.
X-WARNING5: YOU HAVE BEEN WARNED!
X-Newsreader: Gnus v5.3/Emacs 19.32
Xref: euryale.cc.adfa.oz.au comp.unix.admin:51305 comp.unix.bsd.misc:1667

yichen@hermes.cs.uh.edu ( Yi Chen ) writes:

> 
> 1) Since adduser in BSDI is perl script, 
>    After saving the original script, following are my actions  
>    a) #!/usr/bin/perl was replaced by #!/usr/bin/suidperl in the script
>    b) chown to root
>    c) after typing Login name and hit return, I got following

I think that path is "insecure" because it starts with a slash. Being
able to twiddle with these things is a traditional way to hack into
things.

A better approach is to not bother with having a setuid script,
instead using the script to call the appropriate program. In my
adduser script, I call chpass to set up the account, and then passwd
to set the passwd to something secure. That way, whatever security the
system enforces through the use of these programs (such as shadowing
or NIS) is taken care of as securely as possible.

The logical caveat is that you must be root to create new
users. However, there is a lot of good reasoning behind this idea.

If you are reasonably sure of your security, you can make the
appropriate programs setgid for the wheel group.

But you shouldn't need setuid scripts.

(IMHO :-)
-- 
-####------------> Nipple!, Is qui iacit in hamas marsupiales.  | Melior
 ####  Rev. Irreverend Hacksaw, Omnibenevalent Polyparrot (ULC) | amans
 ####            http://www.channel1.com/users/hacksaw/         |  per
 #### <-- Tartan of the ScotchBrite Masons (Are you two of us?) | chemia
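An added example, not part of the post above and not BSDI's adduser, sketching the approach Hacksaw describes in Python rather than Perl: the script carries no setuid bit, insists on being run by root, validates the login name so it cannot be read as an option or a path, runs the helpers with a fixed absolute-only PATH, and lets chpass(1) and passwd(1) do the privileged work. The absolute tool paths, the login-name syntax, and the exact chpass/passwd argument shape are assumptions for illustration; adjust `build_commands()` to whatever your BSD expects for creating an entry.

```python
"""Added example: a non-setuid account-creation wrapper in the spirit of the
post.  Privilege comes from the invoking root shell, never from a setuid bit
on this file; the system's own chpass/passwd enforce shadowing, NIS, etc."""
import os
import re
import subprocess
from typing import Dict, List

# Absolute paths to the system tools (assumption; adjust for your BSD).
CHPASS = "/usr/bin/chpass"
PASSWD = "/usr/bin/passwd"

# Conservative login syntax (assumption): lowercase letter first, then
# letters, digits, '_' or '-', at most 16 characters in total.
LOGIN_RE = re.compile(r"^[a-z][a-z0-9_-]{0,15}$")


def validate_login(login: str) -> bool:
    """Reject names that could be mistaken for an option ('-r'), a path
    ('../root') or a shell fragment ('root;rm')."""
    return bool(LOGIN_RE.match(login))


def path_is_safe(path: str) -> bool:
    """A PATH is acceptable only if every entry is absolute and non-empty.
    A relative or empty entry ('.' or '') is what lets someone plant a
    look-alike binary in the current directory."""
    return all(entry.startswith("/") for entry in path.split(":"))


def safe_environment() -> Dict[str, str]:
    """Environment the helpers run with: nothing inherited from the caller,
    a fixed absolute-only PATH, and a sane IFS."""
    env = {
        "PATH": "/bin:/usr/bin:/sbin:/usr/sbin",
        "IFS": " \t\n",
        "HOME": "/root",
    }
    assert path_is_safe(env["PATH"])
    return env


def build_commands(login: str) -> List[List[str]]:
    """Return the argv lists the wrapper would run, in order.  The exact
    chpass/passwd invocation for a *new* entry is an assumption here."""
    if not validate_login(login):
        raise ValueError(f"invalid login name: {login!r}")
    return [[CHPASS, login], [PASSWD, login]]


def add_user(login: str, dry_run: bool = False) -> List[List[str]]:
    """Create LOGIN by calling chpass then passwd.  With dry_run=True the
    commands are only returned, which is how the example can be exercised
    without root or a real BSD box."""
    cmds = build_commands(login)
    if dry_run:
        return cmds
    if os.geteuid() != 0:
        # Refuse rather than escalate: run it from a root shell, do not
        # chown root / chmod u+s this file.
        raise PermissionError("run this as root; do not mark it setuid")
    env = safe_environment()
    for argv in cmds:
        subprocess.run(argv, env=env, check=True)
    return cmds


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: adduser.py <login>")
    for argv in add_user(sys.argv[1], dry_run=os.geteuid() != 0):
        print(" ".join(argv))
```

Run as root it invokes the two helpers in sequence; run as an ordinary user it only prints what it would have run. The point the post makes survives the translation: nothing here is setuid, so the taint and PATH concerns that bite a suidperl script never arise, and whatever policy chpass and passwd implement applies unchanged.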