Re: Secure remote shell
On Nov 29, 2007, at 1:37 AM, Steve Bertrand wrote:

[snip]

> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' to put the added user in a group, perhaps wheel?
>
> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?

Not if you use the right commands and configure the sudo stuff correctly.
Since this is scripted, you can easily force a very specific set of
commands on the script, and specifically omit the groups you do not want.

man sudo is your friend.

- Eric F Crist
Secure Computing Networks

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Secure remote shell
On Nov 28, 2007 11:37 PM, Steve Bertrand <[EMAIL PROTECTED]> wrote:
> >> Although sudo and SSH are part of the solution, providing a web server
> >> with full rights on a remote server if they can gain keyless entry is a
> >> large mistake.
> >
> > Steve,
> > at no point does the original email say "we need to execute user
> > input". sudo does not equate to providing full rights. I suggest
> > reading the manpage. check yourself before you wreck yourself.
>
> I apologize, you are correct.
>
> Perhaps I was in a different context. I was assuming that data passed
> via a web browser was in fact data that needed to be executed as the
> user (web server context).
>
> "Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc."
>
> Pardon my ignorance, I don't regularly use sudo. However, depending on
> how the user is being added to the mail and/or RADIUS server, if the web
> server has root auth via sudo to adduser, does that not allow the web
> server to create a user within whatever group it wants to?
>
> > check yourself before you wreck yourself
>
> Fair enough. Strong statement, I'll stand by it if necessary :)
>
> A legitimate question:
>
> If I add user 'www' to 'sudoers' with the ability to run adduser, does
> that not give user 'www' to put the added user in a group, perhaps wheel?

which is why you don't use 'sudo adduser' you use 'sudo myadduser.sh'.
myadduser.sh is a wrapper around adduser (or pw, or whatever)

> If said commands are passed via 'user' to web browser to web server, run
> within context of the web server user, and web server user has sudo
> rights to the remote box, does that not mean that the server is
> essentially 'executing user input'?
>
> Steve
>

no, you are executing commands on validated user input. validated either
by javascript on the html form page, your language of choice on the page
the form input is submitted to, or by the adduser wrapper script. if I
were to only validate in one place I would not pick the javascript method.

this is no different than taking a search term from an input box on a
webpage, sanitizing it, and searching an sql database for it.

--
The Mafia way is that we pursue larger goals under the guise of personal
relationships.
    Fisheye

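
A wrapper of the kind this reply describes, as an added example that is not part of the original post or anyone's real script: the caller supplies only a login name, and the group is fixed inside the script. The script name follows the post; the group `mailusers`, the `nologin` shell, the reserved-name list and the sudoers line in the comment are assumptions.

```shell
#!/bin/sh
# myadduser.sh: illustrative wrapper, meant to be the ONLY command sudo allows.
# Assumed sudoers entry (edit with visudo):
#   www ALL=(root) NOPASSWD: /usr/local/sbin/myadduser.sh
# Dry run: it prints the command; a deployed wrapper would run it instead.
LC_ALL=C; export LC_ALL            # make [a-z] mean ASCII only

FIXED_GROUP="mailusers"            # assumed; never taken from the caller
FIXED_SHELL="/usr/sbin/nologin"    # assumed; accounts get no login shell

# valid_login NAME: succeed only for 1-16 chars of [a-z0-9_], letter first,
# and never for a name on the reserved list.
valid_login() {
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ] || return 1
    case "$1" in
        root|toor|daemon|operator|www) return 1 ;;
    esac
    return 0
}

# plan_adduser ARGS...: print the single pw(8) command to run, or fail.
# Extra arguments such as "-G wheel" are refused, not passed through.
plan_adduser() {
    [ "$#" -eq 1 ] || { echo "usage: myadduser.sh login" >&2; return 64; }
    valid_login "$1" || { echo "rejected login: not allowed" >&2; return 65; }
    printf 'pw useradd -n %s -g %s -s %s -m\n' "$1" "$FIXED_GROUP" "$FIXED_SHELL"
}

# Constructed demo input: one good request and three that must be refused.
demo() {
    for req in "jdoe" "jdoe -G wheel" "x;reboot" "root"; do
        if cmd=$(plan_adduser "$req" 2>/dev/null); then
            echo "ACCEPT [$req] -> $cmd"
        else
            echo "REJECT [$req]"
        fi
    done
}
demo
```
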
Re: Secure remote shell
>> root, that could be automated in a script (no password required).
>
> - have information input into browser
> - have web server save information to server disk in non-executable format
> - have script (or admin) authenticate/authorize commands to be performed
>   (recommend doing this manually for a while to ensure you capture as many
>   escape type bugs as possible)
> - have commands via another script scrubbed/cleaned/tested
> - have cron perform commands at every X minutes

the most secure compared to others. only a few programs have to be checked
for security this way. it's not a dirty way i think

Re: Secure remote shell
> ssh using key authentication and sudo configured to allow a certain
> user to run the needed commands and only the needed commands as root.

> rsh? Are you living in a cave? :)

Thanks for the replies. The original script was written at the cave
era, only I am trying to improve it today.

Would that be better? Using key authentication so ssh needs no password
(and key access limit to limit the client connecting via ssh) and
limiting sudo to run only the mentioned script.

/usr/bin/ssh [EMAIL PROTECTED] /usr/local/bin/sudo /usr/local/sbin/remove_user foor_bar

TIA.

Olivier

Re: Secure remote shell
>> Although sudo and SSH are part of the solution, providing a web server
>> with full rights on a remote server if they can gain keyless entry is a
>> large mistake.
>
> Steve,
> at no point does the original email say "we need to execute user
> input". sudo does not equate to providing full rights. I suggest
> reading the manpage. check yourself before you wreck yourself.

I apologize, you are correct.

Perhaps I was in a different context. I was assuming that data passed
via a web browser was in fact data that needed to be executed as the
user (web server context).

"Registering users is done via a web page, and the web server will
remote execute a script on the mail server to add the users in the
aliases and run newaliases, remote execute a script to the radius
server to add the user in the radius tables and restart radius, etc."

Pardon my ignorance, I don't regularly use sudo. However, depending on
how the user is being added to the mail and/or RADIUS server, if the web
server has root auth via sudo to adduser, does that not allow the web
server to create a user within whatever group it wants to?

> check yourself before you wreck yourself

Fair enough. Strong statement, I'll stand by it if necessary :)

A legitimate question:

If I add user 'www' to 'sudoers' with the ability to run adduser, does
that not give user 'www' to put the added user in a group, perhaps wheel?

If said commands are passed via 'user' to web browser to web server, run
within context of the web server user, and web server user has sudo
rights to the remote box, does that not mean that the server is
essentially 'executing user input'?

Steve

Re: Secure remote shell
On Thu, November 29, 2007 06:23, Steve Bertrand wrote:
>> What other solution would you suggest to execute a shell remotely as
>> root, that could be automated in a script (no password required).
>
> - have information input into browser
> - have web server save information to server disk in non-executable format
> - have script (or admin) authenticate/authorize commands to be performed
>   (recommend doing this manually for a while to ensure you capture as many
>   escape type bugs as possible)
> - have commands via another script scrubbed/cleaned/tested
> - have cron perform commands at every X minutes
>

I once wrote a script for allowing certain persons to add user accounts
on a box: they just had to create a csv file in a certain place on disk
with a certain name, something like this:

loginname;Full Name;action

where action would be: C (for create new user), D (for delete user), M
for creating a new pair of ssh keys.

A shell script executed from cron every half hour would then pick up
that file and do whatever actions specified in that script.

In the case of OP that file could be created (and transported through
ssh) by the user the web server runs with, while the local root account
(if applicable - in case of LDAP that isn't necessary anyway) does its
thing...

Peter

--
http://www.boosten.org

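
The queue-file approach described above, sketched as an added example (not Peter's script): the root-side cron job treats each `loginname;Full Name;action` line strictly as data and turns it into a fixed plan, or rejects it. The function names, the character whitelist, the plan words and the sample queue are assumptions constructed for illustration.

```shell
#!/bin/sh
# Illustrative parser for the root-side cron job; it only prints a plan.
LC_ALL=C; export LC_ALL                 # ASCII-only character ranges

# parse_request LINE: print the planned action for one line, or return 1.
parse_request() {
    case "$1" in *';'*';'*) ;; *) return 1 ;; esac      # need 3 fields
    login=${1%%;*}; rest=${1#*;}
    fullname=${rest%%;*}; action=${rest#*;}
    case "$login" in ""|root|toor|[!a-z]*|*[!a-z0-9_]*) return 1 ;; esac
    # Full name lands in the passwd GECOS field: no ':' or shell characters.
    case "$fullname" in ""|*[!A-Za-z0-9." "-]*) return 1 ;; esac
    case "$action" in           # a 4th field leaves a ';' here and fails too
        C) printf 'create %s "%s"\n' "$login" "$fullname" ;;
        D) printf 'delete %s\n' "$login" ;;
        M) printf 'newkeys %s\n' "$login" ;;
        *) return 1 ;;
    esac
}

# process_queue: read requests on stdin, print plans, report bad line numbers
# on stderr. Nothing from the file is ever eval'ed or sourced.
process_queue() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        parse_request "$line" || { bad=$((bad + 1)); echo "line $n rejected" >&2; }
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample queue, as the web server's user might have written it.
sample_queue() {
    printf '%s\n' 'jdoe;John Doe;C' 'asmith;A. Smith-Jones;M' \
        'olduser;Old User;D' 'evil;x;C;reboot' 'bob$(id);Bob;C' \
        'root2;Mallory:0:0;C' 'jdoe;John Doe;X'
}
sample_queue | process_queue || echo "some requests were rejected" >&2
```
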
Re: Secure remote shell
On Nov 28, 2007 9:40 PM, Steve Bertrand <[EMAIL PROTECTED]> wrote:
> > ssh using key authentication and sudo configured to allow a certain
> > user to run the needed commands and only the needed commands as root.
> > http://www.gratisoft.us/sudo/
> > http://sial.org/howto/openssh/publickey-auth/
>
> Yes but in the OP's context, providing this would mean that ANY command
> supplied via the web interface would be allowed whether SSH or sudo was
> used to perform the remote execution via the web server.
>
> IMHO, there needs to be a distinctive separation as the 'support'
> persons request comes via the browser. If it is an 'adduser' type
> request, all aspects (mail, radius etc) need to have their own
> input-type authentication/authorization check on the input.
>
> Although sudo and SSH are part of the solution, providing a web server
> with full rights on a remote server if they can gain keyless entry is a
> large mistake.

Steve,
at no point does the original email say "we need to execute user
input". sudo does not equate to providing full rights. I suggest
reading the manpage. check yourself before you wreck yourself.

> Tunnel via SSH, and escalate via sudo is both a good idea. But I think
> in the OP's context, there needs to be some intensive checks and bounds
> in between that make it *harder* for him to achieve his goals than what
> it could be.
>
> I don't think anyone would want the following scenario:
>
> - you pass https://url.com?blah&blahetc to webserver
> - webserver, via password-less ssh executes via sudo a command on remote
>   RADIUS/mail to introduce a new user, perhaps in wheel group
> - owned
>
> Steve
>

--
The Mafia way is that we pursue larger goals under the guise of personal
relationships.
    Fisheye

Re: Secure remote shell
> ssh using key authentication and sudo configured to allow a certain
> user to run the needed commands and only the needed commands as root.
> http://www.gratisoft.us/sudo/
> http://sial.org/howto/openssh/publickey-auth/

Yes but in the OP's context, providing this would mean that ANY command
supplied via the web interface would be allowed whether SSH or sudo was
used to perform the remote execution via the web server.

IMHO, there needs to be a distinctive separation as the 'support'
persons request comes via the browser. If it is an 'adduser' type
request, all aspects (mail, radius etc) need to have their own
input-type authentication/authorization check on the input.

Although sudo and SSH are part of the solution, providing a web server
with full rights on a remote server if they can gain keyless entry is a
large mistake.

Tunnel via SSH, and escalate via sudo is both a good idea. But I think
in the OP's context, there needs to be some intensive checks and bounds
in between that make it *harder* for him to achieve his goals than what
it could be.

I don't think anyone would want the following scenario:

- you pass https://url.com?blah&blahetc to webserver
- webserver, via password-less ssh executes via sudo a command on remote
  RADIUS/mail to introduce a new user, perhaps in wheel group
- owned

Steve

Re: Secure remote shell
> What other solution would you suggest to execute a shell remotely as
> root, that could be automated in a script (no password required).

- have information input into browser
- have web server save information to server disk in non-executable format
- have script (or admin) authenticate/authorize commands to be performed
  (recommend doing this manually for a while to ensure you capture as many
  escape type bugs as possible)
- have commands via another script scrubbed/cleaned/tested
- have cron perform commands at every X minutes

Dirty, but it works. Just ensure that your input variables are very
clean during the request, and their storage.

All this said, I have an environment that may *semi* relate to what you
are doing. It appears you are running your mail with sendmail on one
box, RADIUS on another, and perhaps your web interface on yet another.
Is this correct? Perhaps it's all on the same box...

Can you state:

- mail server software
- RADIUS software
- web interface (server) software

...assuming further, the web interface is custom right?

How many users do you have? How many support people?

Perhaps you could mail me off-list to discuss, as myself, and my support
staff just went through this last year, and are just finishing up the
details.

Steve

Re: Secure remote shell
On 11:28:24 Nov 29, Olivier Nicole wrote:
> Hi,
>
> Part of (un)registering users on my system consists in connecting to
> various servers to add the user account to some services:
>
> Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc.
>
> Of course all the remote execution should be done as root :(
>

No. Use sudo(8)

And tighten it up. Giving remote users root access should never ever be
done. Typically each user should run a suid script or something.

> So far, one specific user from the web server can rsh -l root to the

rsh? Are you living in a cave? :)

ssh(8) was released several years ago. rsh is horribly insecure and
broken whereas ssh(8) has an excellent security track record.

-Girish

Re: Secure remote shell
On Nov 28, 2007 8:28 PM, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Part of (un)registering users on my system consists in connecting to
> various servers to add the user account to some services:
>
> Registering users is done via a web page, and the web server will
> remote execute a script on the mail server to add the users in the
> aliases and run newaliases, remote execute a script to the radius
> server to add the user in the radius tables and restart radius, etc.
>
> Of course all the remote execution should be done as root :(
>
> So far, one specific user from the web server can rsh -l root to the
> various other servers to do what needs to be done. But this is not
> quite satisfactory.
>
> What other solution would you suggest to execute a shell remotely as
> root, that could be automated in a script (no password required).
>
> Best regards,
>
> Olivier

ssh using key authentication and sudo configured to allow a certain
user to run the needed commands and only the needed commands as root.

http://www.gratisoft.us/sudo/
http://sial.org/howto/openssh/publickey-auth/

--
The Mafia way is that we pursue larger goals under the guise of personal
relationships.
    Fisheye

Secure remote shell
Hi,

Part of (un)registering users on my system consists in connecting to
various servers to add the user account to some services:

Registering users is done via a web page, and the web server will
remote execute a script on the mail server to add the users in the
aliases and run newaliases, remote execute a script to the radius
server to add the user in the radius tables and restart radius, etc.

Of course all the remote execution should be done as root :(

So far, one specific user from the web server can rsh -l root to the
various other servers to do what needs to be done. But this is not
quite satisfactory.

What other solution would you suggest to execute a shell remotely as
root, that could be automated in a script (no password required).

Best regards,

Olivier