From owner-freebsd-security Mon Dec 10 09:04:12 2001
From: Landon Stewart <landons@uniserve.com>
To: "Ronan Lucio", freebsd-security@freebsd.org
Subject: Re: Accessing as root
Date: Mon, 10 Dec 2001 09:03:30 -0800
Message-Id: <5.1.0.14.0.20011210085706.026e9d68@pop.uniserve.com>
In-Reply-To: <03f301c1819a$2b96bbd0$2aa8a8c0@melim.com.br>

You can specify what they run and as who. Here's an example excerpt from my sudoers file:

"...
Runas_Alias TOOLS = tools
        # Specifies what "TOOLS" means (what username)
httpd   ALL=(TOOLS) NOPASSWD:/home/tools/emailsearch.simple *
        # Specifies that httpd (or nobody) can run this command with any parameters
        # as the user "TOOLS" (which = the passwd user tools)
httpd   ALL=NOPASSWD:/usr/local/netsaint/sbin/netsaint -h *
        # Specifies that this command (ONLY) can be run as root by httpd without a
        # password.
..."

This is a FreeBSD system and you could use a similar setup (use visudo to edit the sudoers file), just substitute the httpd for "nobody" because that's what your web server runs as.

I suggest installing /usr/ports/security/sudo and reading the documents at http://www.courtesan.com/sudo/

Once you get the hang of it, you will use it for everything.  Be careful to restrict things and not get lazy after a while.  You must limit how many and what parameters are allowed to be run if the script you are running is at all flaky.

At 02:46 PM 12/10/2001 -0200, Ronan Lucio wrote:
>Hi,
>
>But, if I use sudo, I'll need to set the pw to be executed by apache
>(nobody),
>wouldn't it open a security hole?
>
>For example:
>Would the other users be able to put a code that can be executed by apache
>and change any password?
>
>[]'s
>Ronan




---
Landon Stewart
System Administrator
Uniserve Online
landons@uniserve.com
Telephone: (604) 856-6281 ext 399
Toll Free: (877) UNI-Serve ext 399


Right of Use Disclaimer:
"The sender intends this message for a specific recipient and, as it may contain information that is privileged or confidential, any use, dissemination, forwarding, or copying by anyone without permission from the sender is prohibited. Personal e-mail may contain views that are not necessarily those of the company."
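The following is an added example, not code from Landon Stewart's mail or from the sudo project. It is a small POSIX sh/awk lint that reads a sudoers file and flags the kinds of rules the mail warns against when the grantee is the web-server user: ALL as the command or as the run-as user, wildcard arguments on a command that runs as root (sudoers(5) points out that a * in the argument list matches across word boundaries, so "-h *" also matches "-h x" followed by any further arguments), commands that change passwords or give a shell, and commands living in /tmp. The user names nobody/httpd/www, the function names, and the sample file are assumptions; the sample contains the two rules from the mail with httpd replaced by nobody, plus the lazy rules that would answer Ronan's question with "yes, it opens a hole".

```shell
#!/bin/sh
# Added example, not code from Landon Stewart's mail or from the sudo project.
# A POSIX sh + awk lint for sudoers rules granted to the web-server user.
# Assumptions: the web server runs as nobody, httpd or www; one command spec
# per line; comma-separated user, host or runas lists are not parsed.

WEBUSERS='nobody|httpd|www'

# Constructed sample sudoers, not a real file.  The first two rules are the
# ones from the mail with httpd replaced by nobody; the next three are the
# kind of lazy rule the mail warns against; the last one is not a web user.
SAMPLE_SUDOERS='Runas_Alias TOOLS = tools
nobody  ALL=(TOOLS) NOPASSWD:/home/tools/emailsearch.simple *
nobody  ALL=NOPASSWD:/usr/local/netsaint/sbin/netsaint -h *
nobody  ALL=(ALL) NOPASSWD: ALL
nobody  ALL=NOPASSWD: /usr/bin/passwd *
www     ALL=NOPASSWD: /tmp/helper.sh
root    ALL=(ALL) ALL'

# lint_sudoers [FILE]: reads a sudoers file (or stdin) and prints one
# CRIT/WARN line per finding for rules whose user is a web-server account.
lint_sudoers() {
    awk -v WEB="$WEBUSERS" '
    # remember "Runas_Alias NAME = list" so a later (NAME) can be resolved
    $1 == "Runas_Alias" {
        s = $0; sub(/^Runas_Alias[ \t]+/, "", s)
        eq = index(s, "=")
        name = substr(s, 1, eq - 1); val = substr(s, eq + 1)
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
        ralias[name] = val
        next
    }
    /^[ \t]*(#|$)/ { next }                              # comments and blank lines
    $1 ~ /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias)/ { next }
    $1 !~ ("^(" WEB ")$") { next }                       # only web-server users
    {
        user = $1
        spec = $0; sub(/^[^=]*=/, "", spec)              # drop "user host="
        sub(/^[ \t]+/, "", spec)
        runas = "root"                                   # sudo default when no (runas) is given
        if (match(spec, /^\([^)]*\)/)) {
            runas = substr(spec, 2, RLENGTH - 2)
            spec = substr(spec, RLENGTH + 1)
            sub(/^[ \t]+/, "", spec)
        }
        gsub(/[ \t]/, "", runas)
        if (runas in ralias) runas = ralias[runas]       # (TOOLS) -> tools
        # strip tags such as NOPASSWD: (there may be several in a row)
        while (sub(/^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):[ \t]*/, "", spec)) { }
        cmd = spec; sub(/[ \t].*/, "", cmd)
        args = substr(spec, length(cmd) + 1)
        asroot = (runas == "ALL" || runas ~ /(^|,)root(,|$)/)

        if (cmd == "ALL")
            print "CRIT " user " may run any command as " runas
        if (runas == "ALL")
            print "CRIT " user " may run " cmd " as any user"
        if (cmd != "ALL" && cmd !~ /^\//)
            print "WARN " user ": " cmd " is not an absolute path"
        if (cmd ~ /^\/(tmp|var\/tmp)\//)
            print "WARN " user ": " cmd " lives in a world-writable directory"
        if (asroot && args ~ /[*?]/)
            print "WARN " user ": wildcard arguments to " cmd " as root (a * matches across word boundaries)"
        if (asroot && cmd ~ /(^|\/)(passwd|pw|su|sh|bash|csh|tcsh|vi|vim|less|more|tee)$/)
            print "WARN " user ": " cmd " as root changes passwords or gives a shell"
    }' "$@"
}

# lint_count [FILE]: number of findings (0 means no complaints)
lint_count() {
    lint_sudoers "$@" | awk 'END { print NR }'
}

# lint_sample: run the lint over the constructed sample above
lint_sample() {
    printf '%s\n' "$SAMPLE_SUDOERS" | lint_sudoers
}

lint_sample
```

Against the sample, the mail's tools-user rule produces nothing, its netsaint rule gets the wildcard warning the mail itself anticipates ("limit how many and what parameters"), and the three lazy rules get five findings between them. Run it on the real file with lint_sudoers /usr/local/etc/sudoers (where the FreeBSD port keeps it), but keep visudo -c for syntax and, on current sudo versions, sudo -l -U nobody as root for what sudo will actually allow: the lint does not parse every sudoers construct (comma-separated lists, Cmnd_Alias expansion), so sudo's own view is the authoritative one.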