Recently I've made an email server with postfix & dovecot and an open source web email client. Works great! But I need a way for my users & friends to choose their email address & password. Currently I have to generate accounts for them manually, which means I know their password to the email and some people don't like that.
First off I understand how giving http access to sudo/unix commands is dangerous. I already know and I've sanitized all commands to make sure only a-z 0-9 is allowed, no symbols (this will be changed for password so they may be more secure).
So I've given http sudo access in visudo
http ALL=(ALL) NOPASSWD: ALL
However when I try to use useradd -m -s /usr/bin/nologin -p $2 $1 I get an error.
Apr 02 12:48:26 archphoenix useradd[8007]: pam_unix(useradd:auth): conversation failed
Apr 02 12:48:26 archphoenix useradd[8007]: pam_unix(useradd:auth): auth could not identify password for [http]
Apr 02 12:48:26 archphoenix useradd[8007]: Authentication token manipulation error
Apr 02 12:48:26 archphoenix useradd[8007]: failed adding user 'testuserr', data deleted
I've looked around dozens of forums and wikis trying to find an answer, and the closest thing I've found is something related to /etc/pam.d/useradd or /etc/pam.d/system-auth. I'm not sure how to edit these. Adding 'debug' to 'useradd' gives me one extra line in journalctl:
Apr 02 13:03:25 archphoenix useradd[22687]: pam_rootok(useradd:auth): root check failed
I've also tried sudo -u http useradd -m -s /bin/bash -p $2 $1 in the bash script and nothing happens. No user added and no error in journalctl.
You still need to use sudo to run the command, you just won't get prompted for a password...
sudo useradd -m -s /usr/bin/nologin -p $2 $1
A safer thing would be to change your line in sudoers to...
http ALL=(ALL) NOPASSWD: useradd -m -s /usr/bin/nologin -p
This would mean that the http user could only run that specific command with root privileges.
I tried that option in visudo just now,
>>> /etc/sudoers: syntax error near line 101 <<<
What now?
I've even tried
http ALL=(ALL) NOPASSWD: /usr/bin/useradd, /usr/bin/touch, /usr/bin/gpasswd, /usr/bin/chown, /usr/bin/chmod, /usr/bin/mkdir, /usr/bin/passwd, /usr/bin/echo, /usr/bin/postmap
which gives me a completely different error.
Apr 02 13:33:43 archphoenix sudo[26291]: http : command not allowed ; TTY=unknown ; PWD=/srv/http/testshscript ; USER=root ; COMMAND=useradd -m -s /usr/bin/nologin -p password testuserr
The full bash script is here.
#!/bin/bash
# $1 = username, $2 = password (the caller has already restricted both to a-z0-9)
sudo /usr/bin/touch /home/phoenix/testfile2
if [ -d "/home/$1" ]
then
    echo "Username $1 already exists. Pick another username."
else
    sudo useradd -m -s /usr/bin/nologin -p "$2" "$1"
    sudo gpasswd -a "$1" postfix
    sudo touch "/var/spool/mail/$1"
    sudo chown "$1:postfix" "/var/spool/mail/$1"
    sudo chmod o-r "/var/spool/mail/$1"
    sudo chmod g+rw "/var/spool/mail/$1"
    sudo mkdir "/home/$1/Mailbox"
    sudo chown -R "$1:$1" "/home/$1/Mailbox"
    # chpasswd must run as root, not as http; sudo on the echo itself is not needed
    echo "$1:$2" | sudo chpasswd
    echo "User <b>$1</b> has been created with the password <b>$2</b>"
fi
The touch command works and runs under sudo.
Apr 02 13:50:56 archphoenix sudo[27201]: http : TTY=unknown ; PWD=/srv/http/testshscript ; USER=root ; COMMAND=/usr/bin/touch /home/phoenix/testfile2
Apr 02 13:50:56 archphoenix sudo[27201]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 02 13:50:56 archphoenix sudo[27201]: pam_unix(sudo:session): session closed for user root
[root@archphoenix pam.d]# ls -la /home/phoenix | grep testfile
-rw-r--r-- 1 root root 0 Apr 1 10:41 testfile
-rw-r--r-- 1 root root 0 Apr 2 13:50 testfile2
Last edited by samstarnes (2018-04-02 17:55:04)
Ended up figuring it out. I was doing "sudo useradd etc...." when I should've used the full command name "sudo /usr/bin/useradd etc...." for ALL the bash commands. Echo is the only thing that seems to work without including /usr/bin
Now I just need to clean it up, make a nicer html page for it and include a change password/recovery option for users.
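Building on Trilby's suggestion to grant the http user a single command in sudoers and on the finding above that sudoers matches commands by their full path, here is an added example that is not code from this thread: one root-run wrapper script that becomes the only command http may run through sudo. Assumed names are /usr/local/bin/mkmailuser as the install path and the sudoers line shown in its header comment; the username check is the a-z0-9 restriction from the first post, and the password is read from stdin rather than passed as an argument so it does not show up in the process list or in sudo's log line.

```shell
#!/bin/bash
# Added example, not code from the thread. A single root-run wrapper that
# the web server invokes via sudo, so sudoers grants exactly one fixed
# command instead of NOPASSWD on useradd, chown, chmod, ... separately.
# Assumed sudoers entry (sudoers matches on the full path):
#   http ALL=(root) NOPASSWD: /usr/local/bin/mkmailuser
# Assumed call from the web script (password on stdin, so it is not visible
# in the process list or in sudo's log line):
#   printf '%s\n' "$pass" | sudo /usr/local/bin/mkmailuser "$user"
# /usr/local/bin/mkmailuser is an assumed install path; /var/spool/mail,
# the postfix group and the Mailbox directory follow the thread.
set -eu
export LC_ALL=C

# Username: lowercase a-z and 0-9 only, starts with a letter, 3-32 chars.
# Returns 0 when valid, 1 otherwise.
valid_username() {
    case "$1" in
        *[!a-z0-9]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -ge 3 ] && [ "${#1}" -le 32 ]
}

# Password: printable ASCII only, no ':' (chpasswd's field separator),
# 12-128 chars. Returns 0 when valid, 1 otherwise.
valid_password() {
    case "$1" in
        *:*) return 1 ;;
    esac
    # tr deletes every byte in space..tilde; anything left over is rejected
    [ "$(printf '%s' "$1" | tr -d ' -~' | wc -c)" -eq 0 ] || return 1
    [ "${#1}" -ge 12 ] && [ "${#1}" -le 128 ]
}

# Create the mail account for $1; the password is read from stdin.
provision() {
    user=$1
    valid_username "$user" || { echo "invalid username" >&2; return 2; }
    IFS= read -r pass
    valid_password "$pass" || { echo "invalid password" >&2; return 2; }
    if getent passwd "$user" >/dev/null; then
        echo "user $user already exists" >&2; return 3
    fi
    /usr/bin/useradd -m -s /usr/bin/nologin "$user"
    # useradd -p expects an already-hashed value; let chpasswd hash it instead
    printf '%s:%s\n' "$user" "$pass" | /usr/bin/chpasswd
    /usr/bin/gpasswd -a "$user" postfix
    /usr/bin/touch "/var/spool/mail/$user"
    /usr/bin/chown "$user:postfix" "/var/spool/mail/$user"
    /usr/bin/chmod 0660 "/var/spool/mail/$user"
    /usr/bin/mkdir -p "/home/$user/Mailbox"
    /usr/bin/chown -R "$user:$user" "/home/$user/Mailbox"
}

# Only act when called with exactly one argument as root; loading the file
# with no arguments just defines the functions above.
if [ "$#" -eq 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run via sudo as root" >&2; exit 1; }
    provision "$1"
fi
```

Because the sudoers entry names the wrapper and nothing else, the web server cannot use its sudo grant to run useradd, chown or chpasswd with arguments of its own choosing; every argument the privileged code sees has passed the two validators first, and the wrapper's own calls use full paths, which is what sudoers requires for the grant to match.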
... which means I know their password to the email and some people don't like that.
Tough beans for them. It really doesn't matter if you know their password or not: if you have root access on the server, you can do whatever you want with or without knowing their password. Your ethics are the only thing that prevent you reading their email or sending messages out as their user (and hopefully your ethics are quite effective in this regard); being ignorant of users' passwords does nothing to further prevent such abuse.
Last edited by Trilby (2018-04-04 02:02:17)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
samstarnes wrote:... which means I know their password to the email and some people don't like that.
Tough beans for them. It really doesn't matter if you know their password or not: if you have root access on the server, you can do whatever you want with or without knowing their password. Your ethics are the only thing that prevent you reading their email or sending messages out as their user (and hopefully your ethics are quite effective in this regard); being ignorant of users' passwords does nothing to further prevent such abuse.
Yeah, I know. But some people are just "like that" where they feel uncomfortable about someone having their password. Plus the passwords I make are usually randomized 24-30 characters, a-zA-Z0-9 with symbols. Kind of hard to memorize. Making emails this way is easier in case I'm not around and they want to make additional emails for other services.