Secure remote shell
iaccounts at ibctech.ca
Wed Nov 28 23:37:49 PST 2007
>> Although sudo and SSH are part of the solution, providing a web server
>> with full rights on a remote server if they can gain keyless entry is a
>> large mistake.
> at no point does the original email say "we need to execute user
> input". sudo does not equate to providing full rights. I suggest
> reading the manpage. check yourself before you wreck yourself.
I apologize, you are correct.
Perhaps I was in a different context. I was assuming that data passed
via a web browser was in fact data that needed to be executed as the
user (web server context).
"Registering users is done wia a web page, and the web server will
remote execute a script on the mail server to add the users in the
aliases and run newaliases, remote execute a script to the radius
server to add the user in the radius tables and restart radius, etc."
Pardon my ignorance, I don't regularly use sudo. However, depending on
how the user is being added to the mail and/or RADIUS server, if the web
server has root auth via sudo to adduser, does that not allow the web
server to create a user within whatever group it wants to?
> check yourself before you wreck yourself
Fair enough. Strong statement, I'll stand by it if necessary :)
A legitimate question:
If I add user 'www' to 'sudoers' with the ability to run adduser, does
that not give user 'www' to put the added user in a group, perhaps wheel?
If said commands are passed via 'user' to web browser to web server, run
within context of the web server user, and web server user has sudo
rights to the remote box, does that not mean that the server is
essentially 'executing user input'?
More information about the freebsd-questions