Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!spool.mu.edu!uwm.edu!news-peer.gsl.net!news.gsl.net!news.mathworks.com!uunet!in3.uu.net!204.96.36.2!wizard.pn.com!news1.channel1.com!usenet
From: hacksaw@user1.channel1.com
Newsgroups: comp.unix.admin,comp.unix.bsd.misc
Subject: Re: adduser
Date: 04 Dec 1996 13:44:28 -0500
Organization: Raisins for Milk, Incomplete
Lines: 34
Sender: hacksaw@gerbils.fe.com
Message-ID: <x7hgm2kv3n.fsf@gerbils.fe.com>
References: <5824sf$a6v@Masala.CC.UH.EDU>
NNTP-Posting-Host: remote164.channel1.com
X-WARNING1: Unsolicited E-mail from commercial sources or
X-WARNING2: from people sending chain e-mail will be regarded
X-WARNING3: as a solicitation for consultation, starting
X-WARNING4: at $100.00 US an hour, 1 hour minimum.
X-WARNING5: YOU HAVE BEEN WARNED!
X-Newsreader: Gnus v5.3/Emacs 19.32
Xref: euryale.cc.adfa.oz.au comp.unix.admin:51305 comp.unix.bsd.misc:1667

yichen@hermes.cs.uh.edu ( Yi Chen ) writes:

>
> 1) Since adduser in BSDI is perl script,
> After saving the original script, following are my actions
> a) #!/usr/bin/perl was replaced by #!/usr/bin/suidperl in the script
> b) chown to root
> c) after typing Login name and hit return, I got following

I think that path is "insecure" because it starts with a slash. Being able to twiddle with these things is a traditional way to hack into things.

A better approach is to not bother with having a setuid script, instead using the script to call the appropriate program. In my adduser script, I call chpass to set up the account, and then passwd to set the passwd to something secure. That way, whatever security the system enforces through the use of these programs (such as shadowing or NIS) is taken care of as securely as possible.

The logical caveat is that you must be root to create new users. However, there is a lot of good reasoning behind this idea.
If you are reasonably sure of your security, you can make the appropriate programs setgid for the wheel group. But you shouldn't need setuid scripts. (IMHO :-)

-- 
-####------------> Nipple!, Is qui iacit in hamas marsupiales.         | Melior
#### Rev. Irreverend Hacksaw, Omnibenevalent Polyparrot (ULC)         | amans
#### http://www.channel1.com/users/hacksaw/                            | per
#### <-- Tartan of the ScotchBrite Masons (Are you two of us?)        | chemia
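A non-setuid adduser wrapper along the lines hacksaw describes, added here as an example and not his script: it refuses to run unless already root, pins PATH, validates the login name, and hands the real work to chpass(1) and passwd(1). It assumes a chpass that accepts `-a <passwd(5) entry>` as on 4.4BSD-derived systems, plus a hypothetical default gid of 100, home under /home and shell /bin/sh.

```shell
#!/bin/sh
# Added example, not the poster's script. No setuid bit anywhere: the
# caller must already be root, and the system's own chpass/passwd enforce
# whatever policy (shadowing, NIS) is in place.
# Assumption: chpass supports "-a <passwd(5) entry>" (4.4BSD-style).

PATH=/bin:/usr/bin:/usr/sbin      # fixed PATH, never inherited from caller
export PATH

# valid_login NAME: accept only a short login of [a-z0-9_] starting with a
# letter. Rejecting '/', ':', spaces etc. keeps the chpass -a line well-formed.
valid_login() {
    case "$1" in
        ''|*[!a-z0-9_]*|[!a-z]*) return 1 ;;
    esac
    [ ${#1} -le 16 ]
}

# passwd_entry NAME UID HOME: build the passwd(5) line given to chpass -a.
# The password field is '*' so the account stays locked until passwd(1) runs.
# Assumed defaults: gid 100, class empty, no change/expire, shell /bin/sh.
passwd_entry() {
    printf '%s:*:%s:100::0:0:%s:%s:/bin/sh\n' "$1" "$2" "$1" "$3"
}

# main NAME UID: create the account; errors out if not root or name is bad.
main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "adduser: must be run as root" >&2; return 1
    fi
    valid_login "$1" || { echo "adduser: bad login name '$1'" >&2; return 1; }
    home="/home/$1"
    chpass -a "$(passwd_entry "$1" "$2" "$home")" || return 1
    mkdir -p "$home" && chown "$1" "$home" && chmod 0755 "$home"
    passwd "$1"     # prompts for the initial password; system policy applies
}

# Only act when invoked with arguments, e.g.: ./adduser.sh alice 1001
if [ $# -eq 2 ]; then
    main "$1" "$2"
fi
```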