CGI script for managing Unix passwords
Problem
All the services I run on my server are based on Unix accounts. Since most web services have their own users and perform all the account management separate from the actual system accounts, I created a CGI script that handles:
- Changing passwords (requires old password)
- Assigning contact info (requires password)
- Request password reset (no passwords sent in email)
I've tried to use only system commands and no external scripts (aside from the one to get POST variables). The application is not run setuid, but permissions are required for `sudo` to run `chpasswd`.
I'm looking for any issues with sanitizing form data, how I'm using `expect` to input to system commands, etc. I know I can clean up the code a bit and refactor all the duplicate code. Basically I got the thing working and now am looking for how to make it better before I start cleaning it up.
Code posted on GitHub
```
#!/bin/bash -
#===============================================================================
# Copyright (c) 2015 Jeff Parent
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
# * Neither the name of the passwd.sh authors nor the names of its contributors
# may be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
```
Solution
One big flaw with this that hasn't been mentioned so far is that the way your script is written, it requires giving the web-server uid NOPASSWD sudo access to `chpasswd`.
This means that if there happens to be any other exploitable code on your web server that allows a script-kiddie to run arbitrary commands, they get unrestricted use of `sudo chpasswd`.
Instead of allowing access to `chpasswd` itself, give sudo access to a wrapper script around `chpasswd` that very strictly checks and sanitises its arguments. Your script above would then call, e.g., `sudo /usr/local/bin/mychpasswdwrapper.sh`
Context
StackExchange Code Review Q#105315, answer score: 4
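An added example, not code from the post or its author, of the wrapper approach the answer describes. It assumes `chpasswd` lives at `/usr/sbin/chpasswd`, that regular accounts start at UID 1000, and a password length policy of 8 to 128 characters; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/mychpasswdwrapper.sh: the only command sudoers
# lets the web-server user run. Usage: wrapper USER, new password on stdin.
LC_ALL=C; export LC_ALL      # make [a-z] mean ASCII only
MIN_UID=1000                 # assumption: regular accounts start here
MIN_LEN=8; MAX_LEN=128       # assumption: local password length policy
NL='
'
CR=$(printf '\r')

die() { echo "mychpasswdwrapper: $*" >&2; exit 1; }

# Conservative login names: [a-z_] first, then [a-z0-9_-], at most 32 chars.
# Rejects ':' and newlines, which would corrupt the chpasswd record.
valid_username() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# One line only: an embedded newline would add a second "user:password"
# record to chpasswd's input.
valid_password() {
    case "$1" in
        *"$NL"*|*"$CR"*) return 1 ;;
    esac
    [ "${#1}" -ge "$MIN_LEN" ] && [ "${#1}" -le "$MAX_LEN" ]
}

# Never touch root or system accounts.
uid_allowed() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$MIN_UID" ]
}

main() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
    [ "$#" -eq 1 ] || die "usage: mychpasswdwrapper.sh USER (password on stdin)"
    valid_username "$1" || die "invalid user name"
    uid=$(id -u "$1" 2>/dev/null) || die "unknown user"
    uid_allowed "$uid" || die "refusing system account"
    IFS= read -r pass || [ -n "$pass" ] || die "no password on stdin"
    valid_password "$pass" || die "password rejected"
    # printf is a shell builtin, so the password never appears in argv.
    printf '%s:%s\n' "$1" "$pass" | /usr/sbin/chpasswd
}

# With no arguments the file only defines the functions (lets it be sourced).
[ "$#" -eq 0 ] || main "$@"
```

The wrapper does not check the old password, so the CGI script still has to authenticate the request before calling it.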