Date: Mon, 22 Sep 2008 14:25:49 -0700
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Matias Surdi <matiassurdi@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Run script as root from WebServer
Message-ID: <20080922212549.GH66228@hal.rescomp.berkeley.edu>
In-Reply-To: <gb90gf$ev7$1@ger.gmane.org>
References: <gb90gf$ev7$1@ger.gmane.org>

Matias Surdi wrote:
> I'm using mod_python3 and apache22 to create some scripts and access them
> through a web interface.
>
> The problem is that some of these scripts deal with configuration files and
> some other tasks that require root privileges.
>
> In the past, I've solved this issue by using sudo and allowing just the
> commands I want to allow in the sudoers file to the apache user. But I'm
> wondering if this is the better way to do what I want to do.
>
> What would you do in such a situation?

I think sudo is pretty much _the_ way to accomplish this. Not that it
would be your only option per se, but I think it's definitely your best
option. We maintain a number of scripts that serve very restricted
purposes for the use of our web user with sudo.

    www WIFIROUTERS = (root) NOPASSWD: WIRELESS

This allows the www user to run the wireless connection setup/teardown
scripts as root without typing a password on wireless routers. We use
this to allow a transparent proxy web-app to move the user to the
"authenticated" firewall context.

Our sudoers file (shared across roughly 100 machines) is littered with
other examples ranging from allowing users to sa-learn in mailman to
nagios monitoring and remote sync jobs for DNS/DHCP.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
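
An added example, not part of the original message or the author's scripts: one way a Python web handler running as www could call a helper permitted by a sudoers rule like the one quoted above. The alias definitions, the sudo and helper paths, the helper's action/MAC arguments and the function names are all assumptions made for illustration.

```python
import re
import subprocess

# Assumed sudoers entries behind the rule quoted in the message
# (host names and helper path are hypothetical):
#   Host_Alias WIFIROUTERS = wifi1, wifi2
#   Cmnd_Alias WIRELESS    = /usr/local/sbin/wireless-session
#   www WIFIROUTERS = (root) NOPASSWD: WIRELESS
# A Cmnd_Alias entry without arguments permits ANY arguments, so the
# root-owned helper must validate its input as well; the checks below
# are the web application's half of that boundary.
SUDO = "/usr/local/bin/sudo"                  # assumed install location
HELPER = "/usr/local/sbin/wireless-session"   # hypothetical helper script
ACTIONS = ("setup", "teardown")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
SAFE_ENV = {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin"}


def build_command(action, mac):
    """Return the argv list for sudo, or raise ValueError on bad input."""
    if action not in ACTIONS:
        raise ValueError("unknown action")
    mac = mac.strip().lower()
    if not MAC_RE.fullmatch(mac):
        raise ValueError("malformed MAC address")
    # -n: never prompt for a password; fail if no NOPASSWD rule matches.
    # --: end of sudo's own options, so nothing after it is parsed as one.
    return [SUDO, "-n", "--", HELPER, action, mac]


def run_helper(action, mac, timeout=10):
    """Run the helper as root via sudo: argv list, no shell, fixed env."""
    argv = build_command(action, mac)
    result = subprocess.run(
        argv,
        capture_output=True,
        text=True,
        timeout=timeout,
        env=SAFE_ENV,
        check=False,
    )
    return result.returncode, result.stderr.strip()
```
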