| 1 |
Am Sonntag, 16. November 2008 18:24:17 schrieb Michael Higgins: |
| 2 |
> On Sat, 15 Nov 2008 02:01:54 +0100 |
| 3 |
> |
| 4 |
> Michele Schiavo <gentoo@××××××××××××××.it> wrote: |
| 5 |
> > /etc/sudoers ?? |
| 6 |
> |
| 7 |
> I think I'm trying to avoid running under sudo. Yes, that works, but must |
| 8 |
> have other security implications? |
| 9 |
|
| 10 |
Which ones? You know that you can restrict what users can do under sudo in a |
| 11 |
very fine grained manner (for example: user johndoe can run /bin/ls as user |
| 12 |
root, but only with options -l and -a). |
| 13 |
|
| 14 |
> In researching the problem, the workaround I posted was cribbed from other |
| 15 |
> distros which have a 'shadow' group. This is why I posted here, to see if |
| 16 |
> this is common (as I now suspect), why isn't it used in Gentoo? |
| 17 |
|
| 18 |
Because it would be stupid? The reason why /etc/shadow is only readable by |
| 19 |
root is to refuse access to the encrypted passwords to make brute force |
| 20 |
attacks on them impossible. Otherwise you could leave them in /etc/passwd. |
| 21 |
|
| 22 |
> Ultimately, the apache:apache user will be running this code. I expect to |
| 23 |
> have to add apache to the group shadow to be able to use the app. I don't |
| 24 |
> want apache in the sudoers file, nor do I think it'd solve the problem, |
| 25 |
> since my user is in the sudoers file but only can access /etc/shadow when |
| 26 |
> running under sudo. I don't see this as a way to launch my webserver..?? |
| 27 |
|
| 28 |
You could put the code that needs to access /etc/shadow into a separate CGI |
| 29 |
script and configure sudo so that user apache can only run this single script |
| 30 |
as root and only when it comes from a specific path and has specific options. |
| 31 |
|
| 32 |
HTH... |
| 33 |
|
| 34 |
Dirk |
Archives