As Data coming into the script I'd be inclined to validate the username beyond lower-casing. Also I have included character class checking as usually usernames are not allowed to have a number (and possibly underscore too, would have to check that) as the first character. The \W would allow that as the first character.
Performing the untainting prior to calling system validation functions may also prevent badly constructed usernames getting passed through to system in functions such as getpwnam
my $un = shift; unless( $un ~= s/\A([_A-Za-z][_A-Za-z0-9]+)\Z/$1/ ){ # Log/Warn(L4/5); #? exit &ask_user_to_resubmit_request; } $un = lc($un); ... unless($<){..}
I'd likely suggest restricting user removal solely to root, but that is probably fine as long as admin priveleges are in place.
update:splitting the uid check from the user retrieval may even be better. We first see if administrator is calling the script before pulling in and untainting the user supplied data, then call the process body.
#uid check unless($< == 0){ # Log attempt and exit; }else{ print "Sue! How do you do?\nWe've been rooting for you" } #untaint and foldcase user data my $un = shift; unless( $un ~= s/\A([A-Za-z]\W+)\Z/$1/ ){ # Log attempt exit &ask_user_to_resubmit_request; } $un = lc($un); #carry on if(defined(getpwnam $un)){ .. }
In reply to Re: Script for SFTP users not deleting accounts automatically
by Don Coyote
in thread Script for SFTP users not deleting accounts automatically
by C18ANT
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |