Date: Fri, 30 Nov 2007 07:41:41 -0600
From: Eric Crist <mnslinky@gmail.com>
To: Steve Bertrand <iaccounts@ibctech.ca>
Cc: Olivier Nicole <on@cs.ait.ac.th>, Kevin Downey <redchin@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Secure remote shell
Message-ID: <3838AD85-BD47-4437-9692-7FE4CCC4AF21@gmail.com>
In-Reply-To: <474E6C55.4090306@ibctech.ca>
References: <200711290428.lAT4SOLd065598@banyan.cs.ait.ac.th> <1d3ed48c0711282112g389407ddyed367561910adfe4@mail.gmail.com> <474E50BC.7060501@ibctech.ca> <1d3ed48c0711282203r23e6d14cx5b97944ecda1de2a@mail.gmail.com> <474E6C55.4090306@ibctech.ca>
On Nov 29, 2007, at 1:37 AM, Steve Bertrand wrote:

[snip]

> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' to put the added user in a group, perhaps
> wheel?
>
> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?

Not if you use the right commands and configure the sudo stuff correctly. Since this is scripted, you can easily force a very specific set of commands on the script, and specifically omit the groups you do not want.

man sudo is your friend.

-----
Eric F Crist
Secure Computing Networks
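
One way to set up what the reply describes, as an added example that is not part of the original message: 'www' is allowed to run a single wrapper through sudo, and the wrapper fixes the group and shell itself and accepts nothing but one validated login name. The wrapper path, the group name 'webusers' and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper, installed root-owned and not writable by 'www'.
# Matching sudoers entry (path is an assumption):
#   www ALL=(root) NOPASSWD: /usr/local/sbin/webadduser
LC_ALL=C; export LC_ALL            # make [a-z] mean ASCII only
FIXED_GROUP="webusers"             # assumption: pre-created unprivileged group
FIXED_SHELL="/usr/sbin/nologin"
DRY_RUN=1                          # example default; set to 0 on the real host

# Accept exactly one argument that is a conservative login name:
# lowercase letter first, then lowercase letters, digits, '_' or '-',
# at most 16 characters. Spaces, options and shell metacharacters fail.
valid_login() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# Print the exact pw(8) command for a login. Group and shell come from
# the constants above, never from the caller.
build_cmd() {
    valid_login "$@" || return 1
    printf 'pw useradd -n %s -g %s -s %s -m\n' "$1" "$FIXED_GROUP" "$FIXED_SHELL"
}

# Entry point: refuse anything but a single valid login name.
add_web_user() {
    cmd=$(build_cmd "$@") || { echo "rejected" >&2; return 64; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        pw useradd -n "$1" -g "$FIXED_GROUP" -s "$FIXED_SHELL" -m
    fi
}

# Constructed sample inputs; with DRY_RUN=1 nothing is created.
for u in alice 'alice -G wheel'; do
    add_web_user "$u" || echo "refused: $u"
done
```

Because sudoers names only the wrapper and the wrapper never forwards caller-supplied options, a request that tries to append a group such as wheel is rejected before pw is reached.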