Re: Secure remote shell
- From: "Kevin Downey" <redchin@xxxxxxxxx>
- Date: Thu, 29 Nov 2007 09:01:22 -0800
On Nov 28, 2007 11:37 PM, Steve Bertrand <iaccounts@xxxxxxxxxx> wrote:
> > > Although sudo and SSH are part of the solution, providing a web server
> > > with full rights on a remote server if they can gain keyless entry is a
> > > large mistake.
> >
> > Steve,
> > at no point does the original email say "we need to execute user
> > input". sudo does not equate to providing full rights. I suggest
> > reading the manpage. check yourself before you wreck yourself.
>
> I apologize, you are correct.
>
> Perhaps I was in a different context. I was assuming that data passed
> via a web browser was in fact data that needed to be executed as the
> user (web server context).
>
> "Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc."
>
> Pardon my ignorance, I don't regularly use sudo. However, depending on
> how the user is being added to the mail and/or RADIUS server, if the web
> server has root auth via sudo to adduser, does that not allow the web
> server to create a user within whatever group it wants to?
>
> > check yourself before you wreck yourself
>
> Fair enough. Strong statement, I'll stand by it if necessary :)
>
> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' the ability to put the added user in a group,
> perhaps wheel?

which is why you don't use 'sudo adduser', you use 'sudo myadduser.sh'.
myadduser.sh is a wrapper around adduser (or pw, or whatever).

> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?
>
> Steve

no, you are executing commands on validated user input. validated
either by JavaScript on the HTML form page, your language of choice on
the page the form input is submitted to, or by the adduser wrapper
script. if I were to only validate in one place I would not pick the
JavaScript method. this is no different than taking a search term from
an input box on a webpage, sanitizing it, and searching an SQL
database for it.
--
The Mafia way is that we pursue larger goals under the guise of
personal relationships.
Fisheye
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"