Yes, I know how it works; I studied it when I had problems. But this architecture means that the user yastws has big permissions on that system, like changing installed software (or uninstalling it) or setting some basic system settings, and this user runs a service which is reachable from the network. So for me it is still quite a problem that if someone hacks the server, then he owns many permissions and then it is quite easy to get a root account. As an example, I think it is possible to share important data via Samba, or stop many important services, or change user permissions... which can change permissions also for yastws itself and can allow ssh login as an easy backdoor. If we still use the current solution, then we must ensure that our rest-service cannot avoid checking permissions for the logged-in user or run a custom command, as the rest-service user is a strong user.
JR

Stefan Schubert wrote:
P.S.: Here is a general description of how it works:
http://en.opensuse.org/YaST/Web#General_2
Greetings Stefan
Stefan Schubert wrote:
Hi, nice ideas which are VERY interesting.
Some history:
When we started the WebYaST project, only the SCR DBUS interface of YaST was available to communicate with YaST. So almost all calls were done via SCR::Execute by starting YaST modules in command-line mode. For that, these rights were set in the RPM post-install script for the user "yastws". In order to improve security, only a "white list" of commands is valid when calling SCR::Execute (have a look at "def execute (arguments, environment=[] )" in webservice/lib/scr.rb).
Now, as more and more YaST modules provide a DBUS interface, these SCR::Execute calls are no longer needed. (I think we will change this step by step.) But now each webservice plugin has to set the special rights on its own for the user "yastws" (I assume while installing the package). So the user "yastws" only has rights for special YaST resources. From my point of view this would address the security issue. But maybe I am wrong....
I have asked Ludwig about this concept and at least he has NOT said NO :-) (Ludwig, I hope you have no objections to being added to the discussion again. Perhaps I have missed something.)
To the other ideas:
Josef Reidinger wrote:
Hi, I am studying the permissions problem on 11.1 in the language module. I found (with mvidner's help) the root of the problem in the YaST DBus backend call from yast-webservice. I check in the webservice if the user has rights (in this case root) and then I call DBus. The problem is that the DBus backend does not check against root but against the caller, which is the yastws user. So the first solution which works is to grant yastws all rights in the RPM post-script as we do for root. But I think that this is quite a big security issue, as it means that anyone who cracks into the webservice has all rights, because he can act as the yastws user with all rights to the YaST backend. This should be solved somehow. MVidner had the idea that we could run the backend as the logged-in user instead of yastws. This has the problem that we must somehow handle sending passwords and also a multiuser process (another user maybe needs another port).
In the future we will have one special (unique) port for the YaST webservice, which will be applied for via an organisation (I have forgotten the name. Klaus said that he will take care of it :-) ). So variable port addresses will not be a solution here.
My idea is to use ssh with key authentication and execute the dbus call via this ssh, so then we can act as the logged-in user and not as yastws.
I am not sure if we really improve our security here. Ludwig, what do you think about this suggestion?
Any other ideas or comments? Thanks, JR
Greetings Stefan
-- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org For additional commands, e-mail: yast-devel+help@opensuse.org
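The permission problem Josef describes (the webservice checks the logged-in user, but the DBus backend authorizes the caller, which is yastws) put next to the whitelist approach Stefan mentions, as an added Ruby example that is not WebYaST code; the action names, the rights table and all function names are constructed for illustration.

```ruby
# Added example, not WebYaST code. Models the flow discussed in the thread:
# the webservice (running as "yastws") checks the logged-in user, then calls
# the backend, which authorizes the *caller* process rather than that user.
# Action names, the rights table and the whitelist are constructed.

# Constructed rights table. "yastws" has everything because the RPM
# post-script granted it the same rights as root (the first workaround).
RIGHTS = {
  "root"   => %w[language.read language.write users.write],
  "alice"  => %w[language.read],
  "yastws" => %w[language.read language.write users.write],
}.freeze

# Constructed whitelist in the spirit of execute() in webservice/lib/scr.rb:
# only these backend actions may be invoked from the webservice at all.
WHITELIST = %w[language.read language.write].freeze

def permitted?(user, action)
  RIGHTS.fetch(user, []).include?(action)
end

# Backend as described in the thread: it authorizes whoever calls over DBus.
def backend_by_caller(action, caller)
  permitted?(caller, action) ? :executed : :denied_by_backend
end

# Current flow: the webservice checks the logged-in user, then calls the
# backend as yastws. The backend check is against yastws, so the webservice
# check is the only real one; if it is ever skipped, every right granted to
# yastws is reachable (the risk Josef and JR describe).
def webservice_call(logged_user, action, check_user: true)
  if check_user && !permitted?(logged_user, action)
    return :denied_by_webservice
  end
  backend_by_caller(action, "yastws")
end

# Hardened flow: the backend authorizes the user the call is made on behalf
# of, and the action must also be whitelisted. Skipping the webservice
# check no longer changes the outcome.
def backend_on_behalf_of(action, logged_user)
  return :denied_not_whitelisted unless WHITELIST.include?(action)
  permitted?(logged_user, action) ? :executed : :denied_by_backend
end

if $PROGRAM_NAME == __FILE__
  p webservice_call("alice", "users.write")                    # :denied_by_webservice
  p webservice_call("alice", "users.write", check_user: false) # :executed (the issue)
  p backend_on_behalf_of("users.write", "alice")               # :denied_not_whitelisted
  p backend_on_behalf_of("language.write", "root")             # :executed
end
```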