170 Re: client-server forwarding trickery

  • mbrutsch@intrusion.com
    Apr 4, 2001
      --- In soaplite@y..., Paul Kulchenko <paulclinger@y...> wrote:
      > Hi, Michael!
      >
      > Interesting question, but it seems like you don't need SOAP server
      > that will forward requests, you just need to have simple proxy that
      > will forward request to SOAP server unavailable from internet.
      > Probably it would be better to do without involving two servers,
      > otherwise you'll need to parse your request twice without visible
      > benefits. Accept HTTP request, check SOAPAction if required (for
      > better security), forward HTTP message to SOAP server, execute
      > message (match SOAPAction with content of the message), send response
      > back and finally forward this response to the destination. You may
      > also provide several transports and ticket-based authentication, if
      > http is unavailable for you for any reason, you may send your request
      > by smtp or even ftp as soon as you have valid ticket. Am I missing
      > something?

      No, you have the essence of the problem. I just don't know how to go
      about writing the 'simple proxy that will forward request to SOAP
      server' (and forward results back to the Internet), so I wanted to
      exhaust existing methods before venturing off into unknown
      territory...next stop, Perl Monks.

      Thanks for your help!

      Michael

      >
      > Best wishes, Paul.
      >
      > --- "Brutsch, Michael" <mbrutsch@i...> wrote:
      > > I'm trying to solve a security issue with running CGIs as root. I'm
      > > writing an app to remotely manage a linux box, and I'd like to use
      > > SOAP.
      > > Problem is, the server needs to run as root (or suid scripts, or in
      > > *some* way have access to root privs) to perform sysadmin functions:
      > >
      > > Remote SOAP client <-soap-> Local SOAP server
      > >
      > > What I'd like to do, is place another process in-between, which has NO
      > > privileges, and acts as a 'forwarder' between the remote client and the
      > > privileged server:
      > >
      > > Remote SOAP client <-soap-> Local 'forwarder' <----> Local SOAP server
      > >
      > > This way, the only connection to the outside world is the local
      > > forwarder, and since it has no privs, compromising it would not
      > > compromise the box (i.e., buffer overflow drops you into a 'nobody'
      > > shell, instead of a 'root' shell).
      > >
      > > I have the first example working beautifully, with several
      > > transports.
      > >
      > > My question: Is there an easy way to code a SOAP::Lite
      > > 'client/server'
      > > that can sit between a client and a server, and just forward
      > > requests
      > > (and results) back and forth?
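The forwarding steps described in the quoted reply above (accept the HTTP request, check SOAPAction, forward to the SOAP server, relay the response), as an added example that is not part of the original thread or of SOAP::Lite. The ports, backend URL, size limit and SOAPAction names are assumptions chosen for illustration.

```perl
# Added example: unprivileged forwarder in front of a root-owned SOAP server.
# Assumed values (not from the thread): ports, backend URL, action names.
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Request;
use HTTP::Response;
use LWP::UserAgent;

my $BACKEND  = 'http://127.0.0.1:8001/';  # privileged server, bound to loopback only
my $MAX_BODY = 64 * 1024;                 # largest envelope passed to the root process
my %ALLOWED  = map { $_ => 1 }            # hypothetical SOAPAction allowlist
    ('urn:SysAdmin#uptime', 'urn:SysAdmin#restart_service');

# The forwarder exists to hold no privileges, so refuse to start as root.
die "run as an unprivileged user (e.g. nobody), not root\n" if $> == 0;

my $daemon = HTTP::Daemon->new(LocalPort => 8080, ReuseAddr => 1)
    or die "cannot listen: $!\n";
my $ua = LWP::UserAgent->new(timeout => 10, max_redirect => 0);
# Serial accept loop: one client at a time, enough to show the flow.
while (my $conn = $daemon->accept) {
    while (my $req = $conn->get_request) {
        my $action = $req->header('SOAPAction') // '';
        $action =~ s/^"(.*)"$/$1/;        # the header value is normally quoted
        if ($req->method ne 'POST') {
            $conn->send_error(405);
        } elsif (length($req->content) > $MAX_BODY) {
            $conn->send_error(413);
        } elsif (!$ALLOWED{$action}) {
            $conn->send_error(403, 'SOAPAction not permitted');
        } else {
            # Rebuild the request so only the headers SOAP needs reach the backend.
            my $ctype = $req->header('Content-Type') || 'text/xml';
            my $fwd = HTTP::Request->new(POST => $BACKEND,
                [ 'Content-Type' => $ctype, 'SOAPAction' => qq("$action") ],
                $req->content);
            my $res = $ua->request($fwd);
            # LWP marks its own errors (backend down, timeout); hide them as 502.
            my $local = ($res->header('Client-Warning') // '') eq 'Internal response';
            $conn->send_response($local
                ? HTTP::Response->new(502, 'Bad Gateway')
                : HTTP::Response->new($res->code, $res->message,
                    [ 'Content-Type' => $res->header('Content-Type') || 'text/xml' ],
                    $res->content));
        }
    }
    $conn->close;
}
```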