From owner-freebsd-questions@FreeBSD.ORG Fri Nov 30 13:41:47 2007
Message-Id: <3838AD85-BD47-4437-9692-7FE4CCC4AF21@gmail.com>
From: Eric Crist
To: Steve Bertrand
Cc: Olivier Nicole, Kevin Downey, freebsd-questions@freebsd.org
In-Reply-To: <474E6C55.4090306@ibctech.ca>
Subject: Re: Secure remote shell
Date: Fri, 30 Nov 2007 07:41:41 -0600

On Nov 29, 2007, at 1:37 AM, Steve Bertrand wrote:

[snip]

> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' to put the added user in a group, perhaps
> wheel?
>
> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?

Not if you use the right commands and configure the sudo stuff
correctly. Since this is scripted, you can easily force a very
specific set of commands on the script, and specifically omit the
groups you do not want.

man sudo is your friend.

-----
Eric F Crist
Secure Computing Networks
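
An added sketch of the approach described in the reply above (not part of the original message or written by its author): the web server user gets sudo rights to one wrapper script only, and the wrapper fixes the group and shell itself so nothing supplied by the web request can select them. The wrapper path /usr/local/sbin/webadduser, the group name "webusers" and the use of pw(8) instead of adduser are assumptions made for the example; it prints the command it would run rather than executing it.

```sh
#!/bin/sh
# Hypothetical wrapper, constructed for this example. Assumed sudoers entry
# (edit with visudo), granting 'www' this one script and nothing else:
#   www ALL=(root) NOPASSWD: /usr/local/sbin/webadduser
# adduser and pw themselves are NOT listed, so 'www' cannot pass its own flags.

LC_ALL=C; export LC_ALL           # make the [a-z] ranges below byte-exact

FIXED_GROUP="webusers"            # assumed unprivileged group, never from input
FIXED_SHELL="/usr/sbin/nologin"   # accounts created this way get no login shell

# valid_username NAME: succeeds only for 1-16 chars of [a-z0-9_] starting
# with a letter. Rejects spaces, commas, leading '-', and shell metacharacters.
valid_username() {
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# build_command ARGS...: prints the fixed pw(8) command line for one valid
# login name. Returns 2 on a wrong argument count, 1 on an invalid name.
build_command() {
    [ "$#" -eq 1 ] || return 2    # extra words such as "-G wheel" are refused
    valid_username "$1" || return 1
    printf 'pw useradd -n %s -g %s -s %s -m\n' "$1" "$FIXED_GROUP" "$FIXED_SHELL"
}

# Dry run when called with arguments: show the command or reject the request.
if [ "$#" -gt 0 ]; then
    build_command "$@" || { echo "webadduser: request rejected" >&2; exit 64; }
fi
```

Because the sudoers entry names only the wrapper, a request that tries to smuggle in "-G wheel" is refused before any account tool is reached.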