2

I have a web app that runs as a non-privileged user that needs to create Linux accounts.

I'd prefer not to run it as root, so the only scheme I can think of is to create a simple C suid program that takes one argument and runs adduser to create the accounts. As added security, this program will be 700 to the user account that runs the web app.

Any other ideas/approaches to do this?

Dror
  • See: http://www.sudo.ws/sudoers.man.html – Zoredache Dec 19 '12 at 01:04
  • Do you really need to create an actual local system account? You might want to look at creating accounts in an LDAP directory, or some sort of database. Then point any required services at the directory/database, or set up PAM to point at the directory/databases. – Zoredache Dec 19 '12 at 01:07

2 Answers

2

Have the website call a protected script using the sudo utility to get root privs only when necessary.

mdpc
  • I don't think sudo buys you much in a web app since it's not interactive. In other words, either you store the password or don't require it; in both cases, very little added security. – Dror Dec 18 '12 at 23:28
  • Not really, you can allow a selected script or set of commands to be called without having to enter a password. Look at the man page for sudo ... esp. the NOPASSWD: option. – mdpc Dec 18 '12 at 23:35
  • I know about sudo with no password. That's why I said " you store the password or not require it." Say I'm running this as user "webapp". If someone manages to hack that account, and it has sudo root capabilities with no password, it's game over. I guess I could set up sudo to only allow running adduser command. Sounds similar to my original idea, but has the advantage that it's built on sudo. – Dror Dec 18 '12 at 23:49
  • @Dror In the case of `sudo` though, the use of sudo is logged with the rest of the security/authorization logs so it can be tracked. – DerfK Dec 18 '12 at 23:52
  • How would your SUID C application be different than sudo, other than the fact that the sudo source has been extensively reviewed by the security community? You do realize you can set a sudo config that permits root access to a single command, right? – Zoredache Dec 19 '12 at 01:02
  • @Zoredache agreed. That's what I meant when I said "Sounds similar to my original idea, but has the advantage that it's built on sudo." The one advantage of writing a custom suid program is that I can build in some special hooks. – Dror Dec 19 '12 at 02:31
0

If you do not need instant account creation, and an approximate 1 min delay is acceptable, you can use the following idea.

  1. There should be 2 directories writable by the web app: www-tmp, www-job

  2. Each time the web app receives a create account request, it will create a file in directory www-tmp, then move the file to www-job. The reason not to create the file directly in www-job is to prevent the cron job (see next step) from reading an incomplete file.

  3. Create a cron job that has the required permission and runs every minute. Every time it runs, it will process all files in www-job, creating the accounts, then delete the files. Keep checking and processing till www-job is empty. Use a PID lock to prevent parallel runs.

With the above flow, your web app does not need any additional permission.

Web app is order desk. Cron job is production line. www-job is the queuing area. Different departments, different permissions.

Database table can be used instead of file/directory for queuing.

PS: Your cron job, no matter bash, php or perl, should do the final check before passing the argument to a system call.

Username should contain only alpha (all lower or upper case if you want case-insensitive usernames) and numeric characters, maybe with the addition of period (.).

For password, check for minimum length. Make sure (double check, triple test) script is passing it as one string to the system call, AND the system call is taking it in as one string.

John Siu
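The privileged worker from the queue-directory answer above, as an added example (not code from the original post). The two-line job file format, the username pattern, the 12-character minimum, the `run` parameter used for testing, and the use of `flock` in place of a PID file are all assumptions of this sketch.

```python
import fcntl, os, re, stat, subprocess
from pathlib import Path

USERNAME_RE = re.compile(r"[a-z][a-z0-9.]{0,30}")  # assumed policy: lower-case alnum plus "."
MIN_PASSWORD_LEN = 12                               # assumed minimum length

def parse_job(data):  # assumed job format: exactly two lines, username then password
    lines = data.decode("utf-8").splitlines()
    if len(lines) != 2:
        raise ValueError("expected exactly two lines")
    user, password = lines
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("bad username")
    if len(password) < MIN_PASSWORD_LEN or any(ord(c) < 32 for c in password):
        raise ValueError("bad password")
    return user, password

def create_account(user, password, run=subprocess.run):
    # Argument list and no shell: the username is exactly one argv entry.
    run(["useradd", "-m", user], check=True)
    # chpasswd reads "user:password" on stdin, so the password never appears in argv.
    run(["chpasswd"], input=f"{user}:{password}\n", text=True, check=True)

def read_job(path):
    # The web app controls this directory: refuse symlinks, FIFOs and oversized files.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_size > 4096:
            raise ValueError("not a small regular file")
        return os.read(fd, 4096)
    finally:
        os.close(fd)

def process_queue(job_dir, lock_path, run=subprocess.run):
    results = {}
    with open(lock_path, "w") as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return results  # a previous run still holds the lock
        for path in sorted(p for p in Path(job_dir).iterdir() if not p.is_dir()):
            try:
                create_account(*parse_job(read_job(path)), run=run)
                results[path.name] = "created"
            except (ValueError, OSError, subprocess.CalledProcessError) as exc:
                results[path.name] = f"rejected: {exc}"
            path.unlink()  # processed or rejected, the job leaves the queue
    return results
```

Run from root's crontab as `process_queue("/path/to/www-job", "/path/to/worker.lock")`, with both paths being placeholders; the lock file should live outside the directories the web app can write to.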