On 17.8.2009 13:36, Klaus Kaempf wrote:
Yes. As we're already using Ruby and ruby-dbus, it's a practical way without adding new dependencies. http://kkaempf.blogspot.com/2009/02/driving-d-bus-with-ruby.html shows an example.
I see, that makes sense. Thanks for the link.
Using YaPI to leverage existing YaST functionality is the way to go. I am questioning if adding to YaPI just for WebYaST is a practical way.
I see, so we want to have the REST services YaST independent as much as possible, right? [...]
Yes, but a malicious user could do ExecuteScript("start", "rm -rf /") instead of ExecuteScript("start", "/usr/bin/vendor_service")
I think this is pretty artificial. We are talking about a vendor config file specifying start/stop commands and passing those to the backend for execution. If a vendor puts "rm -rf /" in there, bad luck.
Yes, that's bad, but I mean something different. It means that the backend will execute _any_ requested script with root privileges, doesn't it? So we have to ensure that the DBus backend will accept requests only from the webyast user, so that a user with custom services access rights cannot use the backend directly (e.g. via dbus-send).

--
Best Regards

Ladislav Slezák
Yast Developer
------------------------------------------------------------------------
SUSE LINUX, s.r.o.                  e-mail: lslezak@suse.cz
Lihovarská 1060/12                  tel: +420 284 028 960
190 00 Prague 9                     fax: +420 284 028 951
Czech Republic                      http://www.suse.cz/
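One way to enforce the restriction asked for in this message, as an added example that is not part of the original thread or of the WebYaST code: a system-bus policy file that lets only the `webyast` user send messages to the backend. The bus name `org.example.WebYaST.Backend` is a hypothetical placeholder, and it is assumed that the backend runs as root on the system bus.

```xml
<!-- Added example. Assumed location: /etc/dbus-1/system.d/org.example.WebYaST.Backend.conf -->
<!-- "org.example.WebYaST.Backend" is a placeholder bus name, not the project's real one. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root may claim the backend's name, so no other process can impersonate it. -->
  <policy user="root">
    <allow own="org.example.WebYaST.Backend"/>
  </policy>

  <!-- Default for every caller: nothing may be sent to the backend.
       This is what stops a local user from calling it with dbus-send. -->
  <policy context="default">
    <deny own="org.example.WebYaST.Backend"/>
    <deny send_destination="org.example.WebYaST.Backend"/>
  </policy>

  <!-- User policies are applied after the default context, so this allow
       overrides the deny above for the webyast account only. -->
  <policy user="webyast">
    <allow send_destination="org.example.WebYaST.Backend"/>
  </policy>

</busconfig>
```

This policy limits who can reach the backend; it does not check what the backend is asked to run, so any code running as `webyast` can still request arbitrary scripts.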