Angels and Ministers of Grace, defend us ...

I have a form that creates a user by entering the username and their password. The code I'm using in php is:

    shell_exec("sudo useradd -p $encpass -g groupname -s /bin/bash $username");

I have used a whoami and have confirmed that it runs as http. In /etc/sudoers I have

    http ALL=(ALL) NOPASSWD: ALL
    root ALL=(ALL) ALL
    %wheel ALL=(ALL) NOPASSWD: ALL
    %sudo ALL=(ALL) ALL

I also added http to group wheel. The problem I am having is it's not setting the password correctly. The user is created, just the password isn't set. I know that $encpass has a value because I can display it. I also know the command works because it runs fine in command line. This was working before, but I had to reinstall Arch Linux, so does anyone have an idea for why this doesn't work?

Since this is reddit, hilarity breaks out:
For those who aren't Linux heads, some of the more patient redditors explain it to Our Hero:
You see, this is why we can't have nice things on the Internet. Jiminy Cricket on a motorbike, this is maybe the most colossally boneheaded code I've ever seen. And I've seen rather a lot, sad to say. A number of the redditors accuse him of being a troll, but I think the query was legit. After all, this sort of security fail is so epic that it has its very own xkcd:

h2ooooooo 94 points ago
Epic thread is epic. Just know that code like this "escapes" into the wild, sometimes in production systems. Be afraid. Be very afraid.
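
For contrast with the call in the quoted post, here is a hardened version, added as an example (it is not the poster's code and not from the thread). The useradd path, the function names and the narrowed sudoers rule are assumptions, and it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example. Assumed sudoers rule replacing "http ALL=(ALL) NOPASSWD: ALL":
//     http ALL=(root) NOPASSWD: /usr/bin/useradd
const USERADD = '/usr/bin/useradd';   // assumed path
const GROUP   = 'groupname';          // group name taken from the quoted post

function build_useradd_argv(string $username, string $encpass): array
{
    // Allow-list. \A...\z instead of ^...$ so a trailing newline cannot slip
    // through; a leading "-" is impossible, so the name is never read as an option.
    if (preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $username) !== 1) {
        throw new InvalidArgumentException('invalid username');
    }
    // Characters that occur in crypt(3) hashes; rejects ":" and newlines.
    if (preg_match('/\A[A-Za-z0-9.\/$=,_-]+\z/', $encpass) !== 1) {
        throw new InvalidArgumentException('invalid password hash');
    }
    return ['sudo', '-n', USERADD, '-p', $encpass, '-g', GROUP, '-s', '/bin/bash', $username];
}

function create_user(string $username, string $encpass): int
{
    // An array command is executed directly, with no shell in between: shell
    // metacharacters in the name are inert, and the "$" signs of a crypt hash
    // are not expanded as shell variables on the way to useradd.
    $proc = proc_open(
        build_useradd_argv($username, $encpass),
        [1 => ['file', '/dev/null', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start sudo');
    }
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        error_log("useradd exited with $status: $err");
    }
    return $status;
}

// Constructed inputs; the argv is only built and printed, nothing is executed.
foreach (['alice', 'bob; id'] as $name) {
    try {
        echo implode(' ', build_useradd_argv($name, '$6$constructedsalt$constructedhash')), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($name), "\n";
    }
}
```

A sudoers rule for useradd alone still lets the web user pass any useradd option, so a root-owned wrapper that fixes the options is tighter. The hash also remains visible in the process list while the command runs.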