Date:      Tue, 5 Aug 1997 02:22:41 -0700 (PDT)
From:      "Bryan K. Ogawa" <bkogawa@primenet.com>
To:        rewt@i-Plus.net
Cc:        <security@FreeBSD.ORG>
Subject:   Re: SetUID
Message-ID:  <199708050922.CAA14803@foo.primenet.com>
References:  <> <199708050642.CAA19412@radford.i-plus.net>


In localhost.freebsd.security you write:

>Ok, this SetUID thread has brought a question to mind.

>I'm the sysadmin for a small ISP, and have created a perl script for user
>management.  The script is basically a menu with options to
>create/delete/disable/enable accounts and change passwords.  I've got
>safeguards in place that will only allow user accounts to be modified.

>In my script, I'm using:
>- hacked up code from /usr/bin/adduser to create accounts
>- a call to /usr/sbin/pw to disable and delete accounts
>- a call to /usr/bin/passwd to change user passwords and re-enable
>accounts

Depending on how you call the above, they may or may not show info
(say, the account's password) in the ps listings.

Another thing you can do if you don't trust the staff (or the security
of the staff's accounts) is to run perl in taint mode (-t, I
believe).  Then, perl will become paranoid and refuse to do a lot of
things which may potentially be unsafe.

>My staff is allowed to run this script using the sudo utility, and all
>seems to work well.  The script itself is owned by root, and has 0500 for
>permissions, and is using /usr/local/bin/perl (perl 5.003) as the
>interpreter.

>Is this safe?  Is there anything I should watch out for?

>Any comments/suggestions are welcome.  I'm willing to share my script if
>anyone is willing to suffer through poor coding :^)

>Troy Settle <st@i-Plus.net>
>Network Administrator, iPlus Internet Services
>http://www.i-Plus.net



-- 
bryan k ogawa  <bkogawa@primenet.com>   http://www.primenet.com/~bkogawa/
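
The two points in the reply above (arguments showing up in ps listings, and Perl taint mode, which the `-T` switch enables), as an added example that is not part of the original message and not the poster's script. It assumes FreeBSD's pw(8) accepts `-h 0` to read the new password from standard input; the `$MIN_UID` cutoff and the login-name pattern are illustrative assumptions.

```perl
#!/usr/local/bin/perl -T
# Added example (not the poster's script): set a password via pw(8) under taint mode.
use strict;
use warnings;

# Taint mode will not run any external program until PATH is trusted.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $MIN_UID = 1000;    # assumption: ordinary user accounts start at this uid

# Untaint a login name: only a regex capture yields an untainted value.
sub clean_login {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([a-z][a-z0-9_-]{0,15})\z/;
    return $1;
}

# Read the new password with terminal echo off; it never becomes an argument.
sub read_password {
    print STDERR "New password: ";
    system('/bin/stty', '-echo');
    my $pass = <STDIN>;
    system('/bin/stty', 'echo');
    print STDERR "\n";
    die "no password given\n" unless defined $pass;
    chomp $pass;
    die "empty password\n" unless length $pass;
    return $pass;
}

# List-form open: no shell is involved, and ps shows only "pw usermod <login> -h 0".
# pw reads the password from file descriptor 0, which is our pipe.
sub set_password {
    my ($login, $pass) = @_;
    open(my $pw, '|-', '/usr/sbin/pw', 'usermod', $login, '-h', '0')
        or die "cannot run pw: $!\n";
    print {$pw} "$pass\n";
    close($pw) or die "pw failed (status $?)\n";
    return 1;
}

my $login = clean_login($ARGV[0]) or die "usage: $0 login\n";
my $uid = getpwnam($login);
die "$login: no such account\n" unless defined $uid;
die "$login: refusing to modify a system account\n" if $uid < $MIN_UID;
set_password($login, read_password());
print "password changed for $login\n";
```

Passing the login name through a single-string `system()` or backticks instead would hand it to a shell, and placing the password after `pw` on the command line would expose it to every local user running ps.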


