UserAddByWeb, as the name implies, is a program that allows the creation of user accounts using the web. Anybody who wants to have a user account on your server can use any web-browser to connect to this program and have his account created instantly.
This package was written by Nimrod Zimerman, zimerman.AT.mailandnews.com, and contributed to openwebmail by Nimrod S. Carmi, simba.AT.schoolsucks.com. It has since become an orphaned program and no update or patch is forthcoming.
As is, this program is quite rough and will not work. You need to do some tweaking before it will do what you want it to do.
The program can be downloaded at:
http://openwebmail.org/openwebmail/download/contrib/useraddbyweb.tar.gz
This is an installation procedure for Redhat-7.1, 7.2 and 7.3. I presume that the cgi program will be installed in /var/www/cgi-bin/useraddbyweb/ and the html program in /var/www/html/useraddbyweb/.
Install useraddbyweb as root. This makes the installation much easier. I presume that the source program is in /root/useraddbyweb.tar.gz
tar xvfz useraddbyweb.tar.gz
cd useraddbyweb-20010630
useradd_wrapper requires the UID of the one executing this program. Since this will be run by the cgi program, useraddbyweb.pl, it is run by the web server. In Redhat-7.1, 7.2 and 7.3, this user is apache. So get the UID of apache for your server.
cat /etc/passwd | grep apache
On my server, the UID and GID of apache are 48.
line 47:
#define ALLOWED_UID 420 ==> #define ALLOWED_UID 48
line 404:
comment this out: /* exec_chfn(username, name); */
If this line is left in, an error is issued even though the user account is created successfully.
line 135:
system ("./useradd_wrapper", $username, $name, $password) == 0
==> system ("/var/www/cgi-bin/useraddbyweb/useradd_wrapper", $username, $name, $password) == 0
It is necessary to use the full path to useradd_wrapper, otherwise perl will complain about "Insecure $ENV{PATH}".
All calls to subroutines (lines 30 to 34) must be prefixed with &, otherwise perl will complain about "called too early to check prototype."
&validate_input();
&check_username_existence ($username);
&create_user ($username, $name, $password1);
&log_user ($username, $name, $country, $yearofbirth);
&emit_user_created_page ($username);
In line 161, sub emit_user_created_page($), just after the first '{' and before the print statement, add a line:
my ($username) = (@_);
<FORM action="useraddbyweb.pl" method="post">
==> <FORM action="http://your.domain.com/cgi-bin/useraddbyweb/useraddbyweb.pl" method="post">
Again, the full path is required.
CC = gcc-2.95 ==> CC = gcc
make
mkdir /var/www/html/useraddbyweb
cp useraddbyweb.html /var/www/html/useraddbyweb/
mkdir /var/www/cgi-bin/useraddbyweb
cp incorrect_input.thtml /var/www/cgi-bin/useraddbyweb/
cp user_created.thtml /var/www/cgi-bin/useraddbyweb/
cp user_exists.thtml /var/www/cgi-bin/useraddbyweb/
cp useradd_wrapper /var/www/cgi-bin/useraddbyweb/
cp useraddbyweb.pl /var/www/cgi-bin/useraddbyweb/
The directory Modules and all the files under it must be moved to where your perl places its .pm files:
mv Modules /usr/lib/perl5/5.6.1/
cd /var/www/cgi-bin/useraddbyweb
chown root:apache *
chmod 4755 useradd_wrapper
chmod 4755 useraddbyweb.pl
http://your.domain.com/useraddbyweb/useraddbyweb.html
and everything should work fine. Cross your fingers!
Although I do not use this program myself, there still seems to be a demand for this kind of program. So, I installed this program in Fedora Core 3, using perl-5.8.5-9, to check if the instructions above are still valid. Lo and behold, it did not work anymore. I had to do some tweaking to make it work again.
Note: This is due to the changes made in perl version 5.8.4.
After some investigation, the culprit is useraddbyweb.pl. And after some experimentation, I have found 2 solutions to the problem.
cd /var/www/cgi-bin/useraddbyweb
Edit useraddbyweb.pl and comment out:
use Modules::Log; ==> #use Modules::Log;
Change the permission of useraddbyweb.pl to:
chmod 0755 useraddbyweb.pl
With useraddbyweb.pl suid root, due to security concerns, the $ENV{PATH} must be specifically set. The following correction to /var/www/cgi-bin/useraddbyweb/useraddbyweb.pl will solve the error message:
Insecure $ENV{PATH} while running setuid at /var/www/cgi-bin/useraddbyweb/useraddbyweb.pl line 135.
Just add the following line right after "# Release 20010630." (line 4):
$ENV{PATH} = ''; # notice: it is 2 single quotes
According to perlsec: "Perl automatically enables a set of special security checks, called taint mode, when it detects its program running with differing real and effective user or group IDs." So there is a need to untaint variables coming from the remote client. To solve the following error message:
Insecure dependency in system while running setuid at /var/www/cgi-bin/useraddbyweb/useraddbyweb.pl line 135.
edit useraddbyweb.pl and go to line 134 right after "my ($username, $name, $password) = (@_);" and add the following lines:
$username =~ /(.*)/;
$username = $1;
$name =~ /(.*)/;
$name = $1;
$password =~ /(.*)/;
$password = $1;
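These lines of code will untaint the 3 variables ($username, $name, $password) passed by the remote client. Because /(.*)/ matches any input, they clear the taint flag without checking the values, so any real validation of the client's data has to happen elsewhere in the script.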
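An added example, not part of useraddbyweb.pl: the same untainting step done with anchored allowlist patterns, so that a value loses its taint only if it also passes validation. The untaint_field helper, the three patterns and the sample submissions are assumptions made for illustration.

```perl
use strict;
use warnings;

# Added example, not from useraddbyweb.pl. The patterns are assumed policy;
# align them with what useradd accepts on your system.
my %ALLOWED = (
    username => qr/\A([a-z_][a-z0-9_-]{0,30})\z/,      # lowercase login name
    name     => qr/\A([A-Za-z][A-Za-z .'-]{0,63})\z/,  # GECOS text, no ':' or ','
    password => qr/\A([\x21-\x7e]{8,64})\z/,           # printable ASCII, no spaces
);

# Return the captured (untainted) value if it matches the allowlist for
# this field, otherwise undef. The capture is what clears the taint flag,
# so the pattern is the only check between the client and the wrapper.
sub untaint_field {
    my ($field, $value) = @_;
    my $re = $ALLOWED{$field} or die "no pattern for field '$field'\n";
    return undef unless defined $value;
    return $value =~ $re ? $1 : undef;
}

# Constructed sample submissions.
my @samples = (
    { username => 'jdoe',       name => 'John Doe', password => 'S3cret-pass' },
    # /(.*)/ would silently keep only "jdoe" here; \A...\z rejects it.
    { username => "jdoe\nroot", name => 'John Doe', password => 'S3cret-pass' },
    { username => '-o',         name => 'x:0:0',    password => 'short' },
);

for my $in (@samples) {
    my (%clean, @bad);
    for my $field (sort keys %ALLOWED) {
        my $v = untaint_field($field, $in->{$field});
        if (defined $v) { $clean{$field} = $v } else { push @bad, $field }
    }
    if (@bad) {
        print "rejected: bad ", join(', ', @bad), "\n";
        next;
    }
    # Only at this point would the CGI go on to run
    # /var/www/cgi-bin/useraddbyweb/useradd_wrapper with %clean.
    print "accepted: $clean{username}\n";
}
```

Run it with perl -T to have Perl enforce taint checks on anything that bypasses untaint_field.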
Fr. Visminlu Vicente L. Chua, S.J.
2002/09/18
Updated: 2005/04/17