>> Tired of adding/deleting users manually..I am writing my own perl scripts to
>> automate the tasks for me...this I do by directly writing to the passwd and
>> shadow files...(because I do not want to use Expect in the perl code)..It
>> works great and has eased my admin tasks to an extent..
>
>What's wrong with adduser and userdel?
I would have to second that .. why not just system() out and run one of them?
They would certainly take care of a lot more than you may realise ..

Now, more specific to that example cgi.... what the hell is that supposed to be?

1. There is no sanity checking on variables, so I'm assuming you trust whoever uses it...
2. God only knows why you parse your own form data, when AFAIK CGI.pm is standard shipping with perl ..
3. Home directories in / ? What a mess.
4. You don't check the return value of useradd ..
5. You don't separate the arguments to system()
6. Variable interpolation in a regexp is, in itself, a security risk .. getting back to sanity checking..
> foreach $line (@userlist) {
> if ($line =~ /.*$username.*/i) {
> $name = "user exists";
> &exit($name);
> }
> }
7. Shouldn't that be =~ /^$username:/ .. and it IS CasE-SenSitivE!

Someone needs to go have a good read of man perlsec I think. All someone has to do is type a username of:
test; rm -Rf /;
OR
@{[ system(\"rm -Rf /\") ]}
and you'll have an unhappy day.
I hope no one has that sitting SUID on their box.
--
Iain Wade - Optus Internet
Email: [EMAIL PROTECTED]
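
The points raised in the message (input validation, an exact passwd match, list-form system() and a checked return value) put together in one sketch. This is an added example, not code from the thread; the username pattern, the /usr/sbin/useradd path and the /home layout are assumptions, and the sample passwd lines and inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist check (points 1 and 6); returning $1 is also the untaint idiom
# from perlsec. The pattern is an assumed local policy.
sub valid_username {
    my ($name) = @_;
    return defined $name && $name =~ /\A([a-z][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

# Exact, case-sensitive match on the first passwd field, no regex (point 7).
sub user_exists {
    my ($name, @lines) = @_;
    return scalar grep { index($_, "$name:") == 0 } @lines;
}

# List-form argv for system(): no shell ever parses it (point 5). The
# useradd path and the /home layout (point 3) are assumptions.
sub useradd_argv {
    my ($name) = @_;
    return ('/usr/sbin/useradd', '-m', '-d', "/home/$name", $name);
}

# Run a command without a shell and decode $? (point 4). '' means success.
sub run_checked {
    my @argv = @_;
    system { $argv[0] } @argv;
    return "could not start: $!" if $? == -1;
    return 'killed by signal ' . ($? & 127) if $? & 127;
    return $? >> 8 ? 'exit status ' . ($? >> 8) : '';
}

# Constructed sample data. The last two inputs have the shape of the ones in
# the message, with a harmless command. Dry run unless called with --apply.
my @passwd = ('root:x:0:0:root:/root:/bin/sh',
              'testing:x:1001:1001::/home/testing:/bin/sh');
my $apply = @ARGV && $ARGV[0] eq '--apply';
for my $input ('test', 'testing', 'Test', 'test; echo hi;', '@{[ system("echo hi") ]}') {
    my $name = valid_username($input);
    if    (!defined $name)              { print "reject  [$input]\n" }
    elsif (user_exists($name, @passwd)) { print "exists  [$name]\n" }
    elsif (!$apply) { print 'would run: ', join(' ', useradd_argv($name)), "\n" }
    else {
        my $err = run_checked(useradd_argv($name));
        print $err ? "useradd $name: $err\n" : "added $name\n";
    }
}
```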