
Re: Proper and secure way to execute privileged code via a web interface



Geoff White wrote:
> This is a question of programming style. If one is executing code or
> scripts that must perform wheel or root processes (ifconfig, adduser,
> system restart, etc) from a web form (the user must first login and the
> channel is SSL) what is the safest way to go about this.
> Should I encapsulate all of the "privileged" stuff into a single
> subroutine/script that I then sudo for the web server?
> (Here I can boundary check and closely scrutinize all arguments coming
> in at a centralized place) or is there a better way. What is "industry
> standard" and what is the RIGHT THING?
>
> Are there any books/sites/papers that talk about this?

I don't think there is any one answer to this question, unfortunately.
You look at your application, and try to come up with the biggest
"safety gap" you can manage.

The safest way is to not do it.  Everything else is a compromise.
That's where this business gets really exciting, really fast.

Personally, I'd try for something along the lines of having your web app
write a file to a very small writable place within its chroot, which
would then be read, sanitized and processed externally by another app
with another user.  But, this is not possible for all applications,
obviously.

(warning: there's a reason I don't work in src/.  I may have just
demonstrated it. :)

Nick.
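The spool-file design Nick sketches above (the web app writes a request file into one small writable directory, and a separate process running as a different user reads it, sanitizes it and acts on it), worked through as an added example that is not part of this thread or anyone's posted code. The JSON request format, the two-entry allowlist of operations, the argument regexes, and the spool layout with done/ and rejected/ subdirectories are all my assumptions for the illustration; the handlers in the demo only record what they would have done instead of running anything.

```python
"""Privilege separation through a spool directory (added example, not from
the thread). Unprivileged side: write_request(). Privileged side:
validate_request() and process_spool(), which default-deny anything not on
the allowlist. Request format, operation names and directory layout are
assumptions made for this illustration."""
import json
import os
import re
import stat
import tempfile

# Default deny: only these operations, with exactly these argument names,
# each argument checked against a tight pattern. Assumed for the example.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
IFACE_RE = re.compile(r"^[a-z]{2,8}[0-9]{1,3}$")
ALLOWED_OPS = {
    "adduser": {"name": USERNAME_RE},
    "ifdown": {"iface": IFACE_RE},
}
MAX_REQUEST_BYTES = 512  # keep the privileged parser's job small


def write_request(spool_dir, op, **args):
    """Web-tier side (no privilege): drop a small JSON request into the
    spool atomically, so the consumer never sees a half-written file."""
    payload = json.dumps({"op": op, "args": args}).encode()
    if len(payload) > MAX_REQUEST_BYTES:
        raise ValueError("request too large")
    fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix=".tmp-")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    final = os.path.join(spool_dir, os.path.basename(tmp)[len(".tmp-"):] + ".req")
    os.rename(tmp, final)
    return final


def validate_request(raw):
    """Privileged side: parse and check one request. Returns (op, args) or
    raises ValueError. Shape, operation, argument set and every value are
    all checked; nothing is passed through unexamined."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("oversized request")
    data = json.loads(raw)
    if not isinstance(data, dict) or set(data) != {"op", "args"}:
        raise ValueError("bad request shape")
    op = data["op"]
    spec = ALLOWED_OPS.get(op)
    if spec is None:
        raise ValueError("operation not allowed: %r" % (op,))
    args = data["args"]
    if not isinstance(args, dict) or set(args) != set(spec):
        raise ValueError("wrong argument set for %s" % op)
    for name, pattern in spec.items():
        value = args[name]
        if not isinstance(value, str) or not pattern.match(value):
            raise ValueError("invalid %s for %s" % (name, op))
    return op, args


def process_spool(spool_dir, handlers):
    """Privileged consumer: handle every *.req, moving each to done/ or
    rejected/. handlers maps op name -> callable taking keyword args."""
    results = []
    for name in sorted(os.listdir(spool_dir)):
        if not name.endswith(".req"):
            continue
        path = os.path.join(spool_dir, name)
        # The spool is writable by the web user, so refuse anything that
        # is not a plain regular file (symlinks, fifos, ...).
        if not stat.S_ISREG(os.lstat(path).st_mode):
            results.append((name, "rejected", "not a regular file"))
            os.rename(path, os.path.join(spool_dir, "rejected", name))
            continue
        with open(path, "rb") as f:
            raw = f.read(MAX_REQUEST_BYTES + 1)
        try:
            op, args = validate_request(raw)
        except ValueError as err:
            results.append((name, "rejected", str(err)))
            os.rename(path, os.path.join(spool_dir, "rejected", name))
            continue
        handlers[op](**args)  # validated keyword args only, never a shell string
        results.append((name, "done", op))
        os.rename(path, os.path.join(spool_dir, "done", name))
    return results


def demo():
    """Run both sides against a temporary spool with constructed requests.
    Returns (performed, results) so the outcome can be checked."""
    spool = tempfile.mkdtemp(prefix="spool-")
    for sub in ("done", "rejected"):
        os.mkdir(os.path.join(spool, sub))
    performed = []
    handlers = {  # recording stand-ins for the real privileged actions
        "adduser": lambda name: performed.append(("adduser", name)),
        "ifdown": lambda iface: performed.append(("ifdown", iface)),
    }
    write_request(spool, "adduser", name="alice")        # valid
    write_request(spool, "ifdown", iface="em0")          # valid
    write_request(spool, "adduser", name="bob;id")       # constructed bad argument
    write_request(spool, "reboot")                       # not on the allowlist
    results = process_spool(spool, handlers)
    return sorted(performed), results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the handlers would invoke the privileged command with an argv list (a `subprocess.run([...])` call, never a string handed to a shell), the spool directory would be the only writable path inside the web server's chroot, and the consumer would run as a dedicated account rather than root wherever the operation allows it. The point of the layout is that the privileged process only ever parses a few hundred bytes of a format it defines itself.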
