On Nov 29, 2007, at 1:37 AM, Steve Bertrand wrote:
[snip]
A legitimate question:
If I add user 'www' to 'sudoers' with the ability to run adduser, does
that not give user 'www' to put the added user in a group, perhaps
wheel?
If said commands are passed via 'user' to web browser to web server,
run
within context of the web server user, and web server user has sudo
rights to the remote box, does that not mean that the server is
essentially 'executing user input'?
Not if you use the right commands and configure the sudo stuff
correctly. Since this is scripted, you can easily force a very
specific set of commands on the script, and specifically omit the
groups you do not want.
man sudo is your friend.
-----
Eric F Crist
Secure Computing Networks
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
