Mailinglist Archive: opensuse-security (50 mails)

Re: [suse-security] Create FTP account remotely from web application
  • From: Ashley Gould <agould@xxxxxxxx>
  • Date: Wed, 31 May 2006 14:12:49 -0700
  • Message-id: <20060531211249.GA9934@xxxxxxxx>
I'm no apache security expert, but I would avoid at all costs letting
user apache/wwwrun run suid scripts or do anything requiring higher
privileges.

Could the process that creates the user on the ftp server email the
results to the client perhaps? Or submit a post to the webserver with a
results message?

Surely this is not a new problem. You might try the apache.org users
list.



On Wed, May 31, 2006 at 09:35:42AM +0300, Andy wrote:
> Thanks for the quick response.
> I also thought of this solution; my problem remains that I should know the
> result of user creation.
>
> This user that will be created will belong to a specific group and I have
> the bash script that creates it. I thought that I can write a php script
> that runs this bash under "higher rights".
>
> What if I create in apache a link http or https and with user authentication
> and I put in there this script? Of course this script will need to run under
> higher privileges. This script will be accessed only from local LAN so I can
> cut off all other locations access. Will this be secure?
>
> Regards,
> Andy.
>
> ----- Original Message -----
> From: "Ashley Gould" <agould@xxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: Tuesday, May 30, 2006 7:30 PM
> Subject: Re: [suse-security] Create FTP account remotely from web
> application
>
>
> >We are doing something kind of similar. A php web app creates a file that
> >needs to be transferred to another "sftp" server. But no way do I
> >want user apache to have access to login credentials on the sftp server.
> >Our hack is a separate user runs a cronjob every 5 minutes to check if
> >the php app has created the file, and if so, sftp it to the other server
> >using ssh keys with empty passphrase. Not very elegant, but more secure.
> >
> >In your case, perhaps a user with sudo rights to create ftp accounts
> >can poll the webserver for some "make new account" flag that gets set
> >by your web application.
> >
> >
> >On Tue, May 30, 2006 at 04:25:03PM +0300, Andy wrote:
> >>Somehow I need to run these scripts on the local server (where the
> >>application runs) or on the FTP server. Both servers are web-servers, so
> >>probably I could make a request to a secured link, where there is a script
> >>that creates users.
> >>
> >>I am not sure that this is the best option. It could be a major security
> >>leak.
> >>And if it is... then how to do it?
> >>
> >>
> >>----- Original Message -----
> >>From: "Peer Stefan" <stefan.peer@xxxxxxxx>
> >>To: <suse-security@xxxxxxxx>
> >>Sent: Tuesday, May 30, 2006 12:58 PM
> >>Subject: AW: [suse-security] Create FTP account remotely from web
> >>application
> >>
> >>
> >>Hi Andy,
> >>
> >>this looks like you'll need some centralised authentication service. Try
> >>setting up an LDAP server and configuring your FTP server to use PAM
> >>authentication with LDAP.
> >>You'll still need to set up a local userid for filesystem permissions
> >>though.
> >>
> >>Good luck
> >>Stefan
> >>
> >>>From: Andy [mailto:frum@xxxxxxxxx]
> >>>
> >>>Hi to all,
> >>>
> >>>I have a web application from which I need to create some FTP
> >>>accounts on another server.
> >>>Between the servers I can have SSH, FTP or WEB(and some other
> >>>if necessary but I don't think so) access but I don't know
> >>>how to create the "relation" between the web scripts and
> >>>account creation, and of course without compromising the
> >>>security of the systems.
> >>>
> >>>I need some advice.
> >>>
> >>>Thanks in advance.
> >>>Andy.
> >>>
> >>
> >>--
> >>Check the headers for your unsubscription address
> >>For additional commands, e-mail: suse-security-help@xxxxxxxx
> >>Security-related bug reports go to security@xxxxxxx, not here
> >>
> >
> >--
> >
> >-ashley
> >
> >Did you try poking at it with a stick?
> >
> >
>

--

-ashley

Did you try poking at it with a stick?
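
The polling approach suggested in this thread, written out as an added example that is not part of the original messages: a cron job under a dedicated account picks up requests the web app drops in a spool directory, validates them, calls the account-creation script, and writes a result file so the web app can learn the outcome. The spool layout, the request file format, the script path and the `--run` argument are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: cron-driven poller, run by a dedicated account (never wwwrun).
# Assumptions (hypothetical): the web app drops <id>.req files holding only a
# username into $SPOOL/new; results go to $SPOOL/done/<id>.result, a directory
# wwwrun can read but not write; CREATE_CMD is the existing account script.
LC_ALL=C; export LC_ALL   # make [a-z] ranges match ASCII only
SPOOL="${SPOOL:-/var/spool/ftpreq}"
CREATE_CMD="${CREATE_CMD:-sudo /usr/local/sbin/create_ftp_user.sh}"

# Allow-list check: 1-32 chars, starts with a letter, only a-z 0-9 _ -.
# A leading "-" is refused so the name can never be parsed as an option.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

process_spool() {
    local req id name status
    for req in "$SPOOL"/new/*.req; do
        # Skip an unmatched glob and anything that is not a plain file.
        if [ ! -f "$req" ] || [ -L "$req" ]; then continue; fi
        id=$(basename "$req" .req)
        case "$id" in
            ''|*[!A-Za-z0-9]*) rm -f -- "$req"; continue ;;
        esac
        # Treat the file as data: read one line, never source or eval it.
        name=''
        IFS= read -r name < "$req" || true
        if ! valid_username "$name"; then
            status='rejected: invalid username'
        elif $CREATE_CMD "$name" >/dev/null 2>&1; then  # unquoted on purpose: command + args
            status='created'
        else
            status='failed'
        fi
        # The web app reads this file to learn the outcome of its request.
        printf '%s\n' "$status" > "$SPOOL/done/$id.result"
        rm -f -- "$req"
    done
}

# Cron entry (constructed): */5 * * * * /usr/local/sbin/ftp_poller.sh --run
if [ "${1:-}" = "--run" ]; then process_spool; fi
```

The sudo rule for the poller account should permit only that one creation script, so a compromised web app can at most submit usernames that pass the allow-list.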

