From owner-freebsd-security  Mon Dec 10  8:44:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23])
	by hub.freebsd.org (Postfix) with ESMTP id DEEAD37B416
	for <security@freebsd.org>; Mon, 10 Dec 2001 08:44:38 -0800 (PST)
Received: from fazendinha (ressacada.melim.com.br [200.215.110.4])
	by salseiros.melim.com.br (Postfix) with SMTP id C6D00BA5B
	for <security@freebsd.org>; Mon, 10 Dec 2001 14:44:32 -0200 (BRST)
Message-ID: <03f301c1819a$2b96bbd0$2aa8a8c0@melim.com.br>
From: "Ronan Lucio" <ronan@melim.com.br>
To: <security@freebsd.org>
References: <60355.1008000080@axl.seasidesoftware.co.za> <60409.1008000194@axl.seasidesoftware.co.za> <20011210180639.J757@straylight.oblivion.bg>
Subject: Re: Accessing as root
Date: Mon, 10 Dec 2001 14:46:09 -0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hi,

But, if I use sudo, I´ll need to set the pw to be executed by apache
(nobody),
wouldn´t it open a security hoje?

For example:
Would the other users be able to put a code that can be executed by apache
and change any password?

[]´s
Ronan

> On Mon, Dec 10, 2001 at 06:03:14PM +0200, Sheldon Hearn wrote:
> >
> >
> > On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote:
> >
> > > > I need to make some scripts to change the password and another
> > > > things like that need root permissions, but:
> > > >
> > > > How can I do it without opening a security hole in the server?
> > > > What is the best way to do it?
> > >
> > > 1) Limit exposure to just those commands that need privelege, by
passing
> > >    your command as arguments to the su(1) command.
> >
> > This is stupid advice, sorry.
> >
> > You need to make your script setuid root (see chmod(1)).  If the script
> > is big, or does complex input handling, consider breaking out the part
> > that needs privelege into its own smaller script, called by a wrapper
> > that does input sanity checking.
> >
> > Ultimately, you want to limit the privelege to as little work as
> > possible.
>
> And then, of course, there is the security/sudo port, which lets you
> specify which uid's are allowed to execute which commands as root or
> whatever other uid, with or without passwords, with or without controlling
> terminals.
>
> G'luck,
> Peter
>
> --
> I am not the subject of this sentence.
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message