Mailinglist Archive: yast-devel (246 mails)

Re: [yast-devel] WebYaST: Vendor customization
  • From: Jiří Suchomel <jsuchome@xxxxxxx>
  • Date: Fri, 14 Aug 2009 07:44:11 +0200
  • Message-id: <200908140744.11196.jsuchome@xxxxxxx>
On Thursday 13 of August 2009 21:51:35 Klaus Kaempf wrote:
* Jiří Suchomel <jsuchome@xxxxxxx> [Aug 13. 2009 18:37]:
The scripts (either vendor specific ones or init scripts) should be
called by YaPI because of SCR running with root privileges. Or maybe
there is some other way, but I don't know about it.

Well, one just needs a service running as root behind D-Bus. It doesn't
have to be SCR.

Yes, we just need this. But do we currently have such a service, other than SCR?

So you mean that parsing the config file could be done on ruby level?
That is possible, but how should the results (the example of result is
path to executable script) be passed to YaPI layer? As a parameter?

Sure. Just as SCR::Execute(.bash) gets the command as parameter.

Well, yes, at the end. But I thought you are arguing against SCR...?

This is a security risk, as the one who has the right to operate
services gets the right to execute custom script....

Sure, executing the script is the main purpose of (getting rights to)

But there are risks and risks.

The security argument is bound to YaPI usage, if there's no YaPI and
everything is done inside rest, then there's no questioning, of course. But
YaPI gives nice access to SCR and SCR is a root-running service behind D-BUS.

With YaPI, I could only expose a function to start/stop given service, not to
run arbitrary script. Having function ExecuteScript
("start", "path_to_script"), every user with rights to ExecuteScript can run
arbitrary stuff. With function ExecuteScript ("start", "my_app"), user with
ExecuteScript rights can really only operate "my_app", when the information
about my_app's start script is stored in a file with rights 600 and parsed
directly by ExecuteScript function.


Jiri Suchomel

SUSE LINUX, s.r.o. e-mail: jsuchome@xxxxxxx
Lihovarská 1060/12 tel: +420 284 028 960
190 00 Praha 9, Czech Republic
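
The design from the last paragraph of the message, sketched in Ruby as an added example (not code from the thread or from WebYaST/YaPI): the caller passes only an action and an application name, and the root-side function resolves the script from a registry file that must be owned by root with mode 600. The registry path, its `name = /path` format and all function names are assumptions.

```ruby
# Added example: names, paths and the config format are hypothetical.
ALLOWED_ACTIONS = %w[start stop restart status].freeze
APP_NAME = /\A[a-z0-9_-]{1,32}\z/
# Constructed sample registry content ("name = /absolute/path" per line).
SAMPLE_REGISTRY = "# constructed sample\nmy_app = /usr/sbin/rcmy_app\n"

class PolicyError < StandardError; end

# Parse the registry, but only from a regular file owned by owner_uid
# with no group/other permission bits set (e.g. mode 0600).
def load_registry(path, owner_uid: 0)
  st = File.lstat(path) # lstat: a symlink is rejected, not followed
  raise PolicyError, "not a regular file" unless st.file?
  raise PolicyError, "wrong owner" unless st.uid == owner_uid
  raise PolicyError, "group/other access" unless (st.mode & 0o077).zero?

  File.readlines(path, chomp: true).each_with_object({}) do |line, reg|
    next if line.strip.empty? || line.lstrip.start_with?("#")
    name, script = line.split("=", 2).map(&:strip)
    unless name =~ APP_NAME && script&.start_with?("/")
      raise PolicyError, "bad entry: #{line}"
    end
    reg[name] = script
  end
end

# Map (action, app name) to an argv array. The caller never supplies a path.
def resolve_command(action, app, registry)
  raise PolicyError, "action not allowed" unless ALLOWED_ACTIONS.include?(action)
  raise PolicyError, "invalid app name" unless app.is_a?(String) && app =~ APP_NAME
  script = registry.fetch(app) { raise PolicyError, "unknown app" }
  [script, action]
end

# Root-side entry point: the argv form of system() does not invoke a shell.
def execute_script(action, app, config: "/etc/webyast/vendor_services.conf")
  system(*resolve_command(action, app, load_registry(config)))
end
```
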