I do this on a couple of servers. Don't use PHP, use an external scripting language via suEXEC CGI so that scripts run with different UID permission to the main http server - run a separate http process on a different port if you have to.

Then set up sudo so that the UID the script runs as can only run useradd (or whatever) - I use a /etc/sudoers config like this:

    usercode hostname = NOPASSWD: /usr/local/admin/restart_qmail.sh, \
                                  /usr/local/admin/restart_apache.sh, \
                                  /usr/local/admin/restart_bind.sh, \
                                  /usr/local/admin/chpass.pl, \
                                  /usr/local/admin/makeuser.sh

Then, even if you do bugger up the scripts, and somebody gets control of them, the worst they'll be able to do as root is whatever you've given them access to.

Cheers
Si

On Wed, Oct 03, 2001 at 01:05:11PM +1200, John Lynch said:
Hi people,

I am trying to write some php3 code to add dialup users to the unix passwd file. I am issuing the system command to run useradd; this didn't work because you need root permissions to run the command, so I thought, hmm, I'll just build a wrapper and run it suid root (probably very bad, but anyway..). Now the wrapper gets the error cannot get file lock on /etc/passwd.

Any tips on why this might be happening or a better way to solve the problem would be much appreciated.
John Lynch System Administrator (string and tape specialist) Wise Net
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
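Added example, not part of the original thread and not the poster's own script: a sketch of what a sudo-invoked makeuser.sh like the one in the sudoers list above could check before calling useradd, since its only argument comes from the web-facing script. The script body, the useradd path and options, the 32-character limit and the exit codes are assumptions.

```shell
#!/bin/sh
# Hypothetical /usr/local/admin/makeuser.sh, run as root via the sudoers entry.
# The login name is untrusted input: it arrives from the CGI script's UID.

LC_ALL=C; export LC_ALL                       # make a-z mean ASCII only
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
USERADD=/usr/sbin/useradd                     # assumed location; call by absolute path

# Return 0 only for names made of [a-z0-9_-], starting with a letter or
# underscore, 1 to 32 characters long. Rejecting a leading "-" stops the
# name being parsed as a useradd option; rejecting ":" and newlines keeps
# it from corrupting a passwd entry.
valid_login() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case $name in
        [!a-z_]*)       return 1 ;;
        *[!a-z0-9_-]*)  return 1 ;;
    esac
    return 0
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: makeuser.sh LOGIN" >&2; return 64; }
    valid_login "$1" || { echo "makeuser: rejected login name" >&2; return 65; }
    # Refuse to touch an account that already exists (root included).
    if id "$1" >/dev/null 2>&1; then
        echo "makeuser: account already exists" >&2
        return 66
    fi
    # Record who asked; sudo sets SUDO_USER to the invoking account.
    logger -t makeuser "creating $1 (requested by ${SUDO_USER:-unknown})"
    # Dialup account with no login shell; "--" ends option parsing.
    "$USERADD" -s /bin/false -- "$1"
}

# Run main only when executed under its installed name, so the functions
# can be loaded and tested without creating accounts.
case ${0##*/} in
    makeuser.sh) main "$@"; exit ;;
esac
```

Because the sudoers entry lists the script without arguments, sudo allows any arguments to it, so the validation inside the script is the only check on the login name.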