Mailinglist Archive: yast-devel (246 mails)

< Previous Next >
Re: [yast-devel] WebYaST: Vendor customization
  • From: Ladislav Slezak <lslezak@xxxxxxx>
  • Date: Wed, 19 Aug 2009 16:33:50 +0200
  • Message-id: <4A8C0D4E.2030205@xxxxxxx>
Dne 17.8.2009 13:36, Klaus Kaempf napsal(a):
Yes. As we're already using Ruby and ruby-dbus, its a practical way
without adding new dependencies.
http://kkaempf.blogspot.com/2009/02/driving-d-bus-with-ruby.html shows
an example.

I see, that makes sense.
Thanks for the link.

Using YaPI to leverage existing YaST functionality is the way to go.
I am questioning if adding to YaPI just for WebYaST is a practical way.

I see, so we want to have the REST services YaST independent as much as
possible, right?

[...]
Yes, but a malicious user could do
ExecuteScript("start", "rm -rf /")
instead of
ExecuteScript("start", "/usr/bin/vendor_service")

I think this is pretty artificial. We are talking about a vendor
config file specifying start/stop commands and passing those to the
backend for execution.
If a vendor puts "rm -rf /" in there, back luck.

Yes, that's bad, but I mean something different.

It means that the backend will execute _any_ requested script with root
privileges,
isn't it? So we have to ensure that the DBus backend will accept requests only
from
webyast user so the user with custom services access rights cannot use the
backend
directly (e.g. via dbus-send).


--

Best Regards

Ladislav Slezák
Yast Developer
------------------------------------------------------------------------
SUSE LINUX, s.r.o. e-mail: lslezak@xxxxxxx
Lihovarská 1060/12 tel: +420 284 028 960
190 00 Prague 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz/
--
To unsubscribe, e-mail: yast-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: yast-devel+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups