Secure remote shell
redchin at gmail.com
Thu Nov 29 09:01:27 PST 2007
On Nov 28, 2007 11:37 PM, Steve Bertrand <iaccounts at ibctech.ca> wrote:
> >> Although sudo and SSH are part of the solution, providing a web server
> >> with full rights on a remote server if they can gain keyless entry is a
> >> large mistake.
> > Steve,
> > at no point does the original email say "we need to execute user
> > input". sudo does not equate to providing full rights. I suggest
> > reading the manpage. check yourself before you wreck yourself.
> I apologize, you are correct.
> Perhaps I was in a different context. I was assuming that data passed
> via a web browser was in fact data that needed to be executed as the
> user (web server context).
> "Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc."
> Pardon my ignorance, I don't regularly use sudo. However, depending on
> how the user is being added to the mail and/or RADIUS server, if the web
> server has root auth via sudo to adduser, does that not allow the web
> server to create a user within whatever group it wants to?
> > check yourself before you wreck yourself
> Fair enough. Strong statement, I'll stand by it if necessary :)
> A legitimate question:
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' to put the added user in a group, perhaps wheel?
which is why you don't use 'sudo adduser', you use 'sudo myadduser.sh'.
myadduser.sh is a wrapper around adduser (or pw, or whatever)
> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?
no, you are executing commands on validated user input. validated
the page the form input is submitted to, or by the adduser wrapper
script. if I were to only validate in one place I would not pick the
an input box on a webpage, sanitizing it, and searching an sql
database for it.
The Mafia way is that we pursue larger goals under the guise of
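
The wrapper approach from the reply above, as an added sketch that is not part of the original thread: the web server user gets sudo rights to this one script only, and the script accepts nothing but a login name. The script path, the sudoers entry, the group name and the use of pw useradd are assumptions for illustration.

```sh
#!/bin/sh
# myadduser.sh: hypothetical wrapper run by the web server user through sudo.
# Assumed sudoers entry (path and user name are assumptions):
#   www ALL=(root) NOPASSWD: /usr/local/sbin/myadduser.sh
# The caller supplies a login name and nothing else; group and shell are fixed
# here, so the web tier can never ask for wheel or a login shell.
LC_ALL=C; export LC_ALL        # keep [a-z] ranges ASCII-only
PW="/usr/sbin/pw"              # set here, never read from the environment
FIXED_GROUP="mailusers"        # assumed group name
FIXED_SHELL="/usr/sbin/nologin"

# Succeeds only for exactly one argument: 1-16 characters, a lowercase
# letter first, then lowercase letters, digits, '_' or '-'.
valid_login() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ] || return 1
    # Names the web tier must never create or collide with.
    case "$1" in
        root|toor|wheel|operator|daemon|www) return 1 ;;
    esac
    return 0
}

# Validates again on the privileged side, whatever the web page checked.
add_user() {
    if ! valid_login "$@"; then
        echo "myadduser: rejected login name" >&2
        return 64
    fi
    "$PW" useradd -n "$1" -g "$FIXED_GROUP" -s "$FIXED_SHELL"
}

# With no arguments the file only defines the functions.
[ "$#" -eq 0 ] || add_user "$@"
```

Because the sudoers entry names the wrapper rather than adduser or pw, extra arguments such as a group option are rejected by the argument-count check before anything runs as root.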