Mailinglist Archive: opensuse-security (50 mails)

< Previous Next >
Re: [suse-security] Create FTP account remotely from web application
  • From: Ashley Gould <agould@xxxxxxxx>
  • Date: Tue, 30 May 2006 09:30:59 -0700
  • Message-id: <20060530163059.GB5580@xxxxxxxx>
We are doing something kind of similar. A php web app creates a file that
needs to be transferred to another "sftp" server. But no way do I
want user apache to have access to login credentials on the sftp server.
Our hack is a separate user runs a cronjob every 5 minutes to check if
the php app has created the file, and if so, sftp it to the other server
using ssh keys with empty passphrase. Not very elegant, but more secure.

In your case, perhaps a user with sudo rights to create ftp accounts
can poll the webserver for some "make new account" flag that gets set
by your web application.


On Tue, May 30, 2006 at 04:25:03PM +0300, Andy wrote:
> Somehow I need to runt these script on the local server(where the
> application runs) or on the FTP server. Both servers are web-servers, so
> probably I could make a request to a securized link, where is a script that
> creates users.
>
> I am not sure that this is the best option. It could be a major security
> leak.
> An if it is... then how to do it?
>
>
> ----- Original Message -----
> From: "Peer Stefan" <stefan.peer@xxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: Tuesday, May 30, 2006 12:58 PM
> Subject: AW: [suse-security] Create FTP account remotely from web
> application
>
>
> Hi Andy,
>
> this looks like you'll need some centralised authentication service. Try
> set up an ldap server and configure your ftp server to use pam
> authentication with ldap.
> You'll still need to set up a local userid for filesystem permissions
> though.
>
> Good luck
> Stefan
>
> >From: Andy [mailto:frum@xxxxxxxxx]
> >
> >Hi to all,
> >
> >I have a web application from which I need to create some FTP
> >accounts on another server.
> >Between the servers I can have SSH, FTP or WEB(and some other
> >if necessary but I don't think so) access but I don't know
> >how to create the "relation" between the web scripts and
> >account creation and of corse without to compromise the
> >security of the systems.
> >
> >I need some advice.
> >
> >Thanks in advance.
> >Andy.
> >
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here

--

-ashley

Did you try poking at it with a stick?


< Previous Next >
Follow Ups
References