Re: Fw: Re: problem with script execution
Ray Still wrote: Alex Zbyslaw wrote: Ray Still wrote: Just out of curiosity: What is the "echo * |" supposed to do? From my point of view the shell will expand "*" to the list of files and directories in PWD, so "echo *" acts like a simple ls in this context. This list is piped to sudo. But what does sudo do with these? sorry, I didn't want to show my passwords, so I replaced it with an astrix. the password of course is being read from the pipe by sudo because of the -S option. Probably nothing to do with your original problem, but you do know that you can allow sudo to execute certain commands without a password? Passwords in shell scripts isn't exactly ideal... I am aware of the security issues, but in this case I think it's the best option because: 1) any one who can login to the machine also knows root passwords. 2) this script lives in a directory that is password protected by apache. 3) I don't like the thought of turning off passwords. so if you can see the script, you won't learn anything you don't already know. am I totally out to lunch? IMHO, putting passwords in a script is a bad idea and putting a root password in a script is just asking for trouble. Sure, when all is well, all your users know it anyway. Then one day you forget and add a user who doesn't know it, or you distribute the script somewhere external by accident, or someone hacks in to your machine and you have given them the password on a plate. From what I understand, this script is being run only from apache, and you have password protected it from the apache server. So the only user you need to allow to run the script without a password is "apache". As you have it, any user on the system who can read the file can already run it without a password unless you have directory/script permissions set up to lock them out - apache password protection only protects you when the script is accessed through apache. If you use sudo to allow apache to run the script passwordless, then to run the script as apache you either need to be the apache server or root, so random logged in users can't run it without knowing the root password unless you let them. What I think sudo (correctly set up to only allow apache to run the script) buys you is this: 1) Your password is not visible anywhere so can't be given away by accident. 2) The script is exactly as well protected for web use as when you just include the password in the script. Any web user who can click on the right link and supply the apache authentication can run the script. If you feel apache authentication is enough protection, then passwordless sudo changes nothing, as far as I can see. 3) Random users gaining access to your machine cannot run the script without knowing the root password. Right now any user on your system who has execute permission in the script can run it without knowing the root password. My tuppence, --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Fw: Re: problem with script execution
- Original Message - From: "Alex Zbyslaw" <[EMAIL PROTECTED]> To: "Ray Still" <[EMAIL PROTECTED]> Cc: Sent: Friday, December 01, 2006 8:28 AM Subject: Re: Fw: Re: problem with script execution Ray Still wrote: Just out of curiosity: What is the "echo * |" supposed to do? From my point of view the shell will expand "*" to the list of files and directories in PWD, so "echo *" acts like a simple ls in this context. This list is piped to sudo. But what does sudo do with these? sorry, I didn't want to show my passwords, so I replaced it with an astrix. the password of course is being read from the pipe by sudo because of the -S option. Probably nothing to do with your original problem, but you do know that you can allow sudo to execute certain commands without a password? Passwords in shell scripts isn't exactly ideal... I am aware of the security issues, but in this case I think it's the best option because: 1) any one who can login to the machine also knows root passwords. 2) this script lives in a directory that is password protected by apache. 3) I don't like the thought of turning off passwords. so if you can see the script, you won't learn anything you don't already know. am I totally out to lunch? E.g. my sudoers has: Cmnd_Alias HEALTHD = /usr/local/sbin/healthd [...] %wheel ALL=(root) NOPASSWD: SMART_STATUS, HEALTHD, MBMON So anyone in group wheel (me :-)) can excecute any of the named commands without any password. You can also force the flags that will be passed - the sudoers man page has more details. --Alex -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date: 11/30/2006 5:07 AM ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Fw: Re: problem with script execution
Ray Still wrote: Just out of curiosity: What is the "echo * |" supposed to do? From my point of view the shell will expand "*" to the list of files and directories in PWD, so "echo *" acts like a simple ls in this context. This list is piped to sudo. But what does sudo do with these? sorry, I didn't want to show my passwords, so I replaced it with an astrix. the password of course is being read from the pipe by sudo because of the -S option. Probably nothing to do with your original problem, but you do know that you can allow sudo to execute certain commands without a password? Passwords in shell scripts isn't exactly ideal... E.g. my sudoers has: Cmnd_Alias HEALTHD = /usr/local/sbin/healthd [...] %wheel ALL=(root) NOPASSWD: SMART_STATUS, HEALTHD, MBMON So anyone in group wheel (me :-)) can excecute any of the named commands without any password. You can also force the flags that will be passed - the sudoers man page has more details. --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"