UserAddByWeb

How to Install

UserAddByWeb, as the name implies, is a program that allows the creation of user accounts using the web. Anybody who wants to have a user account on your server can use any web-browser to connect to this program and have his account created instantly.

This package was written by Nimrod Zimerman (zimerman.AT.mailandnews.com) and contributed to openwebmail by Nimrod S. Carmi (simba.AT.schoolsucks.com). However, it has become an orphaned program, and no update or patch is forthcoming.

As is, this program is quite rough and will not work. You need to do some tweaking before it will do what you want it to do.

The program can be downloaded at:

http://openwebmail.org/openwebmail/download/contrib/useraddbyweb.tar.gz

This is an installation procedure for Redhat-7.1, 7.2 and 7.3. I presume that the cgi program will be installed in /var/www/cgi-bin/useraddbyweb/ and the html program in /var/www/html/useraddbyweb/.

Install useraddbyweb as root. This makes the installation much easier. I presume that the source program is in /root/useraddbyweb.tar.gz

o Untar the software

tar xvfz useraddbyweb.tar.gz
cd useraddbyweb-20010630

useradd_wrapper requires the UID of the one executing this program. Since this will be run by the cgi program, useraddbyweb.pl, it is run by the web server. In Redhat-7.1, 7.2 and 7.3, this user is apache. So get the UID of apache for your server.

cat /etc/passwd | grep apache

On my server, the UID and GID of apache are both 48.

o Edit useradd_wrapper.c and change:

line 47:

#define ALLOWED_UID 420 ==> #define ALLOWED_UID 48

line 404:

comment this out: /* exec_chfn(username, name); */

If this line is left in, an error is issued even though the user account has been created successfully.

o Edit useraddbyweb.pl and change:

line 135:

system ("./useradd_wrapper", $username, $name, $password) == 0
==> system ("/var/www/cgi-bin/useraddbyweb/useradd_wrapper", $username, $name, $password) == 0

It is necessary to use the full path to useradd_wrapper, otherwise perl will complain about "Insecure $ENV{PATH}".

All calls to subroutines (lines 30 to 34) must be prefixed with &, otherwise perl will complain about "called too early to check prototype."

&validate_input();

&check_username_existence ($username);
&create_user ($username, $name, $password1);
&log_user ($username, $name, $country, $yearofbirth);
&emit_user_created_page ($username);

In line 161, sub emit_user_created_page($), just after the first '{' and before the print statement, add a line:

my ($username) = (@_);

o Edit useraddbyweb.html and change line 20:

<FORM action="useraddbyweb.pl" method="post">
==> <FORM action="http://your.domain.com/cgi-bin/useraddbyweb/useraddbyweb.pl" method="post">

Again, the full path is required.

o Edit Makefile and change line 1:

CC = gcc-2.95 ==> CC = gcc

o Compile

make

o Create placement directories and copy the necessary files:

mkdir /var/www/html/useraddbyweb
cp useraddbyweb.html /var/www/html/useraddbyweb/

mkdir /var/www/cgi-bin/useraddbyweb
cp incorrect_input.thtml /var/www/cgi-bin/useraddbyweb/
cp user_created.thtml /var/www/cgi-bin/useraddbyweb/
cp user_exists.thtml /var/www/cgi-bin/useraddbyweb/
cp useradd_wrapper /var/www/cgi-bin/useraddbyweb/
cp useraddbyweb.pl /var/www/cgi-bin/useraddbyweb/

The directory Modules and all the files under it must be moved to where your perl places its .pm files:

mv Modules /usr/lib/perl5/5.6.1/

o All the files must be owned by root:apache. The executable files must be setuid root, otherwise they cannot do what they intend to do.

cd /var/www/cgi-bin/useraddbyweb
chown root:apache *
chmod 4755 useradd_wrapper
chmod 4755 useraddbyweb.pl

o Installation is finished. Use your browser to point to:

http://your.domain.com/useraddbyweb/useraddbyweb.html

and everything should work fine. Cross your fingers!

o Updated for Fedora Core 3, perl-5.8.5-9 (2005/04/06)

Although I do not use this program myself, there still seems to be a demand for this kind of program. So I installed it on Fedora Core 3, using perl-5.8.5-9, to check whether the instructions above are still valid. Lo and behold, it did not work anymore. I had to do some tweaking to make it work again.

Note: This is due to the changes made in perl version 5.8.4.

After some investigation, the culprit turned out to be useraddbyweb.pl. After some experimentation, I found 2 solutions to the problem.

Solution 1: useraddbyweb.pl not suid root:

cd /var/www/cgi-bin/useraddbyweb

Edit useraddbyweb.pl and comment out:

use Modules::Log; ==> #use Modules::Log;

Change the permissions of useraddbyweb.pl to:

chmod 0755 useraddbyweb.pl

Solution 2: useraddbyweb.pl suid root:

With useraddbyweb.pl suid root, due to security concerns, the $ENV{PATH} must be specifically set. The following correction to /var/www/cgi-bin/useraddbyweb/useraddbyweb.pl will solve the error message:

Insecure $ENV{PATH} while running setuid at /var/www/cgi-bin/useraddbyweb/useraddbyweb.pl line 135.

Just add the following line right after "# Release 20010630." (line 4):

$ENV{PATH} = '';       # notice: it is 2 single quotes

According to perlsec: "Perl automatically enables a set of special security checks, called taint mode, when it detects its program running with differing real and effective user or group IDs." So there is a need to untaint variables coming from the remote client. To solve the following error message:

Insecure dependency in system while running setuid at /var/www/cgi-bin/useraddbyweb/useraddbyweb.pl line 135.

edit useraddbyweb.pl and go to line 134 right after "my ($username, $name, $password) = (@_);" and add the following lines:

$username =~ /(.*)/;
$username = $1;
$name =~ /(.*)/;
$name = $1;
$password =~ /(.*)/;
$password = $1;

These lines of code will untaint the 3 variables ($username, $name, $password) passed by the remote client.
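
The /(.*)/ pattern above clears the taint flag on whatever the client sent, up to the first newline, without checking it. The following is an added example, not part of the original package, that untaints through allow-list patterns instead and compares the two approaches on constructed inputs; the function names, character sets and length limits are assumptions, to be aligned with what validate_input() already accepts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list patterns. These are assumptions for illustration; align them
# with the rules the script's own validate_input() already enforces.
# \A ... \z anchor the whole string ("$" would let a trailing newline pass).
my %ALLOWED = (
    username => qr/\A([a-z][a-z0-9_-]{1,15})\z/,       # login-name style
    name     => qr/\A([A-Za-z][A-Za-z .'-]{0,63})\z/,  # no ':' or ',' (passwd/GECOS separators)
    password => qr/\A([\x21-\x7e]{8,64})\z/,           # printable ASCII, no whitespace
);

# Return an untainted copy of $value if it matches the pattern for $field;
# die otherwise, so a rejected value never reaches system().
sub untaint_field {
    my ($field, $value) = @_;
    my $re = $ALLOWED{$field} or die "no pattern for field '$field'\n";
    defined $value && $value =~ $re or die "rejected $field\n";
    return $1;    # under taint mode, a regex capture is untainted
}

# What the /(.*)/ approach returns, for comparison: anything up to a newline.
sub untaint_blind {
    my ($value) = @_;
    $value =~ /(.*)/;
    return $1;
}

# Constructed sample inputs (not taken from the page).
my @samples = (
    [ username => 'jdoe' ],
    [ username => "jdoe\nsecond line" ],
    [ username => 'J Doe' ],
    [ name     => 'John Doe' ],
    [ name     => 'John:Doe' ],
    [ password => 'short' ],
);

# Quote a value for display, making embedded newlines visible.
my $show = sub { (my $s = shift) =~ s/\n/\\n/g; "'$s'" };

for my $sample (@samples) {
    my ($field, $value) = @$sample;
    my $strict = eval { untaint_field($field, $value) };
    my $blind  = untaint_blind($value);
    printf "%-8s %-22s strict: %-8s blind: %s\n", $field, $show->($value),
        defined $strict ? 'accepted' : 'rejected', $show->($blind);
}
```

In useraddbyweb.pl, calls such as `$username = untaint_field(username => $username);` would take the place of the six lines added after line 134, with the `die` replaced by whatever error page the script already emits for bad input.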


Fr. Visminlu Vicente L. Chua, S.J.
2002/09/18
Updated: 2005/04/17