Re: Simple script to Monitor LVS via Web

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Simple script to Monitor LVS via Web
From: Luca Maranzano <liuk001@xxxxxxxxx>
Date: Wed, 12 Oct 2005 16:33:27 +0200
Jeremy, this is a good point. I wrote it as a quick and dirty hack
without security in mind. It is used on the internal net from trusted
users who indeed have root access to the servers ;-)

However, sudo is configured to run only /sbin/ipvsadm from www-data
user, so I think that /bin/rm could not be executed.

Cheers,
Luca

PS: maybe we are going OT, pls reply to me directly

On 12/10/05, Jeremy Kerr <jk@xxxxxxxxxx> wrote:
> > eg: http://example.com/script.php?resolve_dns=1&dnsflag=;rm+-rf+/
>
> Sorry, that should have been:
>
> http://example.com/script.php?resolve_dns=1&dns_flag=;sudo+rm+-rf+/
>
> which will do the `rm -rf /` as root.
>
>
> Jeremy

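The issue raised in this thread, as an added example that is not part of either message or of the original script: the sudoers rule limits what runs as root, and this sketch covers the other half, keeping request text out of the command line entirely. The function names, the meaning given to `resolve_dns=1`, the use of `ipvsadm -L` for the listing, and PHP 7.4+ are assumptions.

```php
<?php
// Added example: request parameters only choose between fixed option sets.
// Function names are hypothetical; /sbin/ipvsadm is the path named in the thread.
const IPVSADM = '/sbin/ipvsadm';

// Build the argv for the listing command. No request string is copied in.
function build_ipvsadm_argv(array $query): array
{
    // Assumption: the literal "1" turns name resolution on; anything else is off.
    $resolve = isset($query['resolve_dns']) && $query['resolve_dns'] === '1';
    $argv = ['sudo', '-n', IPVSADM, '-L'];   // sudo -n: never prompt for a password
    if (!$resolve) {
        $argv[] = '-n';                      // ipvsadm -n: numeric output, no DNS lookups
    }
    return $argv;
}

// Run the command without a shell, so ';', '|' and '$()' carry no meaning.
function run_ipvsadm(array $argv): string
{
    // Given an array, proc_open() (PHP 7.4+) starts the program directly, not via /bin/sh.
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ipvsadm');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed input mirroring the query string quoted in the thread.
parse_str('resolve_dns=1&dns_flag=;sudo+rm+-rf+/', $query);
$argv = build_ipvsadm_argv($query);
echo implode(' ', $argv), "\n";              // dns_flag never reaches the command
// In the page handler: echo htmlspecialchars(run_ipvsadm($argv));
```

With this shape the sudoers entry for www-data can also be narrowed to the exact argument lists the page needs rather than any `/sbin/ipvsadm` invocation.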