Date: Thu, 29 Nov 2007 09:01:22 -0800
From: "Kevin Downey"
To: "Steve Bertrand"
Cc: Olivier Nicole, freebsd-questions@freebsd.org
Subject: Re: Secure remote shell

On Nov 28, 2007 11:37 PM, Steve Bertrand wrote:
> >> Although sudo and SSH are part of the solution, providing a web server
> >> with full rights on a remote server if they can gain keyless entry is a
> >> large mistake.
> >
> > Steve,
> > at no point does the original email say "we need to execute user
> > input". sudo does not equate to providing full rights. I suggest
> > reading the manpage. check yourself before you wreck yourself.
>
> I apologize, you are correct.
>
> Perhaps I was in a different context. I was assuming that data passed
> via a web browser was in fact data that needed to be executed as the
> user (web server context).
>
> "Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc."
>
> Pardon my ignorance, I don't regularly use sudo. However, depending on
> how the user is being added to the mail and/or RADIUS server, if the web
> server has root auth via sudo to adduser, does that not allow the web
> server to create a user within whatever group it wants to?
>
> > check yourself before you wreck yourself
>
> Fair enough.
> Strong statement, I'll stand by it if necessary :)
>
> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' to put the added user in a group, perhaps wheel?

which is why you don't use 'sudo adduser', you use 'sudo myadduser.sh'.
myadduser.sh is a wrapper around adduser (or pw, or whatever)

> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?
>
> Steve
>

no, you are executing commands on validated user input. validated
either by javascript on the html form page, your language of choice on
the page the form input is submitted to, or by the adduser wrapper
script. if I were to only validate in one place I would not pick the
javascript method. this is no different than taking a search term from
an input box on a webpage, sanitizing it, and searching an sql database
for it.

--
The Mafia way is that we pursue larger goals under the guise of personal
relationships.
    Fisheye
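
A sketch of the kind of wrapper the reply describes, added here as an example and not taken from the thread: the web server user may run only this script through sudo, and the script validates the username and fixes the group itself. The script body, the install path in the sudoers comment, the group name "mailusers" and the 16-character limit are all assumptions.

```sh
#!/bin/sh
# myadduser.sh: hypothetical wrapper, the only command 'www' may run as root.
# Assumed sudoers entry (install path is an assumption; edit with visudo):
#   www ALL=(root) NOPASSWD: /usr/local/sbin/myadduser.sh
# That entry does not restrict the arguments, so the wrapper must.
LC_ALL=C; export LC_ALL              # make [a-z] mean ASCII only
FIXED_GROUP="mailusers"              # assumed group; never caller-supplied
FIXED_SHELL="/usr/sbin/nologin"      # no interactive login for these users

# Succeed only for a lowercase letter followed by [a-z0-9_], 16 chars max
# (the length limit is an assumption; match your system's).
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# Accept exactly one argument so the caller cannot append options such as
# -G wheel; group and shell come from the constants above.
myadduser() {
    if [ "$#" -ne 1 ]; then
        echo "usage: myadduser.sh username" >&2
        return 64
    fi
    if ! valid_username "$1"; then
        echo "myadduser.sh: rejected username" >&2
        return 65
    fi
    pw useradd -n "$1" -g "$FIXED_GROUP" -s "$FIXED_SHELL"
}

# Run only when given arguments, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then
    myadduser "$@"
fi
```

Validation in the form page or the receiving web script can still be done for usability, but the wrapper is the check that holds even if the web server process is compromised.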