'nobody' using sudo -- scary! - Page 2


Re: 'nobody' using sudo -- scary!


Stick the details of what to do in a file somewhere, and run a program
out of root's crontab to check the list and perform the commands.
*Obviously* you will need extremely careful checking of the contents of
that list; you will want to write the root command in Perl, and use
taint mode.


   Razors pain you / Rivers are damp
   Acids stain you / And drugs cause cramp.                    [Dorothy Parker]
   Guns aren't lawful / Nooses give
   Gas smells awful / You might as well live.                   ben@morrow.me.uk

Re: 'nobody' using sudo -- scary!

Ben Morrow wrote:

That is a nice solution.

A further refinement might be to create a FIFO instead of a file, and
have a root daemon reading the FIFO. That way there'd be no lag between
requesting the change and the change being performed.

man mkfifo

The daemon could be a Perl script started in the usual way at boot-time
(rc files etc).

Ben is right about the need to very very carefully check and sanitise
the input. I'd consider some sort of throttling to ameliorate any DOS


Re: 'nobody' using sudo -- scary!


To get something perl-specific into that thread: Don't construct command
lines from untrusted user input. Even if you are sure that $remoteuser
can only be an existing user name that cannot contain any funny
characters (like " ", "/" or "."), get into the habit of using the list
form of system:

  system "/usr/bin/vacation", "-i";
  system "cp", "-p", "/home/$remoteuser/vacation.forward",

(what was the \ for, BTW?)


First, don't run your webserver as "nobody". Create a specific user and
run it as that user. You may think that it doesn't make any difference
whether the server runs as "nobody" or as "foo". But if your webserver
runs as "nobody" out of the box, chances are that there is some other
stuff on the box also running as nobody, and you don't want to open a
path to privileged commands to that other stuff.

If this web server is tightly controlled and only used for controlling
user accounts, you can now give the user "foo" permission to remove
.forward files, for example using sudo. But don't just give it
permission to run "rm". Instead create a script "vacation-off", and give
it permission to run that script. So even if your server is cracked,
the attacker cannot delete any file. He can only turn off (and on)
vacation messages. (And I don't know if that is possible with sudo, but
you should strongly consider restricting these commands to run as some
"real" user, but not as root).

If your web server is also used for other stuff which is less security
sensitive (and where the web authors are probably less careful), it's a
good idea to put in another layer. Create yet another user and run only
those scripts which need special privileges as that user. You can do
this for example with suexec (with apache) or fastcgi (just about any
webserver). FastCGI is especially nice because it communicates with the
webserver over a socket - the script can even run on a different
host than the webserver.
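
An added example (not part of the original post) of the "vacation-off" wrapper suggested above: taint mode plus the list form of system, so that a sudo rule can permit this one script instead of "rm". The /bin/rm path, the username pattern and the "vacation-off USERNAME" interface are assumptions.

```perl
#!/usr/bin/perl -T
# vacation-off: added illustration, not code from the thread.
# Assumptions: invoked as "vacation-off USERNAME" (e.g. from a sudo rule that
# permits only this script); /bin/rm and the username pattern are examples.
use strict;
use warnings;

# Taint mode refuses to run external programs until the environment is known-good.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted username, or undef if it is not a plain account name.
sub valid_user {
    my ($name) = @_;
    return undef unless defined $name;
    # Allow-list: no "/", ".", whitespace or shell metacharacters can pass.
    return $name =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

# Look the home directory up in the passwd database instead of
# assuming "/home/$user".
sub forward_path {
    my ($user) = @_;
    my @pw = getpwnam($user) or return;
    my ($home) = $pw[7] =~ m{\A(/[A-Za-z0-9._/-]+)\z} or return;
    return "$home/.forward";
}

my $user = valid_user($ARGV[0])
    or die "usage: vacation-off USERNAME\n";
my $path = forward_path($user)
    or die "vacation-off: no such account\n";

# Refuse symlinks so the script cannot be pointed at another file.
die "vacation-off: $path is a symlink, refusing\n" if -l $path;
exit 0 unless -e $path;          # vacation already off

# List form: each element reaches the program as its own argument and no
# shell ever parses $path. "--" stops rm from reading it as an option.
system('/bin/rm', '-f', '--', $path) == 0
    or die "vacation-off: rm failed (status $?)\n";
```

The symlink test is a check-then-use sequence, so it is only reliable when the script runs as the account owner rather than as root, which is the restriction the post recommends. Perl's built-in unlink would avoid the external process altogether; rm is kept here to show the list-form call.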


Re: 'nobody' using sudo -- scary!

Johnny wrote:

Things wrong with your post:

1) Not a perl question, so off-topic for this NG.

2) Asking for "best" without defining what you mean or want.
Do you have a reason not to use sudo or is your objection
based on not wanting to read the documentation?

3) Even thinking of making users' directories world writable
suggests that you should not be allowed the root password for
this system.

4) Using vacation or .forward in the first place, since they
are commonly abused by spammers.  Mail routing must be
done based on the mail envelope, not body.  You are using
sendmail, so there are already more secure ways to do whatever
it is that you want -- see the aliases file.

** Posted from http://www.teranews.com **
