On Nov 28, 2007 11:37 PM, Steve Bertrand <[EMAIL PROTECTED]> wrote:
> >> Although sudo and SSH are part of the solution, providing a web server
> >> with full rights on a remote server if they can gain keyless entry is a
> >> large mistake.
> >
> > Steve,
> > at no point does the original email say "we need to execute user
> > input". sudo does not equate to providing full rights. I suggest
> > reading the manpage. check yourself before you wreck yourself.
>
> I apologize, you are correct.
>
> Perhaps I was in a different context. I was assuming that data passed
> via a web browser was in fact data that needed to be executed as the
> user (web server context).
>
> "Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc."
>
> Pardon my ignorance, I don't regularly use sudo. However, depending on
> how the user is being added to the mail and/or RADIUS server, if the web
> server has root auth via sudo to adduser, does that not allow the web
> server to create a user within whatever group it wants to?
>
> > check yourself before you wreck yourself
>
> Fair enough. Strong statement, I'll stand by it if necessary :)
>
> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' the ability to put the added user in a group, perhaps wheel?
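
The question above, shown as an added example that is not part of the thread: a sudoers rule naming `adduser` itself leaves every argument to the caller, while a rule naming a fixed wrapper lets the web server supply only a login name. The wrapper path, the `mailusers` group, the deny list and the use of FreeBSD's `pw useradd` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical wrapper /usr/local/sbin/add-mail-user.
#
# Broad sudoers rule: www picks every argument, including group membership:
#   www ALL=(root) NOPASSWD: /usr/sbin/adduser
# Narrow sudoers rule: www may run only this wrapper, which fixes the group:
#   www ALL=(root) NOPASSWD: /usr/local/sbin/add-mail-user

LC_ALL=C; export LC_ALL            # keep [a-z] ranges ASCII-only

FIXED_GROUP="mailusers"            # assumed unprivileged group, never wheel
FIXED_SHELL="/usr/sbin/nologin"    # accounts created here get no login shell

valid_login() {
    # Lowercase letter first, then lowercase letters, digits, '_' or '-'.
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ] || return 1
    # Constructed deny list: names that collide with system accounts.
    case "$1" in
        root|toor|www|daemon|operator|bin) return 1 ;;
    esac
    return 0
}

check_request() {
    # Exactly one argument: extra words such as "-G wheel" are refused.
    [ "$#" -eq 1 ] || return 2
    valid_login "$1" || return 1
}

main() {
    check_request "$@" || { echo "add-mail-user: request rejected" >&2; exit 64; }
    # Group and shell come from this script, not from the caller.
    exec /usr/sbin/pw useradd -n "$1" -g "$FIXED_GROUP" -s "$FIXED_SHELL" -d /nonexistent
}

# Run only when invoked with arguments, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```
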