From owner-freebsd-questions@FreeBSD.ORG Tue Sep 23 09:35:41 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B116F1065676
	for <freebsd-questions@freebsd.org>; Tue, 23 Sep 2008 09:35:41 +0000 (UTC)
	(envelope-from freebsd-questions@m.gmane.org)
Received: from ciao.gmane.org (main.gmane.org [80.91.229.2])
	by mx1.freebsd.org (Postfix) with ESMTP id 3E0328FC15
	for <freebsd-questions@freebsd.org>; Tue, 23 Sep 2008 09:35:41 +0000 (UTC)
	(envelope-from freebsd-questions@m.gmane.org)
Received: from list by ciao.gmane.org with local (Exim 4.43)
	id 1Ki4J1-0004OU-La
	for freebsd-questions@freebsd.org; Tue, 23 Sep 2008 09:35:39 +0000
Received: from 35.red-80-34-206.staticip.rima-tde.net ([80.34.206.35])
	by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <freebsd-questions@freebsd.org>; Tue, 23 Sep 2008 09:35:39 +0000
Received: from matiassurdi by 35.red-80-34-206.staticip.rima-tde.net with local (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <freebsd-questions@freebsd.org>; Tue, 23 Sep 2008 09:35:39 +0000
X-Injected-Via-Gmane: http://gmane.org/
To: freebsd-questions@freebsd.org
From: Matias Surdi
Date: Tue, 23 Sep 2008 11:36:09 +0200
Lines: 33
References: <200809230032.00517.fbsd.questions@rachie.is-a-geek.net>
	<20080922223932.GA23640@ayn.mi.celestial.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: 35.red-80-34-206.staticip.rima-tde.net
User-Agent: Thunderbird 2.0.0.16 (X11/20080724)
In-Reply-To: <20080922223932.GA23640@ayn.mi.celestial.com>
Sender: news
Subject: Re: Run script as root from WebServer
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 23 Sep 2008 09:35:41 -0000

Bill Campbell wrote:
> On Tue, Sep 23, 2008, Mel wrote:
>> On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>>
>>> The problem is that some of these scripts deal with configuration files
>>> and some other tasks that require root privileges.
>> There are 2 alternatives I have used:
>> 1) If the configuration files allow 'includes', then include a file that is
>> writeable by the webuser. This will additionally allow you to restrict what
>> the webserver can change in the config of this application. Note that
>> configuration files that are modifiable by root only often are for a reason,
>> so this does not improve the security of the service being configured, but it
>> takes a fork() and sudo out of the mix.
>>
>> 2) If the changes do not need to be immediate, then you can put it in a queue
>> directory and run a script through root's cron that picks up the queue and
>> runs the commands therein. You then have the opportunity to remove scripts
>> before they are run or even build in authorization.
>
> Another option that we use is to have an XML-RPC server running
> as root on localhost, accessible from the web server. This
> server is written using the standard python SimpleXMLRPCServer,
> and handles a limited number of procedures. Some of these
> procedures, such as running ``make'' in the etc/postfix directory,
> do not have serious authentication. Others have stronger methods
> of authentication and restrictions.
>
> Bill

This sounds like a good option too, but how do you prevent any user (maybe non-root) logged into the system from making calls to your XML-RPC server?
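As an added illustration of the root-side helper Bill describes (example code written for this page, not Bill's server and not anything from the FreeBSD project), the script below builds a SimpleXMLRPCServer that binds to the loopback address only, dispatches nothing outside a fixed allowlist of procedures, and requires a shared secret as the first parameter of every call. It assumes Python 3's `xmlrpc` package; the secret value, the procedure names and the `reload_postfix` stand-in are constructed for the demo and do not run any real command. A secret kept in a file readable only by root and the web server user is one answer to the question above: binding to 127.0.0.1 by itself limits the network scope, but every process on the host can still reach the loopback interface, so the token is what restricts which local caller gets served.

```python
"""Privilege-separated helper: a loopback-only XML-RPC server that exposes a
fixed allowlist of procedures and checks a shared secret on every call.
Added example, not the original poster's code; the secret, procedure names
and the reload_postfix stand-in are assumptions made for this demo."""
import hmac
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

# Constructed secret for the demo. In a deployment it would be read from a
# root-owned file that only the web server's user (e.g. via group) can read.
DEMO_SECRET = "constructed-demo-secret-not-for-production"


def reload_postfix() -> str:
    """Stand-in for the privileged action; returns a marker instead of running anything."""
    return "postfix-reloaded"


def list_aliases() -> list:
    """Second allowlisted procedure (constructed data)."""
    return ["root", "postmaster"]


# Explicit allowlist: only names in this table are ever dispatched, so there is
# no getattr() lookup that could expose other attributes of the helper object.
ALLOWED = {"reload_postfix": reload_postfix, "list_aliases": list_aliases}


class RootHelper:
    """Dispatch object: SimpleXMLRPCServer calls _dispatch(method, params)
    when the registered instance defines it, so every request passes here."""

    def __init__(self, secret: str):
        self._secret = secret

    def _check(self, token) -> None:
        # Constant-time comparison so the token cannot be guessed via timing.
        if not isinstance(token, str) or not hmac.compare_digest(token, self._secret):
            raise PermissionError("bad token")

    def _dispatch(self, method: str, params):
        if method not in ALLOWED:
            raise ValueError("procedure not allowed: %s" % method)
        if not params:
            raise PermissionError("missing token")
        self._check(params[0])
        return ALLOWED[method](*params[1:])


def start_server(secret: str = DEMO_SECRET, port: int = 0) -> SimpleXMLRPCServer:
    """Bind on 127.0.0.1 only (port 0 = pick a free port) and serve in a daemon thread."""
    server = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)
    server.register_instance(RootHelper(secret))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def call(port: int, token: str, method: str, *args):
    """Client side: the token travels as the first XML-RPC parameter."""
    proxy = xmlrpc.client.ServerProxy("http://127.0.0.1:%d/" % port)
    return getattr(proxy, method)(token, *args)


def rejected(port: int, token: str, method: str, *args) -> bool:
    """True if the server refused the call (any exception in _dispatch becomes a Fault)."""
    try:
        call(port, token, method, *args)
        return False
    except xmlrpc.client.Fault:
        return True


if __name__ == "__main__":
    srv = start_server()
    p = srv.server_address[1]
    print(call(p, DEMO_SECRET, "reload_postfix"))          # postfix-reloaded
    print(rejected(p, "wrong-token", "reload_postfix"))     # True
    print(rejected(p, DEMO_SECRET, "system.listMethods"))   # True: not allowlisted
    srv.shutdown()
    srv.server_close()
```

The allowlist plus `_dispatch` is the part worth copying: with `register_instance` alone, any public method of the object becomes callable, whereas routing through a table makes the set of root-level operations explicit and reviewable.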