>> Although sudo and SSH are part of the solution, providing a web server
>> with full rights on a remote server if they can gain keyless entry is a
>> large mistake.
>
> Steve,
> at no point does the original email say "we need to execute user
> input". sudo does not equate to providing full rights. I suggest
> reading the manpage. check yourself before you wreck yourself.
I apologize, you are correct. Perhaps I was in a different context. I was assuming that data passed via a web browser was in fact data that needed to be executed as the user (web server context).

"Registering users is done via a web page, and the web server will remote execute a script on the mail server to add the users in the aliases and run newaliases, remote execute a script to the radius server to add the user in the radius tables and restart radius, etc."

Pardon my ignorance, I don't regularly use sudo. However, depending on how the user is being added to the mail and/or RADIUS server, if the web server has root auth via sudo to adduser, does that not allow the web server to create a user within whatever group it wants to?

> check yourself before you wreck yourself

Fair enough. Strong statement, I'll stand by it if necessary :)

A legitimate question: If I add user 'www' to 'sudoers' with the ability to run adduser, does that not give user 'www' the ability to put the added user in a group, perhaps wheel? If said commands are passed via 'user' to web browser to web server, run within context of the web server user, and web server user has sudo rights to the remote box, does that not mean that the server is essentially 'executing user input'?

Steve

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
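The sudoers question Steve raises above, as an added example that is not from the thread: a weak rule that hands the web server user the whole user-management binary (so any argument the browser submits, a group included, reaches root), beside a wrapper that accepts exactly one validated username and hard-codes the group, so the group is never the web server's choice. The wrapper path, the group name and the `pw useradd`/`newaliases` invocation are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/add-mail-user (constructed example).
#
# Weak rule: the web server user may run the user-management binary with ANY
# arguments, so whatever the browser submits (including a group) reaches root:
#   www ALL=(root) NOPASSWD: /usr/sbin/pw
#
# Hardened rule: the web server user may run only this wrapper, which accepts
# a single argument and hard-codes every other option:
#   www ALL=(root) NOPASSWD: /usr/local/sbin/add-mail-user

ALLOWED_GROUP="mailusers"   # assumed group name; never taken from the caller

# Accept only a conservative username: 3-16 chars, a lowercase letter first,
# then lowercase letters, digits, underscore or hyphen. Returns 0 if valid.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or has a disallowed character
        [!a-z]*)          return 1 ;;   # must start with a letter
    esac
    [ "${#1}" -ge 3 ] && [ "${#1}" -le 16 ]
}

# The exact privileged command line, with the group fixed by this script.
# Exposed separately so it can be inspected (and tested) without running it.
build_command() {
    printf '%s' "pw useradd $1 -G $ALLOWED_GROUP -s /usr/sbin/nologin"
}

# Entry point invoked by sudo with the web server's argument list.
add_mail_user() {
    [ "$#" -eq 1 ] || { echo "usage: add-mail-user <username>" >&2; return 64; }
    valid_username "$1" || { echo "rejected username" >&2; return 65; }
    if [ -n "$DRY_RUN" ]; then
        build_command "$1"; echo      # show what would run, do not run it
        return 0
    fi
    # Privileged part (assumed commands): create the account, then rebuild aliases.
    pw useradd "$1" -G "$ALLOWED_GROUP" -s /usr/sbin/nologin && newaliases
}

if [ "$#" -gt 0 ]; then add_mail_user "$@"; fi
```

With the hardened rule, `sudo add-mail-user 'alice -G wheel'` is rejected by the wrapper before anything privileged runs, whereas the weak rule would have passed those arguments straight to `pw`.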