Run script as root from WebServer
Bill Campbell
freebsd at celestial.com
Mon Sep 22 22:39:33 UTC 2008

On Tue, Sep 23, 2008, Mel wrote:
>On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>
>> The problem is that some of these scripts deal with configuration files
>> and some other tasks that require root privileges.
>
>There are 2 alternatives I have used:
>1) If the configuration files allow 'includes', then include a file that is
>writeable by the webuser. This will additionally allow you to restrict what
>the webserver can change in the config of this application. Note that
>configuration files that are modifiable by root only, often are for a reason,
>so this does not improve the security of the service being configured, but it
>takes a fork() and sudo out of the mix.
>
>2) If the changes do not need to be immediate, then you can put it in a queue
>directory and run a script through root's cron that picks up the queue and
>runs the commands therein. You then have the opportunity to remove scripts
>before they are run or even build in authorization.

Another option that we use is to have an XML-RPC server running
as root on localhost, accessible from the web server. This
server is written using the standard python SimpleXMLRPCServer,
and handles a limited number of procedures. Some of these
procedures, such as running ``make'' in the etc/postfix directory,
do not have serious authentication. Others have stronger methods
of authentication and restrictions.

Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
It would be a great improvement if the government respected individuals'
rights as much as they respect the rights of the caribous.
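
A sketch of the localhost XML-RPC helper described in the message above, added here as an example and not taken from the poster's code. The directory path, the shared secret, the port, and the `lock_account` procedure are hypothetical placeholders; the token check is one assumed form of the "stronger methods of authentication".

```python
import hmac
import re
import subprocess
from xmlrpc.server import SimpleXMLRPCServer

# Placeholder values for illustration; none of these come from the original post.
POSTFIX_DIR = "/path/to/etc/postfix"
SHARED_SECRET = b"replace-with-secret-read-from-a-root-only-file"
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,30}")


class RootHelper:
    """Procedures exposed over XML-RPC. Each runs one fixed argv, never a shell."""

    def __init__(self, run=subprocess.run):
        self._run = run  # injectable so the logic can be exercised without root

    def rebuild_postfix_maps(self):
        # Low-risk procedure: takes no caller input, so it runs without a token.
        return self._run(["make"], cwd=POSTFIX_DIR, check=False).returncode

    def lock_account(self, token, username):
        # Higher-risk procedure (hypothetical): needs the secret and a strict name.
        if not hmac.compare_digest(str(token).encode(), SHARED_SECRET):
            raise PermissionError("bad token")
        # The pattern forbids a leading '-', so the name cannot become an option.
        if not USERNAME_RE.fullmatch(str(username)) or username == "root":
            raise ValueError("username rejected")
        return self._run(["pw", "lock", username], check=False).returncode


def make_server(helper, port=8765):
    # Loopback only: the web server reaches it, remote hosts cannot.
    server = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=True)
    # Explicit allow-list: only these two names are callable over XML-RPC.
    server.register_function(helper.rebuild_postfix_maps)
    server.register_function(helper.lock_account)
    return server


if __name__ == "__main__":
    make_server(RootHelper()).serve_forever()
```

Any local process can connect to a loopback port, so a procedure that takes caller input checks a token before running anything as root.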