2

I am using a customized Redmine installation to manage projects. I have managed to hook the addition of new users and send the login information to a bash script I have. Below is my script:

#!/bin/sh
UNAME=$1
UPASS=$2
wall "$UNAME $UPASS"
useradd "$UNAME"
echo "$UPASS" | passwd "$UNAME" --stdin
usermod -g restricted "$UNAME"

Echo is a bash builtin so it will not show up in the process table when it shoots the password in. The problem is that I get a permission complaint from Redmine:

/opt/rms/redmine/new-user: line 5: /usr/sbin/useradd: Permission denied
Only root can do that.
/opt/rms/redmine/new-user: line 7: /usr/sbin/usermod: Permission denied

This obviously indicates that I need root permission or another method of doing this. So I attempted to set the UID bit with permissions 4755 on the file so it runs as root, and I get the same error as above. Any idea what is going on here?

My general situation is I aim to add new users to the project management system automatically as linux users, and then when they are added to a certain group I plan to hook it so that they get extended permissions that lets them access a Mercurial repository via SSH - so user management is handled completely via the front end.

030
  • 5,901
  • 13
  • 68
  • 110
Joshua Enfield
  • 3,454
  • 8
  • 42
  • 59

2 Answers2

5

Due to the limited information, I am not going to theorize in detail as to the potential security implications of your architecture. However, I would be especially cautious about granting the ability to add users to a non-root user.

With that said, I would discourage the use of the SUID bit for that purpose. If nothing else, because it introduces additional exposure to every user on the system. Meaning, every user could potentially add users.

As an alternative, you could configure sudo to allow the non-root user to run usermod. For example, run visudo and add this line:

redmineuser ALL=NOPASSWD: /usr/sbin/usermod

Warner
  • 23,756
  • 2
  • 59
  • 69
  • That did the trick. What exactly is the problem with being able to add new users? Aside from making a messy collection of users? I plan on denying any SSH via DenyUsers in sshd, and denying su to all users except a couple privileged accounts. SSH will be turned on when they are added to the special group, which can only be done by an administrator in the system. It does make me nervous, but I would really like to make things easy for the maintainers. This server is internal, so I want to give my users usability over constriction. – Joshua Enfield Jul 12 '10 at 19:55
  • Use `/sbin/nologin` or `/bin/false` as shell too. – Warner Jul 12 '10 at 20:04
0

From man wall:

Wall displays the contents of file or, by default, its standard input, on the terminals of all currently logged in users.

Why would you want to broadcast a username and password to everyone who's logged in?

Echo is a bash builtin so it will not show up in the process table when it shoots the password in.

However, you're passing the password as an argument to this script making that point moot.

If you're concerned about the security of whether echo shows up in ps output, you should be concerned about other things as well like the command-line argument issue and that SETUID on useradd and broadcasting passwords are bad ideas.

Dennis Williamson
  • 62,149
  • 16
  • 116
  • 151