Date: Mon, 22 Sep 2008 15:39:32 -0700
From: Bill Campbell <freebsd@celestial.com>
To: freebsd-questions@freebsd.org
Subject: Re: Run script as root from WebServer
Message-ID: <20080922223932.GA23640@ayn.mi.celestial.com>
In-Reply-To: <200809230032.00517.fbsd.questions@rachie.is-a-geek.net>
References: <gb90gf$ev7$1@ger.gmane.org> <200809230032.00517.fbsd.questions@rachie.is-a-geek.net>

On Tue, Sep 23, 2008, Mel wrote:
>On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>
>> The problem is that some of these scripts deal with configuration files
>> and some other tasks that require root privileges.
>
>There's 2 alternatives I have used:
>1) If the configuration files allow 'includes', then include a file that is
>writeable by the webuser. This will additionally allow you to restrict what
>the webserver can change in the config of this application. Note, that
>configuration files that are modifiable by root only, often are for a reason,
>so this does not improve the security of the service being configured, but it
>takes a fork() and sudo out of the mix.
>
>2) If the changes do not need to be immediate, then you can put it in a queue
>directory and run a script through root's cron that picks up the queue and
>runs the commands therein. You then have the opportunity to remove scripts
>before they are run or even build in authorization.

Another option that we use is to have an XML-RPC server running as root on
localhost, accessible from the web server. This server is written using the
standard python SimpleXMLRPCServer, and handles a limited number of
procedures.

Some of these procedures, such as running ``make'' in the etc/postfix
directory, do not have serious authentication. Others have stronger methods
of authentication and restrictions.

Bill
--
INTERNET:   bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

It would be a great improvement if the government respected individuals
rights as much as they respect the rights of the caribous.
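
Added example, not part of the message above and not the poster's server: a sketch of the root-side XML-RPC helper it describes, using Python 3's xmlrpc.server (the current home of SimpleXMLRPCServer). The procedure names, the /usr/local/etc/postfix path, the port, the token and the reload_service procedure are assumptions made for illustration.

```python
import hmac
import subprocess
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Fixed argv and working directory per procedure. Callers pick a name only;
# nothing they send ever reaches a command line or a shell.
COMMANDS = {
    "postfix_make": (["make"], "/usr/local/etc/postfix"),          # assumed path
    "reload_service": (["service", "postfix", "reload"], "/"),     # hypothetical
}
NEEDS_TOKEN = {"reload_service"}      # procedures with the stronger check
TOKEN = "constructed-sample-token"    # assumption: read from a root-only file


def run_procedure(name, token="", runner=subprocess.run):
    """Run one allow-listed command as the server's user (root)."""
    if name not in COMMANDS:
        raise ValueError("unknown procedure")
    if name in NEEDS_TOKEN and not hmac.compare_digest(
            str(token).encode(), TOKEN.encode()):
        raise PermissionError("authentication failed")
    argv, cwd = COMMANDS[name]
    proc = runner(argv, cwd=cwd, capture_output=True, text=True,
                  timeout=60, check=False)
    return {"rc": proc.returncode, "out": proc.stdout[-2000:]}


class Handler(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/RPC2",)            # reject every other URL path


def build_server(port=8765):          # port is an assumption
    # Loopback only. Any local user can still connect, so procedures
    # without a token must be harmless when called by anyone on the host.
    server = SimpleXMLRPCServer(("127.0.0.1", port), requestHandler=Handler)
    server.register_function(lambda: run_procedure("postfix_make"),
                             "postfix_make")
    server.register_function(lambda token: run_procedure("reload_service", token),
                             "reload_service")
    return server


if __name__ == "__main__":
    build_server().serve_forever()
```

Exceptions raised by run_procedure reach the web-server side as XML-RPC faults, so a rejected call never runs a command.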