AW: [suse-security] Create FTP account remotely from web application
Hi Andy,
this looks like you'll need some centralised authentication service. Try to set up an LDAP server and configure your FTP server to use PAM authentication with LDAP. You'll still need to set up a local userid for filesystem permissions though.
Good luck Stefan
From: Andy [mailto:frum@ar-sd.net]
Hi to all,
I have a web application from which I need to create some FTP accounts on another server. Between the servers I can have SSH, FTP or WEB (and some others if necessary, but I don't think so) access, but I don't know how to create the "relation" between the web scripts and account creation, and of course without compromising the security of the systems.
I need some advice.
Thanks in advance. Andy.
Somehow I need to run these scripts on the local server (where the application runs) or on the FTP server. Both servers are web-servers, so probably I could make a request to a secured link, where there is a script that creates users.
I am not sure that this is the best option. It could be a major security leak. And if it is... then how to do it?
----- Original Message -----
From: "Peer Stefan" <stefan.peer@tiwag.at>
To: <suse-security@suse.com>
Sent: Tuesday, May 30, 2006 12:58 PM
Subject: AW: [suse-security] Create FTP account remotely from web application
Hi Andy,
this looks like you'll need some centralised authentication service. Try to set up an LDAP server and configure your FTP server to use PAM authentication with LDAP. You'll still need to set up a local userid for filesystem permissions though.
Good luck Stefan
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
We are doing something kind of similar. A php web app creates a file that needs to be transferred to another "sftp" server. But no way do I want user apache to have access to login credentials on the sftp server. Our hack is a separate user runs a cronjob every 5 minutes to check if the php app has created the file, and if so, sftp it to the other server using ssh keys with empty passphrase. Not very elegant, but more secure.
In your case, perhaps a user with sudo rights to create ftp accounts can poll the webserver for some "make new account" flag that gets set by your web application.
On Tue, May 30, 2006 at 04:25:03PM +0300, Andy wrote:
Somehow I need to run these scripts on the local server (where the application runs) or on the FTP server. Both servers are web-servers, so probably I could make a request to a secured link, where there is a script that creates users.
I am not sure that this is the best option. It could be a major security leak. And if it is... then how to do it?
--
-ashley
Did you try poking at it with a stick?
Thanks for the quick response. I also thought of this solution; my problem remains that I should know the result of user creation.
This user that will be created will belong to a specific group and I have the bash script that creates it. I thought that I can write a php script that runs this bash under "higher rights".
What if I create in apache a link http or https and with user authentication and I put in there this script? Of course this script will need to run under higher privileges. This script will be accessed only from local LAN so I can cut off all other locations access. Will this be secure?
Regards, Andy.
----- Original Message -----
From: "Ashley Gould" <agould@ucop.edu>
To: <suse-security@suse.com>
Sent: Tuesday, May 30, 2006 7:30 PM
Subject: Re: [suse-security] Create FTP account remotely from web application
We are doing something kind of similar. A php web app creates a file that needs to be transferred to another "sftp" server. But no way do I want user apache to have access to login credentials on the sftp server. Our hack is a separate user runs a cronjob every 5 minutes to check if the php app has created the file, and if so, sftp it to the other server using ssh keys with empty passphrase. Not very elegant, but more secure.
In your case, perhaps a user with sudo rights to create ftp accounts can poll the webserver for some "make new account" flag that gets set by your web application.
I'm no apache security expert, but I would avoid at all costs letting user apache/wwwrun run suid scripts or do anything requiring higher privileges.
Could the process that creates the user on the ftp server email the results to the client perhaps? Or submit a post to the webserver with a results message?
Surely this is not a new problem. You might try the apache.org users list.
On Wed, May 31, 2006 at 09:35:42AM +0300, Andy wrote:
Thanks for the quick response. I also thought of this solution; my problem remains that I should know the result of user creation.
This user that will be created will belong to a specific group and I have the bash script that creates it. I thought that I can write a php script that runs this bash under "higher rights".
What if I create in apache a link http or https and with user authentication and I put in there this script? Of course this script will need to run under higher privileges. This script will be accessed only from local LAN so I can cut off all other locations access. Will this be secure?
Regards, Andy.
--
-ashley
Did you try poking at it with a stick?
participants (3)
- Andy
- Ashley Gould
- Peer Stefan
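The polling pattern suggested in the thread (the web application only drops a request, a separate account picks it up and reports the result back), as an added example that is not part of any message above. It assumes the request files already sit in a local spool directory on the FTP server; the spool layout, the file names, the `--run` flag and the `create_ftp_user` wrapper path are all hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (hypothetical names):
#   $SPOOL/new   writable by the web server user (wwwrun/apache): one <id>.req per request
#   $SPOOL/done  writable only by the poller account, readable by the web app
# Run from the crontab of a dedicated account that is allowed to create FTP users, e.g.
#   */5 * * * * /usr/local/sbin/ftpreq-poll --run
LC_ALL=C; export LC_ALL                      # byte-wise [a-z] ranges in patterns
SPOOL=${SPOOL:-/var/spool/ftpreq}
CREATE_CMD=${CREATE_CMD:-/usr/local/sbin/create_ftp_user}   # stands in for the existing bash script

# Accept only 1-16 chars of [a-z0-9_] starting with a letter: no shell
# metacharacters, no leading "-" that could be read as an option, no "/".
valid_username() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# Handle every pending request and leave "<STATUS> <detail>" in done/<id>.result,
# which is how the web application learns the outcome of the user creation.
process_spool() {
    mkdir -p "$SPOOL/new" "$SPOOL/done"
    for req in "$SPOOL"/new/*.req; do
        [ -f "$req" ] && [ ! -L "$req" ] || continue    # unmatched glob, symlinks
        id=$(basename "$req" .req)
        IFS= read -r user < "$req" || true              # first line only, treated as data
        if ! valid_username "$user"; then
            result="REJECTED invalid-username"
        elif "$CREATE_CMD" "$user" >/dev/null 2>&1; then
            result="OK $user"
        else
            result="FAILED create-command"
        fi
        tmp="$SPOOL/done/.$id.tmp"                      # write, then rename: no partial reads
        printf '%s\n' "$result" > "$tmp" && mv "$tmp" "$SPOOL/done/$id.result"
        rm -f "$req"
    done
}

if [ "${1:-}" = "--run" ]; then process_spool; fi
```

The web server user never gains elevated rights here: it can only write a one-line request and read back a status line, and the poller validates the name before anything privileged runs.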