May 6th, 2003 10:41 PM
Guidance wanted in how to automate adding users
I was wondering if someone can help guide me. I've set up and configured an http server and ftp server. With that I configured php. I really just want guidance on this question, not spoon-feeding. I have set up a web server and ftp server. With that I configured php and learned how to make my own php scripts. Here is what I want guidance in:
Scenario: I've set up my own server and now want to host for others. So I make a form for people to sign up. To be secure I use SSL3; the form gets processed by the php script I have written. Now, using the username and pass, I want to have my script add the user's account to the server, instead of me manually having to go to my administration interface and add in the account. I want it to be automated. Similarly, the user will want a way to upload files, so I set up an ftp server, but the same problem arises. I would have to manually enter the user into an account, but I want this to be automated with a php script.
I'm comfortable writing php. I have been Google searching and searching the forums here. I decided to experiment and I looked in the directory for my FTP server and found a file users.pro, and when opened I found that it contained all the user account info including the password in plain text. So I've decided not to use the ftp server, but I could just as easily write a php script to write the binary data to the file by just imitating the format that the other accounts are in. But is there an easier way? I looked at some commercial ftp server software and none of which seem to have a feature built in to make the process of automating adding users. So I was thinking, is the only way to automate this process a matter of trial and error, finding the file that stores account info and adding the info yourself?
If the file was encrypted I would need to know the encryption used so I can also encrypt the data.
What I want is, can someone guide me as to how I would go about this, i.e. just trial and error, playing with user setting files, or is there a simpler method I am overlooking?
Anything that can guide me in the right direction would be appreciated.
May 7th, 2003 01:13 PM
For adding a user to a UNIX system, all that really needs to happen is a new entry in the password file. You don't have to use useradd or adduser to create this entry, you just have to know what the next available userid would be. You could easily write a subroutine in PHP that parses through the password file, and finds the next available UID and simply appends a new line to the end of the file. A couple other things that the useradd and adduser programs do, however, is create the new user's home directory, copy the startup files from /etc/skel, create an entry in /etc/group for the user, and set the password. A PHP script could do all of this. Even creating a new password can be done without using the interactive mode using the passwd program, although you may need to encrypt the password you receive on the webpage using some kind of symmetrical key based encryption algorithm like blowfish so that you can decrypt the password on the system and encrypt it again using the system's crypt() function for the system password files.
I'm afraid I don't have too much expertise with FTP servers, but configuring those doesn't appear to be too difficult. Examine the man pages for the binaries to add users. Look for switches that allow you to operate outside of interactive mode. I'm sure there are some available. If you cannot find them, read what the binaries are doing exactly, and you can probably mimic it. If the result is binary data, you may be able to pack the data using PERL so that it's readable by the FTP server. I wish I could offer more specific help on this one, sorry.
Good luck with your project!
Another quick thought. Another thing you might want to try is when creating the user on the system, you could initially set their shell to a custom-built shell that would kickstart the FTP binary for adding users and then reset their shell to a system shell. This would force them to add themselves to the FTP system first, and then re-login with the new shell. Understand that this idea is off-the-cuff, and you would need to explore the frailties of the FTP binary before implementing this. If the binary is weak security-wise, you could write a wrapper script to feed the binary from standard input. Just another thought.
/* You are not expected to understand this. */
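Added example, not part of the post above: a PHP sketch of the passwd parsing it describes, which finds the lowest unused UID and checks for a name collision. The UID range and the sample file content are constructed assumptions.

```php
<?php
// Added example: find the next free UID in passwd(5)-format text.
// UID_MIN/UID_MAX are assumed values; check /etc/login.defs on the real host.
const UID_MIN = 1000;
const UID_MAX = 59999;

/** Parse passwd-format text into [name => uid], skipping malformed lines. */
function parsePasswd(string $text): array
{
    $users = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $fields = explode(':', $line);
        // A passwd(5) entry has exactly 7 colon-separated fields.
        if (count($fields) !== 7 || !ctype_digit($fields[2])) {
            continue;
        }
        $users[$fields[0]] = (int) $fields[2];
    }
    return $users;
}

/** Lowest unused UID in [UID_MIN, UID_MAX], or null if the range is full. */
function nextFreeUid(array $users): ?int
{
    $taken = array_flip($users);   // uid => name
    for ($uid = UID_MIN; $uid <= UID_MAX; $uid++) {
        if (!isset($taken[$uid])) {
            return $uid;
        }
    }
    return null;
}

// Constructed sample, not a real system file.
$sample = <<<'EOT'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
broken line without enough fields
EOT;

$users = parsePasswd($sample);
$requested = 'alice';
if (isset($users[$requested])) {
    echo "username '$requested' already exists\n";
}
echo "next free UID: ", nextFreeUid($users), "\n";
```

On a live system the file has to be locked while it is read and appended to, which useradd and vipw do for you.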
May 7th, 2003 08:32 PM
Thank you; being on Windows, I forgot to mention, it should be similar. I emailed the company KeyFocus for more information on their internal language and they directed me to where I could download the source code for my administration page. I've been reading this through the night; it looks very similar to php syntax, they call it kfl language. I read up about SSL as you mention about encrypting transmitted data. I've heard of SSL so I read up on it last night, and they are going to get back to me on how I can get a certificate sign request from my server. They have a 30 day trial.
You mention blowfish, which I have heard about, so I'm gonna read about that too. Maybe instead of SSL, if my server doesn't support that, I can try blowfish, anything to secure. My idea is to just set up a small system that will not be public because I'm doing this just for my learning process. It's already becoming an interesting project.
You have given me some more ideas and now I have some direction. I thank you for these ideas. Well, I'm off to do some reading. First thing I'm gonna try is to get a web site added without the use of the admin page.
Thanks so much.
May 7th, 2003 10:57 PM
From my understanding, what you want to do is create a system account from a PHP script? This is not something which should be done lightly, but it can be done safely with care.
I'm not totally sure how to do it on Windows. However, regardless of whether you are on Windows or Unix, you will need to obtain Administrator / root privileges to create a new account (maybe on Windows you can get away with slightly less, but maybe not).
Normally PHP scripts run under a low privilege user and hence will not be able to do things like creating new system accounts.
Therefore, I suggest that you employ a small dedicated web site / web server that runs under a more privileged user just for the purposes of account creation (run all the other web sites under a normal user). The method of doing this is system and web server specific. Seeing as you haven't specified what OS and what web server, I cannot help you here.
To actually create the accounts, I suggest you execute a system command with system(). On Unix-like systems this is typically a matter of running useradd with the appropriate parameters. On NT systems you can use "net user".
Be very careful with the filesystem permissions when doing this, to ensure that no unprivileged user can write to any of the files or directories which are used by the registration system otherwise they will be able to get root.
Once you can add system users, your FTP server will presumably pick them up automatically. You might need to do other privileged operations at the same time (for example: create home directories, set up quotas).
You will want to set your FTP server up so that it only gives users access to their home directories probably.
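Added example, not part of the post above: one way to run useradd from PHP without letting form input reach a shell, with the password handed to chpasswd on stdin. The username policy, the nologin path and the sample inputs are assumptions; the dry-run default only returns the arguments, so it runs without root.

```php
<?php
// Added example: validate sign-up input, then create a no-shell account.
// The username policy and the nologin path are assumptions for illustration.
/** Return $name if it passes a strict allowlist, otherwise throw. */
function validateUsername(string $name): string
{
    // \A and \z anchor the whole string, so a trailing newline is rejected.
    if (!preg_match('/\A[a-z][a-z0-9_-]{2,31}\z/', $name)) {
        throw new InvalidArgumentException('invalid username');
    }
    return $name;
}

/** Run a program from an argument array (PHP 7.4+), so no shell parses it. */
function run(array $argv, string $stdin = ''): int
{
    $proc = proc_open($argv, [0 => ['pipe', 'r']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $argv[0]);
    }
    fwrite($pipes[0], $stdin);
    fclose($pipes[0]);
    return proc_close($proc);
}

/** Create the account; with $dryRun it only returns the useradd arguments. */
function createAccount(string $name, string $password, bool $dryRun = true): array
{
    $name = validateUsername($name);
    if ($password === '' || strpbrk($password, "\r\n") !== false) {
        throw new InvalidArgumentException('invalid password');
    }
    $argv = ['useradd', '--create-home', '--shell', '/usr/sbin/nologin', '--', $name];
    // chpasswd reads "user:password" on stdin, keeping it out of `ps` output.
    if (!$dryRun && (run($argv) !== 0 || run(['chpasswd'], "$name:$password\n") !== 0)) {
        throw new RuntimeException('account creation failed');
    }
    return $argv;
}

// Constructed form inputs; only the first should be accepted.
foreach (['alice', 'bob; id', "carol\n"] as $input) {
    try {
        echo implode(' ', createAccount($input, 'constructed-Passw0rd')), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($input), ': ', $e->getMessage(), "\n";
    }
}
```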
May 8th, 2003 04:14 AM
The operating system is Win98 and the server is KeyFocus Web Server www.keyfopcus.net. The server is actually quite easy to use because I don't have to open any config script to make changes; I just log into my admin page and I can add sites, delete sites, change settings. In Windows 98 I have the FAT32 file system without any file permissions. I'm not quite sure how the server handles file permissions but looks like I should find out. I do know that there are file permissions as I can assign a site to, say, a directory site1 within my htdocs. I can then set a realm or group of access users or choose the realm FreeForall. The realm is a group of users which are allowed access; then I can assign any realm I want to a directory and then assign the directory to the site.
I was reading up on it and an email I got back from KeyFocus suggested I download the free source code for the administration. It's strange how it works, but it's a similar language to php they call kfl and they use this to make a script, then it is compiled into binary code as a *.ckf file. So this makes me think that it's all internal to the server, hard-coded somehow. But when I read through it last night seemed to be
Seems there are a lot of internal functions they hard-coded. I did find a function definition for showEditRealmUserForm; it appeared to display the form, format the input, then store it into the config file. This seems simple enough for me to copy. But for the FTP server I'm not so sure. It's called Cerberus FTP server. It has a GUI interface too, where I can use the buttons and fields to add and delete users. And it also seems to have some way of setting file and folder permissions. The file I found, users.pro, seemed to contain all the users' information including root directory, user name, password, plain text for the password. So I was thinking of using php to maybe fopen(), fwrite()
$showml = showEditRealmUserForm("");
I'm somewhat familiar with the system() function in php. I can understand the idea behind it. I'm guessing that because I'm on Windows using a GUI interface things are different than they would be in Linux or Unix.
To help me understand I like to compare to this site, AntiOnline. Say they use Apache, and it uses a httpd.config file. My config is controlled by the admin page I access through my browser, but I can access the file in Notepad to make manual changes. But with this site they have a discussion forum, and their sign-up page gathers the information, parses it, perhaps encrypts it to the server. I can handle writing a php script that would open my users.pro file in my FTP, format and add the data, which probably something in there tells the file permissions. I could figure out the format. But is this the usual process? Is this relatively secure? I'm confused.
May 9th, 2003 06:32 PM
I think that running that on win98 would be a bad idea.
Without the notion of user accounts, win98 allows any access to everyone. This includes PHP scripts.
So even if you did get it working, anyone who created a PHP script would effectively have rooted your box. That would be bad.
So even with the restrictions on the web server and ftp server, if they can execute any kind of code at all (like php), they can gain any level of access.