And if anyone would like to know what he -really- said, in context, read the article online at: http://www.scoworld.com/html/body_aug98net.html Ben: The set-up described there is fairly secure. (Although I'd used ssh/scp instead of the r_services). The .rhosts files allow "webserver" to log in from only 1 machine on the INTRA-net, from one specific IP address, which is protected (presumably) by a firewall. To top it off, the "webserver" user has no valid shell or password so anyone that gets into the account isn't going to be going anywhere with it. I don't see this as being anything different than having a root window open on your desktop, with ssh installed on all your machines. (Someone sits down, ssh's to another machine and *poof*, they're root.) In fact, it's more secure since user "webserver" was only given enough permission to monitor rudimentary files. Granted, some of the information in those files may allow an intruder to gain further access but if they're sitting at the administrators machine they've already got that. Since the CGI is being accessed by the system administrator, your remark about the "user" being able to plug in any host name is plain silly. If they've got access to the CGI you're ALREADY compromised. Besides, from the shell I've got MORE than enough rope to hang myself. If I'm trying to administer a remote machine over the web I want that same length of rope. I'll grant you this much: It's not going to be the most secure setup in the world, and I'd much prefer netconsole/nocol, but as described the setup in that article is nowhere near as bad as your analysis implied. -- Joe H. Technical Support General Support: supportat_private Blarg! Online Services, Inc. Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net On Wed, 11 Nov 1998, Ben Laurie wrote: > I don't use SCO any more (well, I can give it up any time, honest), but > I still get their mags. So, this morning I was leafing through SCO > World, August '98 and September/October '98. Therein we find "Nuthin' > but Net", "Administering Your System via the Web" by Jim Mohr. This > suggests so many really Bad Things it is difficult to know where to > start, but here goes. > > 1. First, set up .rhosts on all your servers, so the webserver can log > in and do stuff. > > 2. Let the user specify the server name as a CGI parameter. Any name > they like. > > 3. Now, using perl, pass that name, unvetted, to rsh like so: > open(MSG,'rsh '.$server.' other stuff'); > > Wonderful. I wonder if we can find a SCO server running this stuff? > > Oh, BTW, here's a particular gem I shall treasure forever: "Lowering > security to make Web access easier is less of a problem". Yeah, right! > > Cheers, > > Ben. > > -- > Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member > Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ > and Technical Director|Email: benat_private | > A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/ > London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/ >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:08 PDT