in reply to Does this user exist?

You're just begging to get hacked. How about not doing this at all, eh? Your userlist is normally found in /etc/passwd and the task itself is pretty trivial. The problem is that you should already be pretty senior before attempting to write stuff like this. You're just making it all that more likely for someone to come along and paste a j00 @r3 h@xored on your home page (among other more nasty things).

Re: Re: Does this user exist?
by FamousLongAgo (Friar) on Jan 01, 2003 at 16:13 UTC
    This is a pretty blatant troll, but I want to spell that out so that the questioner doesn't get cowed.

    Yes, it takes special care to write a secure web app ( especially one that adds user accounts ), but it doesn't take a "senior" programmer, just a humble one who isn't afraid to ask for help and follows some well-established practices, like using taint and running system commands from a cron job, instead of the script itself - exactly what the questioner is doing.

    See below for a more reasoned answer.

      Actually Re: Does this user exist? was me. Originally I was going to be funny but in my sleep-deprived state it wasn't at all. I'm still very, very tired but oh well. If you feel like sending a '--' where it counts then plonk it here. [Update: Oh yeah, the anonymous monk was part of the joke and I was already writing the node when I realized it didn't need to be anonymous anymore.]

      The general attitude is similar to that expressed regarding symbolic references. People who ask that sort of question that way are de facto not qualified to write that piece of software. I don't know that I'd be qualified to write that either. The whole idea of having a web accessible user-creation system or really anything at all tied into the system is deep, deep mojo and difficult to get right.

      Or put another way - this system is a way of removing several layers of authentication and access control. Many normal system protections are just being completely set aside (by going through this web->cron interface). Doing this right will take some serious meditation and knowledge of the host environment.


      Fun Fun Fun in the Fluffy Chair

        Hey, thanks for fessing up. You make a good point about security. But I've written "bad" web apps for convenience, myself, so I can't dismiss the question.

        We don't know enough about the supplicant's needs to just say "you shouldn't do it". For all we know, (s)he might be writing a script to run on a private subnet, with strong HTTP access controls, just as a convenience for a small group of trusted users. Or it might be a CGI open to the world. I'm all for warning people the gun is loaded, but ultimately they have to make a reasoned choice.

        One of the things I like best about this site is that people will tell you you're stupid, explain why what you want is wrong, and then show you how to do it anyway. You neglected part 3. ;-)

Re: Re: Does this user exist?
by Anonymous Monk on Jan 01, 2003 at 17:02 UTC
    Please,

    I did not ask of your opinions on the security of this script, but merely help on a certain aspect of it. Yes I am running taint, yes I have regexps on user input - and NO this is not a live web system.

    If my server gets hacked or trashed, it's my fault, I know.

    ALL of my users have directories in /home, can someone please shed some light on how to compare the data in $username with what is in the /home directory, and return an error if the folder/username already exists.

      Oh well that's easy: carp "Directory found" if -e "/home/$username";. The thing is, if you couldn't code that then I don't think you're competent to code the rest of the system.


      Fun Fun Fun in the Fluffy Chair

        I wouldn't make such a bold assertion. A user's home directory is not necessarily in /home, and a user does not necessarily have a home directory in order to be valid.

        Perhaps you should try to spend more time answering the question than making bad judgements of the OP's competence.
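
The check the questioner asked for, written up as an added example that is not code from any poster in this thread. It takes the last reply's caveat into account: a home directory under /home is neither necessary nor sufficient for an account to exist, so the authoritative test is the account database via getpwnam, with the directory test kept only as a secondary collision check. The untaint regex (a conservative POSIX-style username) and the /home root are assumptions, not something the thread specifies.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Added example (not from the thread): decide whether a proposed account name
# is already taken. Runs under taint mode (-T), as the questioner says they do.

# Untaint: accept only a conservative POSIX-style username. This policy is an
# assumption for the example, not something the thread states.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
    return undef;
}

# Returns a short reason string if the name is unavailable, or undef if free.
# $home_root defaults to /home (assumed); pass another root if the site differs.
sub username_conflict {
    my ($username, $home_root) = @_;
    $home_root //= '/home';

    # Authoritative check: the account database as seen through NSS
    # (/etc/passwd, NIS, LDAP, ...), regardless of where or whether a home
    # directory exists.
    my ($name, undef, $uid, undef, undef, undef, undef, $dir) = getpwnam($username);
    if (defined $name) {
        my $home = defined $dir && length $dir ? $dir : '(none)';
        return "user '$username' already exists (uid $uid, home $home)";
    }

    # Secondary check: a leftover or pre-created directory would collide with
    # the home directory a later account-creation step would try to make.
    return "directory $home_root/$username already exists"
        if -e "$home_root/$username";

    return undef;
}

# Usage: perl -T check_user.pl <username>
my $candidate = untaint_username($ARGV[0]);
die "invalid or missing username\n" unless defined $candidate;

if (my $why = username_conflict($candidate)) {
    print "unavailable: $why\n";
    exit 1;
}
print "available: $candidate\n";
```

Rejecting anything that fails the untaint regex before touching the filesystem is what keeps `-e "$home_root/$username"` safe under taint mode: the only string that ever reaches a path is the captured group, so a name like `../etc` never gets as far as the directory test.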