On Nov 29, 2007, at 1:37 AM, Steve Bertrand wrote:


A legitimate question:

If I add user 'www' to 'sudoers' with the ability to run adduser, does
that not give user 'www' to put the added user in a group, perhaps wheel?

If said commands are passed via 'user' to web browser to web server, run
within context of the web server user, and web server user has sudo
rights to the remote box, does that not mean that the server is
essentially 'executing user input'?

Not if you use the right commands and configure the sudo stuff correctly. Since this is scripted, you can easily force a very specific set of commands on the script, and specifically omit the groups you do not want.

man sudo is your friend.
Eric F Crist
Secure Computing Networks

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to