Date:      Mon, 10 Dec 2001 14:46:09 -0200
From:      "Ronan Lucio" <ronan@melim.com.br>
To:        <security@freebsd.org>
Subject:   Re: Accessing as root
Message-ID:  <03f301c1819a$2b96bbd0$2aa8a8c0@melim.com.br>
References:  <60355.1008000080@axl.seasidesoftware.co.za> <60409.1008000194@axl.seasidesoftware.co.za> <20011210180639.J757@straylight.oblivion.bg>

Hi,

But, if I use sudo, I'll need to set the pw to be executed by apache
(nobody), wouldn't it open a security hole?

For example:
Would the other users be able to put code that can be executed by apache
and change any password?

[]´s
Ronan

> On Mon, Dec 10, 2001 at 06:03:14PM +0200, Sheldon Hearn wrote:
> >
> >
> > On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote:
> >
> > > > I need to make some scripts to change the password and other
> > > > things like that need root permissions, but:
> > > >
> > > > How can I do it without opening a security hole in the server?
> > > > What is the best way to do it?
> > >
> > > 1) Limit exposure to just those commands that need privilege, by
> > >    passing your command as arguments to the su(1) command.
> >
> > This is stupid advice, sorry.
> >
> > You need to make your script setuid root (see chmod(1)).  If the script
> > is big, or does complex input handling, consider breaking out the part
> > that needs privilege into its own smaller script, called by a wrapper
> > that does input sanity checking.
> >
> > Ultimately, you want to limit the privilege to as little work as
> > possible.
>
> And then, of course, there is the security/sudo port, which lets you
> specify which uid's are allowed to execute which commands as root or
> whatever other uid, with or without passwords, with or without controlling
> terminals.
>
> G'luck,
> Peter
>
> --
> I am not the subject of this sentence.
>
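
As an added example (not part of the thread or written by its participants), here is one way to combine the small privileged wrapper Sheldon describes with the sudo port Peter mentions, so that apache (nobody) can run only a script that sanity-checks the login name before calling pw. The wrapper path, the `MIN_UID` boundary and the `is_safe_target` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/chpw (the path is an assumption).
# sudoers(5) entry that lets the web server user run only this wrapper:
#   nobody ALL = (root) NOPASSWD: /usr/local/sbin/chpw
# Usage (new password on stdin, never on the command line):
#   sudo /usr/local/sbin/chpw --apply <login>

LC_ALL=C; export LC_ALL   # make the [a-z] range below mean ASCII only
MIN_UID=1000              # assumed boundary between system and ordinary accounts

# Succeeds only for a plain login name that belongs to an ordinary account.
is_safe_target() {
    name=$1
    uid=$2
    case $name in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;   # empty, option-like, odd characters
    esac
    [ "${#name}" -le 16 ] || return 1
    case $uid in
        ''|*[!0-9]*) return 1 ;;           # unknown user or non-numeric uid
    esac
    [ "$uid" -ge "$MIN_UID" ] || return 1  # refuses root and system users
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
    login=${2:-}
    uid=$(id -u -- "$login" 2>/dev/null)
    if is_safe_target "$login" "$uid"; then
        # pw(8): -h 0 reads the new password from file descriptor 0 (stdin)
        exec pw usermod "$login" -h 0
    fi
    logger -p auth.warning "chpw: refused request for '$login'"
    exit 1
fi
```

Any code that runs as nobody can still invoke the wrapper, so this limits what such code can change (ordinary accounts only, never root) rather than authenticating who is asking.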

