Mailinglist Archive: yast-devel (246 mails)

Re: [yast-devel] WebYaST: Vendor customization
  • From: Ladislav Slezak <lslezak@xxxxxxx>
  • Date: Wed, 19 Aug 2009 16:33:50 +0200
  • Message-id: <4A8C0D4E.2030205@xxxxxxx>
On 17.8.2009 13:36, Klaus Kaempf wrote:
Yes. As we're already using Ruby and ruby-dbus, it's a practical way
without adding new dependencies. shows
an example.

I see, that makes sense.
Thanks for the link.

Using YaPI to leverage existing YaST functionality is the way to go.
I am questioning if adding to YaPI just for WebYaST is a practical way.

I see, so we want to have the REST services YaST independent as much as
possible, right?

Yes, but a malicious user could do
ExecuteScript("start", "rm -rf /")
instead of
ExecuteScript("start", "/usr/bin/vendor_service")

I think this is pretty artificial. We are talking about a vendor
config file specifying start/stop commands and passing those to the
backend for execution.
If a vendor puts "rm -rf /" in there, bad luck.

Yes, that's bad, but I mean something different.

It means that the backend will execute _any_ requested script with root
isn't it? So we have to ensure that the DBus backend will accept requests only from
webyast user so the user with custom services access rights cannot use the
directly (e.g. via dbus-send).


Best Regards

Ladislav Slezák
Yast Developer
SUSE LINUX, s.r.o. e-mail: lslezak@xxxxxxx
Lihovarská 1060/12 tel: +420 284 028 960
190 00 Prague 9 fax: +420 284 028 951
Czech Republic
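
An added example, not part of the original message or of the WebYaST code: a backend-side check in Ruby that accepts an ExecuteScript-style request only from the webyast user and only for the command the vendor config already names for that action. All identifiers, the UID, and the "stop" command line are assumptions made for illustration.

```ruby
require "shellwords"

# All names here are hypothetical: VENDOR_SERVICES, WEBYAST_UID, Denied,
# authorize_execute, run_authorized.

# Constructed stand-in for the vendor config file: action => command line.
VENDOR_SERVICES = {
  "start" => "/usr/bin/vendor_service",
  "stop"  => "/usr/bin/vendor_service --stop"
}.freeze

WEBYAST_UID = 498 # constructed value; resolve the real account at startup

class Denied < StandardError; end

# Returns the argv to execute, or raises Denied.
# caller_uid must come from the bus daemon
# (org.freedesktop.DBus.GetConnectionUnixUser on the sender's unique name),
# never from anything inside the request itself.
def authorize_execute(caller_uid, action, requested,
                      config: VENDOR_SERVICES, allowed_uid: WEBYAST_UID)
  unless caller_uid == allowed_uid
    raise Denied, "caller uid #{caller_uid} is not the webyast user"
  end
  configured = config.fetch(action) do
    raise Denied, "unknown action #{action.inspect}"
  end
  # The request may only name what the vendor config already names.
  raise Denied, "command is not the configured one" unless requested == configured
  argv = Shellwords.split(configured)
  raise Denied, "command must be an absolute path" unless argv.first.to_s.start_with?("/")
  argv
end

def run_authorized(caller_uid, action, requested)
  argv = authorize_execute(caller_uid, action, requested)
  # [path, argv0] form: Ruby never hands this to a shell, so metacharacters
  # in the config stay literal arguments.
  system([argv[0], argv[0]], *argv[1..])
end
```

A matching policy on the system bus that denies other users the right to send to the service would back this check up at the bus level.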