From: Jez Hancock
To: FreeBSD questions List
Date: Tue, 1 Jul 2003 07:12:49 +0100
Subject: Using pw adduser to set password in a script
Message-ID: <20030701061249.GA98559@users.munk.nu>

I'm attempting to use pw adduser to add a new user to the system and
would like confirmation that the following is the correct way to set the
user's password at the same time:

    echo "password" | \
        pw adduser -q -h - -u user -g group -s shell -d /home/user -c comment

Can anyone also tell me the security implications of doing this, given
that the command is executed from within a script (actually php but this
is more-or-less irrelevant)?

Is there a better way to do this using file descriptors as described in
the man page for pw?:

     -h fd    This option provides a special interface by which interactive
              scripts can set an account password using pw. Because the
              command line and environment are fundamentally insecure
              mechanisms by which programs can accept information, pw will
              only allow setting of account and group passwords via a file
              descriptor (usually a pipe between an interactive script and
              the program). sh, bash, ksh and perl all possess mechanisms
              by which this can be done. Alternatively, pw will prompt for
              the user's password if -h 0 is given, nominating stdin as the
              file descriptor on which to read the password. Note that this
              password will be read only once and is intended for use by a
              script rather than for interactive use. If you wish to have
              new password confirmation along the lines of passwd(1), this
              must be implemented as part of an interactive script that
              calls pw. If a value of `-' is given as the argument fd, then
              the password will be set to `*', rendering the account
              inaccessible via password-based login.

Many thanks in advance,

Jez
-- 
Jez
http://www.munk.nu/
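An added example, not from Jez's mail or from FreeBSD, of the file-descriptor route the quoted man page describes: the password reaches pw on stdin via -h 0, so it is never an argument (visible to every local user in `ps`) or an environment variable, and the account name is validated before it touches the command line. Note that the `-h -` in the command above does the opposite of what is intended: per the quoted text it sets the password field to `*` and ignores the pipe. The example assumes it runs as root on FreeBSD, uses the `pw useradd` spelling and the `-n`/`-m` flags from pw(8), and PW_CMD is an assumption of this example so a stub can stand in for pw during testing.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD.
# Creates an account with pw(8) and supplies the password on fd 0 (-h 0),
# so the secret never appears on the command line (visible in `ps`) or in
# the environment. PW_CMD is an assumption of this example: it lets a test
# harness substitute a stub for /usr/sbin/pw.
PW_CMD="${PW_CMD:-pw}"

# add_user_with_password NAME GROUP SHELL COMMENT
# Reads exactly one line (the password) from the caller's stdin and hands
# that same stdin to pw. Returns pw's exit status, or 2 on a bad name.
add_user_with_password() {
    name="$1" group="$2" shell="$3" comment="$4"
    # Reject names that could be parsed as options or smuggle separators;
    # anything reaching argv below is then a plain account name.
    case "$name" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "invalid user name: $name" >&2; return 2 ;;
    esac
    # -h 0: read the password from stdin. Do NOT use "-h -": per pw(8) that
    # sets the password field to '*' and ignores whatever was piped in.
    "$PW_CMD" useradd -n "$name" -g "$group" -s "$shell" -m \
        -d "/home/$name" -c "$comment" -h 0
}

# Typical call from a script: printf is a shell builtin, so the password
# travels only through the pipe between this shell and pw.
#   printf '%s\n' "$password" | add_user_with_password alice users /bin/sh "Alice"
```

From PHP the same pattern is proc_open() with a pipe on descriptor 0 and the password written to that pipe, rather than interpolating it into a shell_exec() string.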