3

1) I'm struggling to find a secure way to allow new users to create accounts without granting them admin rights to do so. If you already have an account on my system and can work UNIX command line, then you can use programs such as puTTY to access it. I'm currently making a program that lets you visually transfer files back and forth, with a layout similar to dropbox. However, I'd like to add a "Create new user" feature and I'm not sure how to securely do it.

Sure, I can have the program execute something like "sudo adduser jim" and supply the sudo password, but this would require me to include an administrative password within the jar file. I know there are obfuscation programs out there, but it doesn't necessarily make it more secure. I'd prefer to create users with ssh, but I'm open to whatever works and is secure.

2) I just thought of something. What if I created an administrative user with a their sudo ability limited to only creating new users? Does this sound like a reasonably secure solution? If so, how should I go about doing this? If not, what are the cons of this method?

EDIT: This is my solution so far: assuming I have sanitized inputs I'll make a script that will take the first argument as a username, and the second as the password, then set it's permissions (setuid bit) to be non-writable, and when non-root accounts run it, they are allowed to run this and ONLY this with root privileges. Here is the most basic code so far:

adduser --disabled-password --gecos "" "$1"
echo "$1":"$2" | chpasswd

What do you think? How do you think I can improve it?

Improve this question
3
  • 1
    Ever heard of the setuid bit? Commented Aug 30, 2013 at 22:47
  • Somewhat, but thank you for mentioning this. I looked into it and it definitely helped me figuring out how permissions work Commented Aug 31, 2013 at 1:35
  • Make sure to put your $1 and $2 in quotes. "$1" "$2" Commented Aug 31, 2013 at 20:25

2 Answers 2

Reset to default
2

If your only problem with sudo is having to use a password, you can add the NOPASSWD tag in your sudoers file. You want

some_user ALL = (ALL) NOPASSWD:/path/to/adduser
Improve this answer
8
  • well this will definitely help me to keep admin passwords out of the .jar, but the problem is I'm trying to limit the users' rights to ONLY be able to use 'adduser' Commented Aug 30, 2013 at 23:07
  • @Blake and this will do just that. Commented Aug 30, 2013 at 23:09
  • This will really allow users to execute the command without supplying admin password AND restrict every other sudo command? If so then I would just need to concat this onto the end of sudoers file, right? Commented Aug 30, 2013 at 23:15
  • 1
    I like the idea, but ultimately I wouldn't do this for reason that you can't do any filtering/sanitizing. For example, the adduser executable has a -u switch that let's you specify the user ID of the new account. If you don't restrict this, users can create new users with the same UID as an existing user, which means they've hijacked the account. It would be possible to specify your UID to 0, and become root! Ex: sudo adduser -u 0 -o newRoot Commented Aug 30, 2013 at 23:26
  • 1
    You must allow only your own program through sudoers, not the system's adduser or useradd or whatever. Your program will sanitize its input and run adduser only with safe arguments. Commented Aug 31, 2013 at 9:41
1

There are a number of ways to go about this, but I would write a small program or script that takes in the user info and runs adduser. The program would be owned by root, with the setuid bit set.

Keep it as simple as possible. If you don't sanitize your input properly, you could have a security hole. Adding users to a system is dangerous business anyway. The nice thing about this strategy though is that your whole executable doesn't need to run as root, just the script/program that adds the user.

EDIT:

As far as santizing input, the way you do this depends on how you implement the program. If you write it in C, use the execve() function instead of system(). There is a great doc with examples of sanitize fails that become exploitable over at CERT. If you're writing in Python, prefer the subprocess module to system() for similar reasons.

I would sanitize by stripping out any characters that are not letters or numbers, unless you have a specific need. Are the users creating passwords? If so, that makes it more difficult. The key is that you don't want them to be able to pass any special characters to the shell or program being called that have special meaning. For bash some obvious are $, ;, &&. For mysql you would want to prevent at a minimum ', ", and ;.

Unfortunately sanitizing can be a difficult task. If you can enumerate all values that your users may need to use, then I would suggest using a whitelist.

Improve this answer
3
  • could you please elaborate on 'sanitizing input'? Commented Aug 30, 2013 at 23:08
  • @Blake see updated answer. Sorry I can't be more concrete Commented Aug 30, 2013 at 23:18
  • The description you gave is very well written. Yes, the script would need to be able to assign passwords, so I'll check for these characters in the executable jar as well as the script. Commented Aug 30, 2013 at 23:25

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.