Solved

Possible to Create a User in a Program

Posted on 2000-04-10
4
242 Views
Last Modified: 2010-04-21
I would like to know if it possible to add a user to a Unix system within a program that does not require root privelege. I would like to do this using Java if possible.
0
Comment
Question by:andrewmchorney
  • 2
4 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 2701659
Yes, it's possible to progamatically add a users, and no, you can't do it without root privs. Either the main task must have root privs or the external commands that the task could call would have to have root privs.
0
 

Author Comment

by:andrewmchorney
ID: 2702009
Suppose I have a Java application that would like to create a new user after a user id and passeord was entered in the screen. Could the Java application execute commands or a program that require root priveleges without the Java program running as root.

I would think that an average user application could not start up a program that requires root priveleges.

0
 

Author Comment

by:andrewmchorney
ID: 2702098
Suppose I have a Java application that would like to create a new user after a user id and passeord was entered in the screen. Could the Java application execute commands or a program that require root priveleges without the Java program running as root.

I would think that an average user application could not start up a program that requires root priveleges.

0
 
LVL 2

Accepted Solution

by:
festive earned 50 total points
ID: 2702355
Jlevie is quite correct: unix uses a heirachical permissions model, which gives only the superuser (or equivalent account) access to administrative functions such as adding new accounts.

I have done exactly what you are talking about in the following way:

I have created a Java Application (NOT APPLET - due to applet security restrictions) which talks to a native method (small c program).

The server (Java) does not need or warrant setuid (root) priviledges, so it runs as "nobody", and the c program after being compiled runs as SETUID root.

Care must be taken to ensure the following:
1) that the setuid program is not executable by anyone but the server process etc.

2) that there is some authentication for the account ( ie a checksum/key etc) we use a key and an LFSR (Linear Feedback Shift Register) to validate requests). Ideally all requests and responses to the program should be encrypted with one-time synchronised keys or public key encryption (ie the main program has a public and private key, and the c program has the same)

3) the account should be setup so that no one can log into it (through any services) and strong controls/SSL should be used if it is to be internet/intranet deployed.

Hope this helps
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now