Date:      Tue, 23 Sep 2008 11:36:09 +0200
From:      Matias Surdi <matiassurdi@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Run script as root from WebServer
Message-ID:  <gbad91$9p4$1@ger.gmane.org>
In-Reply-To: <20080922223932.GA23640@ayn.mi.celestial.com>
References:  <gb90gf$ev7$1@ger.gmane.org>	<200809230032.00517.fbsd.questions@rachie.is-a-geek.net> <20080922223932.GA23640@ayn.mi.celestial.com>

Bill Campbell wrote:
> On Tue, Sep 23, 2008, Mel wrote:
>> On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>>
>>> The problem is that some of these scripts deal with configuration files
>>> and some other tasks that require root privileges.
>> There are 2 alternatives I have used:
>> 1) If the configuration files allow 'includes', then include a file that is 
>> writeable by the webuser. This will additionally allow you to restrict what 
>> the webserver can change in the config of this application. Note, that 
>> configuration files that are modifiable by root only, often are for a reason, 
>> so this does not improve the security of the service being configured, but it 
>> takes a fork() and sudo out of the mix.
>>
>> 2) If the changes do not need to be immediate, then you can put it in a queue 
>> directory and run a script through root's cron that picks up the queue and 
>> runs the commands therein. You then have the opportunity to remove scripts 
>> before they are run or even build in authorization.
> 
> Another option that we use is to have an XML-RPC server running
> as root on localhost, accessible from the web server.  This
> server is written using the standard python SimpleXMLRPCServer,
> and handles a limited number of procedures.  Some of these
> procedures, such as running ``make'' in the etc/postfix directory,
> do not have serious authentication.  Others have stronger methods
> of authentication and restrictions.
> 
> Bill


This sounds like a good option as well, but how do you prevent any user (maybe 
non-root) logged into the system from making calls to your XML-RPC server?