HiveBrain v1.2.0

CGI script for managing Unix passwords

Submitted by: @import:stackexchange-codereview

Problem

All the services I run on my server are based on Unix accounts. Since most web services have their own users and perform all the account management separate from the actual system accounts, I created a CGI script that handles:

  • Changing passwords (requires old password)
  • Assigning contact info (requires password)
  • Request password reset (no passwords sent in email)

I've tried to use only system commands and no external scripts (aside from the one to get POST variables). The application is not run setuid, but permissions are required for sudo to run chpasswd.

I'm looking for any issues with sanitizing form data, how I'm using expect to input to system commands, etc. I know I can clean up the code a bit and refactor all the duplicate code. Basically I got the thing working and now am looking for how to make it better before I start cleaning it up.

Code posted on Github

```
#!/bin/bash -
#===============================================================================
# Copyright (c) 2015 Jeff Parent
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
# * Neither the name of the passwd.sh authors nor the names of its contributors
# may be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
```

Solution

One big flaw with this that hasn't been mentioned so far is that the way your script is written, it requires giving the web-server uid NOPASSWD sudo access to chpasswd.

This means that if there happens to be any other exploitable code on your web server that allows a script-kiddie to run arbitrary commands, they get unrestricted use of sudo chpasswd.

Instead of allowing access to chpasswd itself, give sudo access to a wrapper script around chpasswd that very strictly checks and sanitises its arguments. Your script above would then call, e.g., sudo /usr/local/bin/mychpasswdwrapper.sh
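The wrapper the answer recommends, written out as an added example; it is not the original poster's script and not code from the answer. It assumes the file name /usr/local/bin/mychpasswdwrapper.sh used in the answer, a web-server account named www-data, chpasswd at /usr/sbin/chpasswd, and that ordinary user accounts have uid 1000 or higher; adjust all four for your system. The point it demonstrates is that the wrapper, not chpasswd, becomes what the web-server uid can reach through sudo, so the wrapper checks the username against a strict pattern, refuses system accounts, takes the password on stdin rather than argv, and only then builds the single user:password record chpasswd expects.

```shell
#!/bin/sh
# mychpasswdwrapper.sh (hypothetical; the name comes from the answer above)
#
# The web-server account gets sudo rights to this file and nothing else,
# e.g. in /etc/sudoers.d/passwd-cgi (www-data is an assumed user name):
#     www-data ALL=(root) NOPASSWD: /usr/local/bin/mychpasswdwrapper.sh
# The CGI script changes a password with the name as the only argument and
# the new password on stdin, so it never shows up in argv (ps) or sudo's log:
#     printf '%s\n' "$newpw" | sudo /usr/local/bin/mychpasswdwrapper.sh "$user"
# Install root-owned, mode 0755: the wrapper is now the trust boundary, so the
# web-server user must not be able to edit it.
set -eu
LC_ALL=C; export LC_ALL          # make [a-z] mean ASCII a-z whatever the caller's locale

UID_MIN=1000                     # assumption: ordinary accounts start at uid 1000
MAX_PW_LEN=128
CHPASSWD=/usr/sbin/chpasswd      # absolute path; never search PATH from a sudo wrapper

# Username must be something useradd would accept: 1-32 chars, starting with a
# lowercase letter or underscore, then lowercase letters, digits, '_' or '-'.
# The case patterns see every character, so ';', ':', '$', newline etc. all fail.
valid_username() {
    u=$1
    [ -n "$u" ] && [ "${#u}" -le 32 ] || return 1
    case "$u" in
        *[!a-z0-9_-]*) return 1 ;;    # a character outside the allowed set
        [a-z_]*) ;;                   # acceptable first character
        *) return 1 ;;                # starts with a digit or '-'
    esac
}

# Password: non-empty, bounded, no control characters. chpasswd reads
# "user:password" records one per line, so a newline in the password would
# smuggle in a second record such as "root:x"; the read below only ever takes
# one line, and this check also rejects tabs and other control bytes.
valid_password() {
    pw=$1
    [ -n "$pw" ] && [ "${#pw}" -le "$MAX_PW_LEN" ] || return 1
    [ "$(printf '%s' "$pw" | tr -d '[:cntrl:]')" = "$pw" ]
}

# A well-formed name is not enough: the account must exist and must not be a
# system account (root, daemon, the web server's own user, ...).
account_allowed() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge "$UID_MIN" ]
}

# The single record handed to chpasswd, kept as its own function so the
# formatting can be checked without running chpasswd as root.
build_chpasswd_line() {
    printf '%s:%s\n' "$1" "$2"
}

run_chpasswd() {
    "$CHPASSWD"
}

# Username from argv, password from stdin; each failure has its own exit status
# so the CGI script can distinguish a bad name from a missing password.
change_password() {
    user=$1
    valid_username "$user"  || { echo "wrapper: invalid username" >&2; return 2; }
    account_allowed "$user" || { echo "wrapper: account not eligible" >&2; return 3; }
    IFS= read -r pw         || { echo "wrapper: no password on stdin" >&2; return 4; }
    valid_password "$pw"    || { echo "wrapper: invalid password" >&2; return 5; }
    build_chpasswd_line "$user" "$pw" | run_chpasswd
}

wrapper_main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 USERNAME  (new password on stdin)" >&2; return 64; }
    change_password "$1"
}

# Only act when invoked with an argument (as the sudo call above does); sourcing
# the file with no arguments just defines the functions and touches no account.
[ "$#" -eq 0 ] || wrapper_main "$@"
```

Two things still matter once this is installed: the sudoers entry must name the wrapper by its full path with no wildcard, and the wrapper must not read anything the caller controls (PATH, environment variables, files under the web root), because with NOPASSWD sudo the web-server uid can invoke it as often as it likes. The old-password check and the reset-token check belong in the CGI script before it ever calls the wrapper; the wrapper only guarantees that whatever reaches chpasswd is one well-formed record for one ordinary account.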

Context

StackExchange Code Review Q#105315, answer score: 4
