On Sunday, 16 November 2008 18:24:17, Michael Higgins wrote:
> On Sat, 15 Nov 2008 02:01:54 +0100
>
> Michele Schiavo <gentoo@××××××××××××××.it> wrote:
> > /etc/sudoers ??
>
> I think I'm trying to avoid running under sudo. Yes, that works, but must
> have other security implications?

Which ones? You know that you can restrict what users can do under sudo in a
very fine-grained manner (for example: user johndoe can run /bin/ls as user
root, but only with options -l and -a).

> In researching the problem, the workaround I posted was cribbed from other
> distros which have a 'shadow' group. This is why I posted here, to see if
> this is common (as I now suspect), why isn't it used in Gentoo?

Because it would be stupid? The reason why /etc/shadow is only readable by
root is to refuse access to the encrypted passwords to make brute-force
attacks on them impossible. Otherwise you could leave them in /etc/passwd.

> Ultimately, the apache:apache user will be running this code. I expect to
> have to add apache to the group shadow to be able to use the app. I don't
> want apache in the sudoers file, nor do I think it'd solve the problem,
> since my user is in the sudoers file but only can access /etc/shadow when
> running under sudo. I don't see this as a way to launch my webserver..??

You could put the code that needs to access /etc/shadow into a separate CGI
script and configure sudo so that user apache can only run this single script
as root and only when it comes from a specific path and has specific options.

HTH...

Dirk
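A sudoers policy along the lines Dirk describes, added here as an example rather than anything posted in the thread; the helper path /usr/lib/cgi-bin/pwcheck, its --check-only option and the user names are assumptions.

```sudoers
# Added example, not from the thread. Paths, option and user names are assumed.

# Tighten the environment for the web server user: no root shell when sudo is
# invoked without a command, a clean environment, and I/O logging for review.
Defaults:apache  !shell_noargs, env_reset, log_output

# One fixed command line: the single CGI helper at a fixed path with a fixed
# option. sudo matches the arguments as given, so any other argument string
# (or no argument at all) is refused.
Cmnd_Alias PWCHECK = /usr/lib/cgi-bin/pwcheck --check-only

# apache may run exactly that helper as root, without a password prompt
# (a CGI has no terminal to answer one). Nothing else is permitted.
apache  ALL = (root) NOPASSWD: PWCHECK

# The /bin/ls example from the message: as root, but only with -l and -a.
# Each accepted spelling of the options has to be listed.
johndoe ALL = (root) /bin/ls -l -a, /bin/ls -a -l, /bin/ls -la, /bin/ls -al
```

The helper itself must be owned by root and not writable by apache, or the restriction above protects nothing; install the file via visudo (or under /etc/sudoers.d/) and check it with `visudo -c -f <file>` before relying on it.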