From: Uwe Doering <gemini@geminix.org>
Organization: Private UNIX Site
Date: Tue, 01 Jul 2003 09:25:28 +0200
To: Jez Hancock
Cc: FreeBSD questions List <freebsd-questions@freebsd.org>
Subject: Re: Using pw adduser to set password in a script
Message-ID: <3F013768.8070407@geminix.org>
In-Reply-To: <20030701061249.GA98559@users.munk.nu>

Jez Hancock wrote:
> I'm attempting to use pw adduser to add a new user to the system and
> would like confirmation that the following is the correct way to set
> the user's password at the same time:
>
> echo "password" | \
> pw adduser -q -h - -u user -g group -s shell -d /home/user -c comment
>
> Can anyone also tell me the security implications of doing this, given
> that the command is executed from within a script (actually php but
> this is more-or-less irrelevant)?
> [...]
Here is what I use:

  echo 'password' | \
  pw useradd -q -h 0 -n user -g group -s shell -d /home/user \
     -c 'comment' -m

Note that feeding the password to 'pw' via the command line (with 'echo')
is a security problem if you have untrusted users on that machine, since
they can see the password in the process list (with 'ps').

A better approach for automating account creation is to first store the
password (generated or given) in a file (with secure permissions, of
course) and then feed 'pw' from that file:

  pw useradd -q -h 0 -n user -g group -s shell -d /home/user \
     -c 'comment' -m < /path/to/file
  rm -f /path/to/file

Hope that helps.

   Uwe
-- 
Uwe Doering                     |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org              |  http://www.escapebox.net
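The file-based recipe from the reply above, written out as a small script. This is an added example, not code from the original thread; it assumes FreeBSD pw(8) and lets PW_CMD point at a stand-in command for testing on a machine without pw.

```sh
#!/bin/sh
# Added example, not code from the original thread. It automates the second
# recipe above: the password never appears on a command line, but is copied
# from this script's stdin into a 0600 temporary file that pw(8) reads via
# -h 0, and that file is unlinked as soon as pw returns.
# Assumptions: FreeBSD pw(8); PW_CMD (hypothetical) may name a stand-in.

PW_CMD="${PW_CMD:-pw}"

# Copy stdin (the password, one line) into a fresh temp file that only the
# caller can read. umask runs in the subshell, so mktemp never creates the
# file with group/world bits; there is no window before a later chmod.
write_secret_file() {
    _sf=$(umask 077; mktemp "${TMPDIR:-/tmp}/pwsecret.XXXXXX") || return 1
    if ! cat > "$_sf"; then
        rm -f "$_sf"
        return 1
    fi
    printf '%s\n' "$_sf"
}

# create_user USER GROUP SHELL COMMENT   (password is read from stdin)
# Returns pw's exit status. The secret file is removed after pw runs and,
# through the EXIT trap, if the script exits before that point.
create_user() {
    _user=$1; _group=$2; _shell=$3; _comment=$4
    _secret=$(write_secret_file) || return 1
    trap 'rm -f "$_secret"' EXIT
    "$PW_CMD" useradd -q -h 0 -n "$_user" -g "$_group" -s "$_shell" \
        -d "/home/$_user" -c "$_comment" -m < "$_secret"
    _rc=$?
    rm -f "$_secret"
    trap - EXIT
    return $_rc
}
```

Run it as `create_user alice staff /bin/sh 'Alice' < password.txt` from a script, or feed the password through a pipe from whatever generated it; nothing in `ps` ever shows it.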