Apache2 permission problem

Submitted by 元气小坏坏 on 2019-12-23 23:46:13

Question


I initially asked a question about how to create Linux users via HTML (essentially the user registers via an HTML page which executes a server side PHP script which more or less issues the command shell_execute("adduser user")). But, since then, I have come to realize that the problem has to do with the Apache user.

The default apache user is www-data. This works fine most of the time, as you can assign files or folders to either the www-data user, or the www-data group. However, it complicates issues when you need root access. To create new Linux users, I first tried something like this:

shell_exec("ssh -v root@$server \"useradd --password `echo \"$password\" | makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'` -m $username\" ");

Even if I made public/private keys to allow passwordless entry from user www-data to root, I don't exactly know where to put these keys. It appears www-data has no home folder. The PHP command shell_exec("echo $HOME") or shell_exec("echo $USER") returns null/empty string. However, the command shell_exec("whoami") correctly returns www-data. I tried other ways to discover the home folder, such as shell_exec("cd ~"), however, that caused an error. Is there some way of finding out where ssh searches, per user, when looking for public/private keys? I have so far tried /home/www-data/.ssh/ and /var/www/.ssh.

Alternatively, I tried

shell_exec("echo root_password | sudo -S useradd --password `echo \"mypassword\" | makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'` -m rolo ");

But that complains that the root_password I used is incorrect. It appears user www-data has a different root password! In fact, I don't even know what its password is.

Can someone steer me in the right direction as to how I can resolve this issue? I need to be able to create Linux users for every new person that registers.

Thanks


Answer 1:


shell_execute("adduser user")

This is scary, bad, dangerous

shell_exec("ssh -v root@$server

OMG - that's even worse!

It appears www-data has no home folder

Really? What makes you think that? However, the question is moot since, unless you are setting up a honeypot, allowing root ssh access is not the way to solve the problem.

Assuming that you really, really need to create users from the webserver, the right way to do this would be:

  1. Create a wrapper around useradd which only takes a single parameter - the new username - to prevent abuse of the additional functionality exposed via adduser
  2. Make the script runnable as root via sudo with no password (really, trying to 'hide' the password in your code doesn't really help with security). See the NOPASSWD tag for sudoers

Alternatively, set up a script via [x]inetd which reads a shared secret and a username from stdin and runs adduser as root, restrict connections to localhost and set up your PHP script to communicate with this via sockets.
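
The wrapper-plus-sudoers approach described in this answer, sketched as an added example (not code from the original thread). The install path /usr/local/sbin/create-web-user, the function names and the reserved-name list are assumptions; the sudoers line in the comment grants www-data this one command only, unlike a NOPASSWD: ALL entry.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/create-web-user (root:root, mode 0755).
# Matching sudoers entry (edit with visudo), one command and nothing else:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/create-web-user
set -u
export LC_ALL=C                      # make [a-z] mean ASCII lowercase only
PATH=/usr/sbin:/usr/bin:/sbin:/bin   # do not trust a PATH inherited from the caller

# Accept only conservative account names: a lowercase letter first, then
# lowercase letters, digits, '_' or '-', at most 32 characters in total.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Names the web form must never be able to request (constructed sample list).
reserved_username() {
    case "$1" in
        root|daemon|bin|sys|www-data|nobody|sudo|admin) return 0 ;;
    esac
    return 1
}

create_user() {
    [ "$#" -eq 1 ] || { echo "usage: create-web-user USERNAME" >&2; return 64; }
    valid_username "$1" || { echo "rejected: invalid username" >&2; return 65; }
    if reserved_username "$1"; then
        echo "rejected: reserved username" >&2; return 65
    fi
    if getent passwd "$1" >/dev/null; then
        echo "rejected: user already exists" >&2; return 66
    fi
    # '--' ends option parsing, so the name can never be read as a useradd flag.
    # No password is set: the account stays locked until one is set separately.
    useradd -m -- "$1"
}

# Act only when called with arguments, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then
    create_user "$@"
fi
```

From PHP the call would pass the name through escapeshellarg(), but the wrapper still validates on its own, because it is the only part running as root.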




Answer 2:


The previous answer worked for me. Especially the part about setting a password, with a salt encryption method.




Answer 3:


Use this in your /etc/sudoers. Example for running gconftool-2:

www-data ALL=NOPASSWD: /usr/bin/gconftool-2
www-data ALL=NOPASSWD: /usr/bin/sudo
www-data ALL=NOPASSWD: ALL


Source: https://stackoverflow.com/questions/5713633/apache2-permission-problem
