Discussion:
Using pw adduser to set password in a script
Jez Hancock
2003-07-01 06:12:49 UTC
I'm attempting to use pw adduser to add a new user to the system and
would like confirmation that the following is the correct way to set
the user's password at the same time:

echo "password" | \
pw adduser -q -h - -u user -g group -s shell -d /home/user -c comment

Can anyone also tell me the security implications of doing this, given
that the command is executed from within a script (actually php but
this is more-or-less irrelevant)?

Is there a better way to do this using file descriptors as described in
the man page for pw?:

-h fd   This option provides a special interface by which interactive
        scripts can set an account password using pw. Because the
        command line and environment are fundamentally insecure
        mechanisms by which programs can accept information, pw will
        only allow setting of account and group passwords via a file
        descriptor (usually a pipe between an interactive script and
        the program). sh, bash, ksh and perl all possess mechanisms by
        which this can be done. Alternatively, pw will prompt for the
        user's password if -h 0 is given, nominating stdin as the file
        descriptor on which to read the password. Note that this
        password will be read only once and is intended for use by a
        script rather than for interactive use. If you wish to have
        new password confirmation along the lines of passwd(1), this
        must be implemented as part of an interactive script that
        calls pw.

        If a value of `-' is given as the argument fd, then the
        password will be set to `*', rendering the account
        inaccessible via password-based login.

Many thanks in advance,
Jez
--
Jez

http://www.munk.nu/
lewiz
2003-07-01 06:38:23 UTC
Post by Jez Hancock
I'm attempting to use pw adduser to add a new user to the system and
would like confirmation that the following is the correct way to set
echo "password" | \
pw adduser -q -h - -u user -g group -s shell -d /home/user -c comment
I usually just add a user with pw, then use passwd to set a password.
That might be easier, not to mention looking (slightly) more elegant:

pw adduser -q -u user -g group -s shell -d /home/user -c comment
passwd user $passwd
Post by Jez Hancock
Can anyone also tell me the security implications of doing this, given
that the command is executed from within a script (actually php but
this is more-or-less irrelevant)?
I don't know, but I'd check how PHP does logging -- you really want to
obfuscate your chosen method of setting the password, if it's gonna go
down in the log...

Sorry I can't help more,

-lewiz.
--
"I belong to no organized party. I am a Democrat."
-- Will Rogers
------------------------------------------------------------------------
-| msn:***@lewiz.net | jab:***@jabber.org | url:http://lewiz.net |-
Uwe Doering
2003-07-01 07:25:28 UTC
Post by Jez Hancock
I'm attempting to use pw adduser to add a new user to the system and
would like confirmation that the following is the correct way to set
echo "password" | \
pw adduser -q -h - -u user -g group -s shell -d /home/user -c comment
Can anyone also tell me the security implications of doing this, given
that the command is executed from within a script (actually php but
this is more-or-less irrelevant)?
[...]
Here is what I use:

echo 'password' | \
pw useradd -q -h 0 -n user -g group -s shell -d /home/user \
-c 'comment' -m

Note that feeding the password to 'pw' via the command line (with
'echo') is a security problem if you have untrusted users on that
machine, since they can see the password in the process list (with 'ps').

A better approach for automating account creation is to first store the
password (generated or given) in a file (with secure permissions, of
course) and then feed 'pw' from that file:

pw useradd -q -h 0 -n user -g group -s shell -d /home/user \
-c 'comment' -m < /path/to/file
rm -f /path/to/file

Hope that helps.

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
***@geminix.org | http://www.escapebox.net
Jez Hancock
2003-07-01 08:38:53 UTC
Hi Uwe,

Thanks for the reply.
Post by Uwe Doering
echo 'password' | \
pw useradd -q -h 0 -n user -g group -s shell -d /home/user \
-c 'comment' -m
Note that feeding the password to 'pw' via the command line (with
'echo') is a security problem if you have untrusted users on that
machine, since they can see the password in the process list (with 'ps').
Aha.
Post by Uwe Doering
A better approach for automating account creation is to first store the
password (generated or given) in a file (with secure permissions, of
pw useradd -q -h 0 -n user -g group -s shell -d /home/user \
-c 'comment' -m < /path/to/file
rm -f /path/to/file
ah :) Cheers for that :)

The way I ended up doing it in PHP was:

/*
To add a user on FreeBSD:
echo "password" | pw adduser -q -u user -g group \
-s shell -d /home/user -c comment -h -

adds the user 'user' with primary group 'group',
shell 'shell', home dir '/home/user' with a comment 'comment'

This is pretty dodgy - the password is listed in ps output...

To do this from PHP though, we use popen to create a stream to the
command:
pw adduser -q -u user -g group \
-s shell -d /home/user -c comment -h 0

and then write the password to the file pointer created
by popen. This effectively adds the user to the passwd database
whilst at same time setting the password.

This saves listing the password in 'ps' listings.
*/

// adduser command. Each field goes through escapeshellarg() so a username
// or comment containing spaces or shell metacharacters can neither break
// the command line nor inject a second command:
$pw_cmd = $cfg['prog']['uadd']." ".escapeshellarg($data["username"])
." -g ".escapeshellarg("g".$data["id"])
." -s ".escapeshellarg($shell)
." -d ".escapeshellarg($data["root"])
." -c ".escapeshellarg($data["name"])
." -h 0";

// Open a uni-directional (write-only) stream to the command:
$fp = popen($pw_cmd, "w");
if ($fp === false) {
    die("could not start ".$cfg['prog']['uadd']);
}

// Pass $data["password"] to pw on its stdin (fd 0, selected by -h 0):
fwrite($fp, $data["password"]);

// Close the pipe with pclose() (not fclose()), which also waits for pw
// and returns its exit status:
$status = pclose($fp);

Which seems to be working just as required :)

Many thanks for the reply though, I probably would have gone with your
method had I not stumbled across the one I used above :)

Cheers,
Jez

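Pulling the two approaches in this thread together, here is an added example that is not code from any of the posts: a POSIX sh wrapper that passes the password to pw(8) only over a file descriptor, either a pipe on stdin (-h 0, the pattern Jez uses from PHP) or a 0600 file opened on descriptor 3 (Uwe's file-based variant, using the general fd mechanism the man page describes). PW_BIN, add_account and the other function names are assumptions made for this example; pw itself is only available on FreeBSD, which is why the binary is overridable.

```shell
#!/bin/sh
# Added example (not code from the thread). Creates a FreeBSD account with pw(8)
# and hands it the password over a file descriptor, the mechanism pw's -h option
# exists for, so the password never sits in an argv that ps(1) can display.
# PW_BIN is an assumed variable name: it lets a test substitute a stub, since pw
# exists only on FreeBSD.
: "${PW_BIN:=pw}"

# Rejects login names pw would not accept anyway, before anything is spawned.
valid_login() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# add_account FD LOGIN GROUP SHELL HOMEDIR COMMENT
# Runs pw useradd with every field as its own argument (nothing is re-parsed by
# a shell, so a comment with spaces or metacharacters cannot break out) and tells
# pw to read the password from descriptor FD, which the caller must have opened.
add_account() {
    fd=$1 login=$2 group=$3 login_shell=$4 homedir=$5 comment=$6
    valid_login "$login" || { echo "add_account: bad login name: $login" >&2; return 2; }
    "$PW_BIN" useradd -q -n "$login" -g "$group" -s "$login_shell" \
        -d "$homedir" -c "$comment" -m -h "$fd"
}

# add_account_via_pipe PASSWORD LOGIN GROUP SHELL HOMEDIR COMMENT
# Jez's pattern: the password comes down a pipe on stdin (-h 0). printf is a
# shell builtin, so no process ever carries the password in its argument list.
add_account_via_pipe() {
    password=$1; shift
    printf '%s\n' "$password" | add_account 0 "$@"
}

# write_password_file PASSWORD
# Uwe's pattern, step one: store the password in a file only its owner can
# read. umask 077 in a subshell makes the file 0600 at creation time, so there
# is no window in which it is readable by other local users. Prints the path.
write_password_file() {
    (umask 077
     f=$(mktemp "${TMPDIR:-/tmp}/pw.XXXXXX") && printf '%s\n' "$1" > "$f" && printf '%s\n' "$f")
}

# add_account_from_file PWFILE LOGIN GROUP SHELL HOMEDIR COMMENT
# Uwe's pattern, step two: open the file on descriptor 3, let pw read it with
# -h 3, and remove the file afterwards whatever pw returned.
add_account_from_file() {
    pwfile=$1; shift
    if add_account 3 "$@" 3<"$pwfile"; then status=0; else status=$?; fi
    rm -f "$pwfile"
    return $status
}
```

Whichever variant is used, the wrapper has to be started without the password in its own command line: calling it as `sh -c "add_account_via_pipe secret ..."` from another program would put the secret back into argv. From PHP, pass the password through the popen() stream as Jez does, or write it to the file and hand only the path over.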