Re: Scripts and passwd
Hi!

On Sun, May 19, 2002 at 10:34:17AM +0200, Per Einar Ellefsen wrote:
> At 10:22 19.05.2002, [EMAIL PROTECTED] wrote:
> > I have written scripts to add a user to the passwd and shadow files as well as sendmail user files. When I run this script from the command line for testing all runs and completes fine. But when I run the script from apache via the web interface I designed it for, I get file permission errors on the additions to passwd and the rest of the scripts. How can I get the script to access those files?
>
> You're doing something pretty risky there. The passwd/shadow files are only writable by root. So I suppose that when running them from the command line

You could let the CGI (or mod_perl) script write the new user info to a normal file writable by Apache, and then run a root-owned script (via a cronjob) that reads this file and then modifies the passwd/shadow file.

Depending on the frequency of the updates, you might want to add file locking, and depending on the security of your whole system, you could add an MD5 checksum to each entry, so that nobody with access to your filesystem can add entries to the Apache-writable file.

--
D_OMM + http://domm.zsi.at -+ O_xyderkes | neu: Arbeitsplatz | M_echanen | http://domm.zsi.at/d/d162.html | M_asteuei ++
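The spool-file scheme suggested in the message above, as an added Python example that is not part of the original thread: the web process appends signed requests under a lock, and a root cron job drains the file and validates every line before acting on it. It swaps a keyed HMAC-SHA256 in for the MD5 checksum mentioned; the line format, username policy, file name and function names are assumptions, and the key is assumed to live in a file readable only by root and the Apache user.

```python
import fcntl, hashlib, hmac, os, re, tempfile

# Assumed policy: conservative login names, so ':' or a newline never reaches passwd.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,30}")

def _mac(key: bytes, username: str) -> str:
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()

def sign_entry(key: bytes, username: str) -> str:
    """Web side: build one spool line, 'username:hexmac' (assumed format)."""
    return f"{username}:{_mac(key, username)}\n"

def append_request(path: str, key: bytes, username: str) -> None:
    """Web side: append under an exclusive lock so writers cannot interleave."""
    with open(path, "a") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.write(sign_entry(key, username))

def drain_spool(path: str, key: bytes):
    """Root side (cron): lock, read and empty the spool, then validate each line."""
    with open(path, "r+", errors="replace") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)      # released when the file is closed
        lines = fh.read().splitlines()
        fh.seek(0)
        fh.truncate()
    accepted, rejected = [], []
    for line in lines:
        username, sep, mac = line.rpartition(":")
        good_mac = hmac.compare_digest(mac.encode(), _mac(key, username).encode())
        if sep and good_mac and USERNAME_RE.fullmatch(username):
            accepted.append(username)       # only these go on to account creation
        else:
            rejected.append(line)           # log for review, never act on these
    return accepted, rejected

def demo():
    key = b"constructed-demo-key"           # real key: file readable by root and Apache only
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "newusers.spool")
        append_request(spool, key, "alice")
        with open(spool, "a") as fh:        # constructed bad lines
            fh.write("mallory:" + "0" * 64 + "\n")   # MAC does not verify
            fh.write(sign_entry(key, "bob:0:0"))     # signed, but name fails validation
        result = drain_spool(spool, key)
        return result, os.path.getsize(spool)

if __name__ == "__main__":
    print(demo())
```

The username check runs on the root side even for correctly signed lines, so a bug in the web script cannot push extra colon-separated fields into the account files.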
Scripts and passwd
I have written scripts to add a user to the passwd and shadow files as well as sendmail user files. When I run this script from the command line for testing all runs and completes fine. But when I run the script from apache via the web interface I designed it for, I get file permission errors on the additions to passwd and the rest of the scripts. How can I get the script to access those files? Thanks!
Re: Scripts and passwd
At 10:22 19.05.2002, [EMAIL PROTECTED] wrote:
> I have written scripts to add a user to the passwd and shadow files as well as sendmail user files. When I run this script from the command line for testing all runs and completes fine. But when I run the script from apache via the web interface I designed it for, I get file permission errors on the additions to passwd and the rest of the scripts. How can I get the script to access those files?

You're doing something pretty risky there. The passwd/shadow files are only writable by root. So I suppose that when running them from the command line you run them as root. Apache doesn't run as root (its children which serve the requests at least), so mod_perl (I suppose you *are* using mod_perl? If not, this is more appropriate for another newsgroup) won't either. If you can run your script as CGI, you could use suEXEC.

But really, really consider the security implications of what you're doing there before allowing users to trash your machine very fast...

--
Per Einar Ellefsen
[EMAIL PROTECTED]
Re: Scripts and passwd
Hello

Thanks for the reply. Yes this server is running mod perl :)

As for risky. Well the whole point of the script system is to add a pop mail box for a user. But in order to do this I have to do the following:

add user to the passwd/shadow file
add user to the virtusertable and genericstable
recompile the sendmail config files

Then and only then is the new mailbox ready for use. This is the only way I can think of to accomplish this via an automated web process. I don't even know if you can do it any other way without touching the passwd/shadow files?

Thanks!
John.

> You're doing something pretty risky there. The passwd/shadow files are only writable by root. So I suppose that when running them from the command line you run them as root. Apache doesn't run as root (its children which serve the requests at least), so mod_perl (I suppose you *are* using mod_perl? If not, this is more appropriate for another newsgroup) won't either. If you can run your script as CGI, you could use suEXEC.
>
> But really, really consider the security implications of what you're doing there before allowing users to trash your machine very fast...
>
> --
> Per Einar Ellefsen
> [EMAIL PROTECTED]
Re: Scripts and passwd
You could migrate to a database based mail authentication solution. Postfix+cyrus springs to mind.

Ric

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 19, 2002 9:56 AM
Subject: Re: Scripts and passwd

> Hello
>
> Thanks for the reply. Yes this server is running mod perl :)
>
> As for risky. Well the whole point of the script system is to add a pop mail box for a user. But in order to do this I have to do the following:
>
> add user to the passwd/shadow file
> add user to the virtusertable and genericstable
> recompile the sendmail config files
>
> Then and only then is the new mailbox ready for use. This is the only way I can think of to accomplish this via an automated web process. I don't even know if you can do it any other way without touching the passwd/shadow files?
>
> Thanks!
> John.
>
> > You're doing something pretty risky there. The passwd/shadow files are only writable by root. So I suppose that when running them from the command line you run them as root. Apache doesn't run as root (its children which serve the requests at least), so mod_perl (I suppose you *are* using mod_perl? If not, this is more appropriate for another newsgroup) won't either. If you can run your script as CGI, you could use suEXEC.
> >
> > But really, really consider the security implications of what you're doing there before allowing users to trash your machine very fast...
> >
> > --
> > Per Einar Ellefsen
> > [EMAIL PROTECTED]
Re: Scripts and passwd
[EMAIL PROTECTED] wrote:
> Hello
>
> Thanks for the reply. Yes this server is running mod perl :)
>
> As for risky. Well the whole point of the script system is to add a pop mail box for a user. But in order to do this I have to do the following:
>
> add user to the passwd/shadow file
> add user to the virtusertable and genericstable
> recompile the sendmail config files
>
> Then and only then is the new mailbox ready for use. This is the only way I can think of to accomplish this via an automated web process. I don't even know if you can do it any other way without touching the passwd/shadow files?

You probably want this article:

Safely Empowering Your CGI Scripts by Lincoln D. Stein
http://www.samag.com/documents/s=1286/sam03020006/

__
Stas Bekman   JAm_pH -- Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED]   http://use.perl.org   http://apacheweek.com
http://modperlbook.org   http://apache.org   http://ticketmaster.com
Re: Scripts and passwd
On Sun, May 19, 2002 at 03:56:43AM -0500, [EMAIL PROTECTED] wrote:
> As for risky. Well the whole point of the script system is to add a pop mail box for a user. But in order to do this I have to do the following:
>
> add user to the passwd/shadow file
> add user to the virtusertable and genericstable
> recompile the sendmail config files
>
> Then and only then is the new mailbox ready for use. This is the only way I can think of to accomplish this via an automated web process. I don't even know if you can do it any other way without touching the passwd/shadow files?

If all you want to do is give out POP3 mailboxes, you can accomplish this by doing something at the MTA (Mail Transport Agent, aka mail server) level. For example, installing qmail (http://www.lifewithqmail.org/lwq.html) with qmail-pop3d [note: qmail replaces sendmail] and VMailMgr (http://www.vmailmgr.org/). Under this configuration, adding a new POP3 mailbox would involve just changing files owned by a normal user of the system (instead of root).

Advantages of my solution:
- Increased security. Everything in your mailbox system would be owned by an unprivileged user of the system rather than root.
- qmail/Maildir is generally higher performance than sendmail/mbox.

Disadvantages of my solution:
- You have to replace sendmail with qmail and relearn some stuff. Be prepared to spend a few hours figuring stuff out.

> You could migrate to a database based mail authentication solution. Postfix+cyrus springs to mind.

The above is also a valid way to do it, with similar advantages and disadvantages as my solution. (Postfix replaces sendmail.)
Re: Scripts and passwd
> I don't even know if you can do it any other way without touching the passwd/shadow files?

Do you run this for internet or your intranet accounts? If for internet, try something different (e.g. Courier/IMAP.) If for intranet, and if you have to stay with Pop3, there is no way but to touch the password file.

If you don't mind a web-based mail, a possible solution may be like this:

1) set up a normal web-based membership service;
2) write a mail filter;
3) catch every email and check if the recipient is in your database, (yes) ? move the mail to the DB : normal mailbox.

Well, I think someone in this mailing list may already have such a system and can share their experience. On the other hand, while this has a lot to do with Perl, it has little to do with mod_perl.

Peter

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 19, 2002 1:56 AM
Subject: Re: Scripts and passwd

> Hello
>
> Thanks for the reply. Yes this server is running mod perl :)
>
> As for risky. Well the whole point of the script system is to add a pop mail box for a user. But in order to do this I have to do the following:
>
> add user to the passwd/shadow file
> add user to the virtusertable and genericstable
> recompile the sendmail config files
>
> Then and only then is the new mailbox ready for use. This is the only way I can think of to accomplish this via an automated web process. I don't even know if you can do it any other way without touching the passwd/shadow files?
>
> Thanks!
> John.
>
> > You're doing something pretty risky there. The passwd/shadow files are only writable by root. So I suppose that when running them from the command line you run them as root. Apache doesn't run as root (its children which serve the requests at least), so mod_perl (I suppose you *are* using mod_perl? If not, this is more appropriate for another newsgroup) won't either. If you can run your script as CGI, you could use suEXEC.
> >
> > But really, really consider the security implications of what you're doing there before allowing users to trash your machine very fast...
> >
> > --
> > Per Einar Ellefsen
> > [EMAIL PROTECTED]
Re: Scripts and passwd
Courier-IMAP comes with a POP server too. Plus there are Perl scripts so you can manage mail users out of a DB... no need to touch system passwd files. Might be fairly easy to convert these to a mod_perl setup. Plus you can take advantage of the goodness of qmail, Maildirs, and daemontools.

http://inter7.com/courierimap/

- Original Message -
From: Peter Bi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, May 19, 2002 12:46 PM
Subject: Re: Scripts and passwd

> > I don't even know if you can do it any other way without touching the passwd/shadow files?
>
> Do you run this for internet or your intranet accounts? If for internet, try something different (e.g. Courier/IMAP.) If for intranet, and if you have to stay with Pop3, there is no way but to touch the password file.
>
> If you don't mind a web-based mail, a possible solution may be like this:
>
> 1) set up a normal web-based membership service;
> 2) write a mail filter;
> 3) catch every email and check if the recipient is in your database, (yes) ? move the mail to the DB : normal mailbox.
>
> Well, I think someone in this mailing list may already have such a system and can share their experience. On the other hand, while this has a lot to do with Perl, it has little to do with mod_perl.
>
> Peter
>
> - Original Message -
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Sunday, May 19, 2002 1:56 AM
> Subject: Re: Scripts and passwd
>
> > Hello
> >
> > Thanks for the reply. Yes this server is running mod perl :)
> >
> > As for risky. Well the whole point of the script system is to add a pop mail box for a user. But in order to do this I have to do the following:
> >
> > add user to the passwd/shadow file
> > add user to the virtusertable and genericstable
> > recompile the sendmail config files
> >
> > Then and only then is the new mailbox ready for use. This is the only way I can think of to accomplish this via an automated web process. I don't even know if you can do it any other way without touching the passwd/shadow files?
> >
> > Thanks!
> > John.
> >
> > > You're doing something pretty risky there. The passwd/shadow files are only writable by root. So I suppose that when running them from the command line you run them as root. Apache doesn't run as root (its children which serve the requests at least), so mod_perl (I suppose you *are* using mod_perl? If not, this is more appropriate for another newsgroup) won't either. If you can run your script as CGI, you could use suEXEC.
> > >
> > > But really, really consider the security implications of what you're doing there before allowing users to trash your machine very fast...
> > >
> > > --
> > > Per Einar Ellefsen
> > > [EMAIL PROTECTED]