On Nov 28, 2007 9:40 PM, Steve Bertrand <[EMAIL PROTECTED]> wrote:
> > ssh using key authentication and sudo configured to allow a certain
> > user to run the needed commands and only the needed commands as root.
> > http://www.gratisoft.us/sudo/
> > http://sial.org/howto/openssh/publickey-auth/
>
> Yes but in the OP's context, providing this would mean that ANY command
> supplied via the web interface would be allowed whether SSH or sudo was
> used to perform the remote execution via the web server.
>
> IMHO, there needs to be a distinctive separation as the 'support'
> person's request comes via the browser. If it is an 'adduser' type
> request, all aspects (mail, radius etc) need to have their own
> input-type authentication/authorization check on the input.
>
> Although sudo and SSH are part of the solution, providing a web server
> with full rights on a remote server if they can gain keyless entry is a
> large mistake.

Steve, at no point does the original email say "we need to execute
user input". sudo does not equate to providing full rights. I suggest
reading the manpage. Check yourself before you wreck yourself.

> Tunnel via SSH, and escalate via sudo are both a good idea. But I think
> in the OP's context, there needs to be some intensive checks and bounds
> in between that make it *harder* for him to achieve his goals than what
> it could be.
>
> I don't think anyone would want the following scenario:
>
> - you pass https://url.com?blah&blahetc to webserver
> - webserver, via password-less ssh executes via sudo a command on remote
>   RADIUS/mail to introduce a new user, perhaps in wheel group
> - owned
>
> Steve
>

--
The Mafia way is that we pursue larger goals under the guise of personal
relationships.
    Fisheye
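
The setup discussed in this thread (key-based ssh, sudo limited to the needed commands, and a check on each request) can be sketched as an SSH forced-command wrapper. This is an added example, not code from any poster in the thread; the account name webprov, the script paths and the 16-character login limit are assumptions.

```shell
#!/bin/sh
# Added example: forced-command gate for the web server's SSH key.
# Assumed setup (all names hypothetical):
#   authorized_keys: restrict,command="/usr/local/sbin/provision-gate" <key>
#   sudoers: webprov ALL=(root) NOPASSWD: /usr/local/sbin/provision-adduser
# sshd runs this script for every login with that key and hands over the
# client's requested command only as data in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# validate_request REQUEST
# Accepts exactly "<verb> <login>". On success sets $helper and $login
# and returns 0; any other input leaves both empty and returns 1.
validate_request() {
    req=$1 helper= login=
    case $req in
        *' '*' '*) return 1 ;;   # more than two words
        *' '*) ;;                # exactly one separator
        *) return 1 ;;           # no argument at all
    esac
    v=${req%% *}
    l=${req#* }
    # Fixed verb-to-helper map: the request never supplies a path.
    case $v in
        adduser) h=/usr/local/sbin/provision-adduser ;;
        *) return 1 ;;
    esac
    # Login must start with a letter, so it is never read as an option
    # (for example a group flag), and contain only [a-z0-9_-].
    case $l in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case $l in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#l}" -le 16 ] || return 1   # assumed length limit
    helper=$h login=$l
}

# Runs only when invoked by sshd as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_request "$SSH_ORIGINAL_COMMAND"; then
        exec sudo -n "$helper" "$login"
    fi
    echo "request refused" >&2
    exit 1
fi
```

The helper that sudo runs should repeat its own check on the login before touching mail or RADIUS, so that each layer validates the input it receives.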