Date:      Mon, 10 Dec 2001 09:03:30 -0800
From:      Landon Stewart <landons@uniserve.com>
To:        "Ronan Lucio" <ronan@melim.com.br>, <security@freebsd.org>
Subject:   Re: Accessing as root
Message-ID:  <5.1.0.14.0.20011210085706.026e9d68@pop.uniserve.com>
In-Reply-To: <03f301c1819a$2b96bbd0$2aa8a8c0@melim.com.br>
References:  <60355.1008000080@axl.seasidesoftware.co.za> <60409.1008000194@axl.seasidesoftware.co.za> <20011210180639.J757@straylight.oblivion.bg>


You can specify what they run and as whom. Here's an example excerpt from my 
sudoers file:

"...
Runas_Alias TOOLS = tools
        # Specifies what "TOOLS" means (what username)
httpd   ALL=(TOOLS) NOPASSWD:/home/tools/emailsearch.simple *
        # Specifies that httpd (or nobody) can run this command with any
        # parameters as the user "TOOLS" (which = the passwd user tools)
httpd   ALL=NOPASSWD:/usr/local/netsaint/sbin/netsaint -h *
        # Specifies that this command (ONLY) can be run as root by httpd
        # without a password.
..."

This is a FreeBSD system and you could use a similar setup (use visudo to 
edit the sudoers file), just substitute the httpd for "nobody" because 
that's what your web server runs as.

I suggest installing /usr/ports/security/sudo and reading the documents at 
http://www.courtesan.com/sudo/

Once you get the hang of it, you will use it for everything.  Be careful 
to restrict things and not get lazy after a while.  You must limit how many 
and what parameters are allowed to be run if the script you are running is 
at all flaky.

At 02:46 PM 12/10/2001 -0200, Ronan Lucio wrote:
>Hi,
>
>But, if I use sudo, I'll need to set the pw to be executed by apache
>(nobody),
>wouldn't it open a security hole?
>
>For example:
>Would the other users be able to put a code that can be executed by apache
>and change any password?
>
>[]'s
>Ronan





---
Landon Stewart
System Administrator
Uniserve Online
landons@uniserve.com
Telephone: (604) 856-6281 ext 399
Toll Free: (877) UNI-Serve ext 399


Right of Use Disclaimer:
"The sender intends this message for a specific recipient and, as it may 
contain information that is privileged or confidential, any use, 
dissemination, forwarding, or copying by anyone without permission from the 
sender is prohibited. Personal e-mail may contain views that are not 
necessarily those of the company."
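The rules quoted above end in "*", which in sudoers means the caller may append any arguments at all, extra flags included, to the privileged command; sudoers itself cannot validate what those arguments contain. One way to close that gap is to let the web-server user run only a small root-owned wrapper that checks its single argument before handing it to the real tool. The script below is an added example and is not code from this thread or from the sudo project. It assumes a hypothetical path /usr/local/sbin/emailsearch-wrapper for itself, uses /home/tools/emailsearch.simple from the post as the tool it fronts, and applies an invented account-name policy (1 to 16 characters of [a-z0-9_], no leading digit, no root/toor/nobody) that you would adjust to your own system.

```sh
#!/bin/sh
# Added example, not code from the thread: a wrapper that the web-server
# user (nobody) is allowed to run through sudo in place of the real tool.
# The sudoers "*" wildcard accepts any extra arguments; this wrapper is
# where the argument actually gets checked.
#
# Assumed (hypothetical) names:
#   /usr/local/sbin/emailsearch-wrapper   this script, root-owned, mode 0755
#   /home/tools/emailsearch.simple        the tool named in the post
#
# Weak rule (from the post): the trailing "*" lets the caller append any
# arguments, including extra flags, to the command run as TOOLS:
#   httpd   ALL=(TOOLS) NOPASSWD:/home/tools/emailsearch.simple *
# Tighter rule (assumed): only the wrapper may be run, as user tools, and
# the wrapper validates the one argument it accepts:
#   nobody  ALL=(tools) NOPASSWD: /usr/local/sbin/emailsearch-wrapper

LC_ALL=C; export LC_ALL          # make [a-z] mean ASCII a-z, not a locale range

# validate_user NAME: return 0 if NAME is an acceptable account name, 1 otherwise.
# Policy (assumed for the example): 1-16 chars of [a-z0-9_], not starting
# with a digit, and never a privileged or special account.
validate_user() {
    case "$1" in
        '')               return 1 ;;   # empty
        *[!a-z0-9_]*)     return 1 ;;   # shell metacharacters, '/', '-', spaces ...
        [0-9]*)           return 1 ;;   # must not start with a digit
        root|toor|nobody) return 1 ;;   # never these accounts
    esac
    [ "${#1}" -le 16 ] || return 1
    return 0
}

# run_wrapper ARGS...: require exactly one validated argument, then exec the
# real tool with a fixed PATH and a restrictive umask. Returns 64 (usage) or
# 65 (rejected input) without running anything when the check fails.
run_wrapper() {
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 username" >&2
        return 64
    fi
    if ! validate_user "$1"; then
        echo "rejected argument" >&2     # deliberately not echoing the input itself
        return 65
    fi
    PATH=/bin:/usr/bin; export PATH
    umask 077
    exec /home/tools/emailsearch.simple "$1"
}

# Only do work when started through sudo (sudo sets SUDO_USER); running or
# sourcing the file any other way just defines the functions above.
if [ -n "${SUDO_USER:-}" ]; then
    run_wrapper "$@"
fi
```

Install the wrapper owned by root with mode 0755 (the caller must not be able to edit it), point the sudoers rule at the wrapper rather than at the tool, check the syntax with visudo -c, and confirm from a root shell what the web-server user may actually run before trusting the setup. The same pattern applies to the netsaint rule: a wrapper that accepts only a host name gives you the "-h *" convenience without letting a compromised CGI script pass arbitrary flags to a program running as root.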

