Date: Mon, 10 Dec 2001 09:03:30 -0800
From: Landon Stewart <landons@uniserve.com>
To: "Ronan Lucio" <ronan@melim.com.br>, <security@freebsd.org>
Subject: Re: Accessing as root
Message-ID: <5.1.0.14.0.20011210085706.026e9d68@pop.uniserve.com>
In-Reply-To: <03f301c1819a$2b96bbd0$2aa8a8c0@melim.com.br>
References: <60355.1008000080@axl.seasidesoftware.co.za> <60409.1008000194@axl.seasidesoftware.co.za> <20011210180639.J757@straylight.oblivion.bg>
You can specify what they run and as whom. Here's an example excerpt from my
sudoers file:

"...
Runas_Alias TOOLS = tools
        # Specifies what "TOOLS" means (what username)
httpd ALL=(TOOLS) NOPASSWD:/home/tools/emailsearch.simple *
        # Specifies that httpd (or nobody) can run this command with any parameters
        # as the user "TOOLS" (which = the passwd user tools)
httpd ALL=NOPASSWD:/usr/local/netsaint/sbin/netsaint -h *
        # Specifies that this command (ONLY) can be run as root by httpd without a
        # password.
..."

This is a FreeBSD system and you could use a similar setup (use visudo to
edit the sudoers file), just substitute the httpd for "nobody" because
that's what your web server runs as.

I suggest installing /usr/ports/security/sudo and reading the documents at
http://www.courtesan.com/sudo/

Once you get the hang of it, you will use it for everything. Be careful
to restrict things and not get lazy after a while. You must limit how many
and what parameters are allowed to be run if the script you are running is
at all flakey.

At 02:46 PM 12/10/2001 -0200, Ronan Lucio wrote:
>Hi,
>
>But, if I use sudo, I'll need to set the pw to be executed by apache
>(nobody),
>wouldn't it open a security hole?
>
>For example:
>Would the other users be able to put code that can be executed by apache
>and change any password?
>
>[]'s
>Ronan

---
Landon Stewart
System Administrator
Uniserve Online
landons@uniserve.com
Telephone: (604) 856-6281 ext 399
Toll Free: (877) UNI-Serve ext 399

Right of Use Disclaimer:
"The sender intends this message for a specific recipient and, as it may
contain information that is privileged or confidential, any use,
dissemination, forwarding, or copying by anyone without permission from the
sender is prohibited. Personal e-mail may contain views that are not
necessarily those of the company."
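The advice above, restrict the command and validate its parameters before letting the web-server user run anything via sudo, as an added example that is not part of the original message or the sudo project's code. The wrapper path /usr/local/sbin/webchpass, the deny list and the sudoers line in the comment are assumptions; pw(8) reading the new password from fd 0 is the assumed FreeBSD usage.

```shell
#!/bin/sh
# Added example, not from the original message or the sudo project: a small
# wrapper that a sudoers rule could let the web-server user run in place of a
# general password tool. Validating the argument here is what "limit what
# parameters are allowed" means in practice.
# Hypothetical names: the path /usr/local/sbin/webchpass, the deny list below
# and the sudoers line in the next comment are all assumptions.
#
#   nobody ALL=(root) NOPASSWD: /usr/local/sbin/webchpass [a-z]*
#
# Two layers: sudoers narrows the command and the rough shape of its argument
# (its wildcards match the whole argument string, so they are coarse), and the
# wrapper re-checks the argument itself and refuses system accounts outright.

DENY_LIST="root toor daemon operator bin nobody www"

# validate_user NAME: return 0 if NAME is an acceptable target, 1 otherwise
validate_user() {
    # exactly one, non-empty argument
    [ $# -eq 1 ] && [ -n "$1" ] || return 1
    name=$1
    # strict shape: starts with a lowercase letter, then only [a-z0-9_-],
    # at most 16 characters; shell metacharacters, spaces and "../" all fail
    case $name in
        [!a-z]*) return 1 ;;
        *[!a-z0-9_-]*) return 1 ;;
    esac
    [ ${#name} -le 16 ] || return 1
    # never operate on system accounts, whatever the caller asks for
    for d in $DENY_LIST; do
        if [ "$name" = "$d" ]; then return 1; fi
    done
    return 0
}

# Entry point, only when installed and run under its own name. The new
# password arrives on stdin, never on the command line; pw(8) with -h 0
# reads it from fd 0 (assumed FreeBSD pw usage).
if [ "$(basename -- "$0")" = "webchpass" ]; then
    if ! validate_user "$@"; then
        echo "webchpass: refused: bad or disallowed account name" >&2
        exit 1
    fi
    pw usermod -n "$1" -h 0
fi
```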