How do I add users using Python scripts on a Linux machine

  • Sebastian 'lunar' Wiesner

    #16
    Re: How do I add users using Python scripts on a Linux machine

    [ Ivan Voras <ivoras@fer.hr> ]
    >Sebastian 'lunar' Wiesner wrote:
    >>Carsten Haese <carsten@uniqsys.com> typed
    >>
    >>>I don't think that that has anything to do with Linux or not. The
    >>>script is not the actual executable, hence its suid bit is
    >>>irrelevant.
    >>>
    >>I don't think so. From what I know, the script is passed as
    >>executable to the kernel loader, which interprets the shebang and
    >>feeds the script through the correct interpreter. So the kernel
    >>loader sees the script itself as executable instead of the
    >>interpreter binary. I've heard of other Unix systems, which handle
    >>this differently (meaning that the SUID bit on scripts has an
    >>effect), but I may be wrong.
    >>
    >Yes, the kernel parses #! but the suid-ness is still controlled by the
    >target interpreter (i.e. python executable). At least BSD systems also
    >behave this way.

    I don't think that the interpreter controls SUID-ness. Privileges are
    always handled by the kernel. At least the kernel needs to agree when
    a normal user wants to execute a SUID script.

    --
    Freedom is always the freedom of dissenters.
    (Rosa Luxemburg)

    • garylinux@gmail.com

      #17
      Re: How do I add users using Python scripts on a Linux machine

      I find that I can often live with a 0-60 sec. pause, and set the command in
      a queue like
      then have a cron that runs once a min as the user you need to run this
      on, that looks at the queue and sees if there are any pending.

      I often use a SQL database for this.

      • Piet van Oostrum

        #18
        Re: How do I add users using Python scripts on a Linux machine

        >>>>Sebastian 'lunar' Wiesner <basti.wiesner@gmx.net> (SW) wrote:
        >SW>I don't see a problem with SUID on scripts. If you restrict write access
        >SW>to the owner, modification is hardly possible.
        >SW>However, if you allow world-wide write access to your binaries and
        >SW>scripts, both can easily be modified...
        The scenario is as follows: Suppose the script starts with the line:
        #!/usr/bin/python

        (using #!/usr/bin/env python would be disastrous because the user could
        supply his own `python interpreter' in his PATH.)

        Now a malicious user can make a link to this file in his own directory,
        e.g. to /Users/eve/myscript1. Because permissions are part of the file
        (inode), not of the file name, this one is also suid.

        Now she execs /Users/eve/myscript1. The kernel, when honoring suid scripts,
        would start up python with effective uid root with the command line:
        /usr/bin/env /Users/eve/myscript1

        Now in another process eve changes the link /Users/eve/myscript1 to
        point to another script /Users/eve/myscript2. If she manages to change the
        link between the startup of the python executable and the interpreter
        opening the file /Users/eve/myscript1, she has her own script running as
        root.

        Of course the timing is a bit critical but if you try often enough some
        time it will succeed. The problem is the time window between starting the
        executable and opening the script. There is no guarantee that the file will
        be the same. It can only be made safe if interpreters can be passed inodes
        or opened files by the kernel, but that is not how most interpreters work.
        At least not python.
        --
        Piet van Oostrum <piet@cs.uu.nl>
        URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C4]
        Private email: piet@vanoostrum.org

        • Lawrence D'Oliveiro

          #19
          Re: How do I add users using Python scripts on a Linux machine

          In message <m2hcv651ta.fsf@ordesa.cs.uu.nl>, Piet van Oostrum wrote:
          >The scenario is as follows: Suppose the script starts with the line:
          >#!/usr/bin/python
          >
          >(using #!/usr/bin/env python would be disastrous because the user could
          >supply his own `python interpreter' in his PATH.)
          >
          >Now a malicious user can make a link to this file in his own directory,
          >e.g. to /Users/eve/myscript1. Because permissions are part of the file
          >(inode), not of the file name, this one is also suid.
          >
          >Now she execs /Users/eve/myscript1. The kernel, when honoring suid
          >scripts, would start up python with effective uid root with the command
          >line: /usr/bin/env /Users/eve/myscript1

          No it wouldn't. This security hole was fixed years ago.

          • Piet van Oostrum

            #20
            Re: How do I add users using Python scripts on a Linux machine

            >>>>Lawrence D'Oliveiro <ldo@geek-central.gen.new_zealand> (LD) wrote:
            >LD>No it wouldn't. This security hole was fixed years ago.

            How?
            --
            Piet van Oostrum <piet@cs.uu.nl>
            URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C4]
            Private email: piet@vanoostrum.org

            • Lawrence D'Oliveiro

              #21
              Re: How do I add users using Python scripts on a Linux machine

              In message <m2bqlctbce.fsf@ordesa.lan>, Piet van Oostrum wrote:
              >>>>>Lawrence D'Oliveiro <ldo@geek-central.gen.new_zealand> (LD) wrote:
              >LD>In message <m2hcv651ta.fsf@ordesa.cs.uu.nl>, Piet van Oostrum wrote:
              >
              >>The scenario is as follows: Suppose the script starts with the line:
              >>#!/usr/bin/python
              >>
              >>(using #!/usr/bin/env python would be disastrous because the user could
              >>supply his own `python interpreter' in his PATH.)
              >>
              >>Now a malicious user can make a link to this file in his own directory,
              >>e.g. to /Users/eve/myscript1. Because permissions are part of the file
              >>(inode), not of the file name, this one is also suid.
              >>
              >>Now she execs /Users/eve/myscript1. The kernel, when honoring suid
              >>scripts, would start up python with effective uid root with the command
              >>line: /usr/bin/env /Users/eve/myscript1
              >
              >LD>No it wouldn't. This security hole was fixed years ago.
              >
              >How?

              Systems which allow set-uid scripts also usually support referring to open
              file descriptors n via a pathname like /dev/fd/n. This might be done by
              mounting a special pseudo-filesystem (fdfs) on /dev/fd. (This was how I
              remember it being done on DEC UNIX.)

              So when the kernel detects that an executable file is actually a script,
              it opens the script file on some file descriptor n, and passes the
              name /dev/fd/n to the script interpreter, instead of the original script
              pathname. That way, there is no opportunity for deceiving the process into
              executing the wrong script with set-uid privileges.

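The window Piet describes in #18 and the /dev/fd/n fix Lawrence describes in #21, as an added example that is not code from the thread: it re-creates the relink with ordinary unprivileged files in a temporary directory and shows that a path-based re-open follows the swapped link, while an open through the descriptor taken at exec time still yields the original file. All file names and contents are constructed.

```python
import os
import tempfile

# Added example (not from the thread). Ordinary files in a temp dir stand in
# for the suid script; no privileges are involved. Compares a path-based
# re-open with a descriptor-based one (/dev/fd/n) after the link is swapped.

def path_vs_descriptor_race(tmpdir=None):
    """Return what a path-based and an fd-based open each see after a relink."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return path_vs_descriptor_race(d)
    trusted = os.path.join(tmpdir, "trusted_script")  # constructed: real script
    other = os.path.join(tmpdir, "other_script")      # constructed: eve's script
    link = os.path.join(tmpdir, "myscript1")          # constructed: eve's link
    with open(trusted, "w") as f:
        f.write("#!/usr/bin/python\nprint('trusted')\n")
    with open(other, "w") as f:
        f.write("#!/usr/bin/python\nprint('other')\n")
    os.symlink(trusted, link)

    # 1. exec time: the kernel inspects (and, in the fixed design, opens)
    #    the file the link points to right now and keeps descriptor n.
    fd = os.open(link, os.O_RDONLY)
    exec_ino = os.fstat(fd).st_ino

    # 2. the window: eve repoints the link before the interpreter opens it.
    os.unlink(link)
    os.symlink(other, link)

    # 3a. interpreter opens by pathname: follows the link as it is now.
    with open(link) as f:
        by_path = f.read()
    # 3b. interpreter opens /dev/fd/n: bound to the inode opened at exec.
    fd_path = "/dev/fd/%d" % fd
    if os.path.exists(fd_path):
        with open(fd_path) as f:
            by_fd = f.read()
    else:  # no /dev/fd on this platform: read the descriptor directly
        by_fd = os.read(fd, 4096).decode()
    os.close(fd)
    return {
        "by_path": by_path,
        "by_fd": by_fd,
        "path_still_trusted": os.stat(link).st_ino == exec_ino,
    }

if __name__ == "__main__":
    print(path_vs_descriptor_race())
```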