Secure remote shell

Kevin Downey redchin at gmail.com
Thu Nov 29 09:01:27 PST 2007


On Nov 28, 2007 11:37 PM, Steve Bertrand <iaccounts at ibctech.ca> wrote:
> >> Although sudo and SSH are part of the solution, providing a web server
> >> with full rights on a remote server if they can gain keyless entry is a
> >> large mistake.
> >
> > Steve,
> >    at no point does the original email say "we need to execute user
> > input".  sudo does not equate to providing full rights. I suggest
> > reading the manpage. check yourself before you wreck yourself.
>
> I apologize, you are correct.
>
> Perhaps I was in a different context. I was assuming that data passed
> via a web browser was in fact data that needed to be executed as the
> user (web server context).
>
> "Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc."
>
> Pardon my ignorance, I don't regularly use sudo. However, depending on
> how the user is being added to the mail and/or RADIUS server, if the web
> server has root auth via sudo to adduser, does that not allow the web
> server to create a user within whatever group it wants to?
>
> > check yourself before you wreck yourself
>
> Fair enough. Strong statement, I'll stand by it if necessary :)
>
> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not allow user 'www' to put the added user in a group, perhaps wheel?

which is why you don't use 'sudo adduser' you use 'sudo myadduser.sh'.
myadduser.sh is a wrapper around adduser (or pw, or whatever)

> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?
>
> Steve
>

no, you are executing commands on validated user input. validated
either by javascript on the html form page, your language of choice on
the page the form input is submitted to, or by the adduser wrapper
script. if I were to only validate in one place I would not pick the
javascript method. this is no different than taking a search term from
an input box on a webpage, sanitizing it, and searching an sql
database for it.

-- 
The Mafia way is that we pursue larger goals under the guise of
personal relationships.
    Fisheye
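
The wrapper approach from the reply above, sketched as an added example (not code from the thread or from any participant). The script path, the sudoers line, the group name, the reserved-name list and the MYADDUSER_RUN switch are assumptions made for illustration; the point is that the caller supplies only a username, so it cannot choose a group such as wheel.

```shell
#!/bin/sh
# Added example: a "myadduser.sh"-style wrapper around pw.
# Assumed sudoers entry (hypothetical path), so that www may run only this script:
#   www ALL=(root) NOPASSWD: /usr/local/sbin/myadduser.sh
LC_ALL=C; export LC_ALL              # make [a-z] mean ASCII lowercase only

FIXED_GROUP="mailusers"              # hypothetical group; never taken from the caller
FIXED_SHELL="/usr/sbin/nologin"      # accounts created here get no login shell
RESERVED="root toor wheel operator daemon www"   # constructed deny list

# Return 0 only for a 3-16 character name: lowercase letter first, then [a-z0-9_].
valid_username() {
    name=$1
    [ "${#name}" -ge 3 ] && [ "${#name}" -le 16 ] || return 1
    case $name in
        [!a-z]*) return 1 ;;         # blocks a leading '-' (option injection) and digits
        *[!a-z0-9_]*) return 1 ;;    # blocks spaces, ';', '$', quotes, newlines, ...
    esac
    for r in $RESERVED; do
        [ "$name" = "$r" ] && return 1
    done
    return 0
}

# Accept exactly one argument. Group, shell and flags are fixed in this script.
# Dry run by default (prints the command); MYADDUSER_RUN=1 executes it.
myadduser() {
    [ "$#" -eq 1 ] || { echo "usage: myadduser.sh username" >&2; return 64; }
    valid_username "$1" || { echo "rejected username" >&2; return 65; }
    set -- pw useradd -n "$1" -g "$FIXED_GROUP" -s "$FIXED_SHELL" -m
    if [ "${MYADDUSER_RUN:-0}" = 1 ]; then
        "$@"                         # argument vector, never re-parsed by a shell
    else
        echo "$*"
    fi
}

# Act only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    myadduser "$@"
fi
```

Because validation happens inside the script that sudo runs, it still holds if the checks in the web form or the web application are bypassed.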


More information about the freebsd-questions mailing list