• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 276
  • Last Modified:

Possible to Create a User in a Program

I would like to know if it possible to add a user to a Unix system within a program that does not require root privelege. I would like to do this using Java if possible.
0
andrewmchorney
Asked:
andrewmchorney
  • 2
1 Solution
 
jlevieCommented:
Yes, it's possible to progamatically add a users, and no, you can't do it without root privs. Either the main task must have root privs or the external commands that the task could call would have to have root privs.
0
 
andrewmchorneyAuthor Commented:
Suppose I have a Java application that would like to create a new user after a user id and passeord was entered in the screen. Could the Java application execute commands or a program that require root priveleges without the Java program running as root.

I would think that an average user application could not start up a program that requires root priveleges.

0
 
andrewmchorneyAuthor Commented:
Suppose I have a Java application that would like to create a new user after a user id and passeord was entered in the screen. Could the Java application execute commands or a program that require root priveleges without the Java program running as root.

I would think that an average user application could not start up a program that requires root priveleges.

0
 
festiveCommented:
Jlevie is quite correct: unix uses a heirachical permissions model, which gives only the superuser (or equivalent account) access to administrative functions such as adding new accounts.

I have done exactly what you are talking about in the following way:

I have created a Java Application (NOT APPLET - due to applet security restrictions) which talks to a native method (small c program).

The server (Java) does not need or warrant setuid (root) priviledges, so it runs as "nobody", and the c program after being compiled runs as SETUID root.

Care must be taken to ensure the following:
1) that the setuid program is not executable by anyone but the server process etc.

2) that there is some authentication for the account ( ie a checksum/key etc) we use a key and an LFSR (Linear Feedback Shift Register) to validate requests). Ideally all requests and responses to the program should be encrypted with one-time synchronised keys or public key encryption (ie the main program has a public and private key, and the c program has the same)

3) the account should be setup so that no one can log into it (through any services) and strong controls/SSL should be used if it is to be internet/intranet deployed.

Hope this helps
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now