Run script as root from WebServer
Matias Surdi
matiassurdi at gmail.com
Tue Sep 23 09:35:41 UTC 2008
Bill Campbell wrote:
> On Tue, Sep 23, 2008, Mel wrote:
>> On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>>
>>> The problem is that some of these scripts deal with configuration files
>>> and some other tasks that require root privileges.
>> There are 2 alternatives I have used:
>> 1) If the configuration files allow 'includes', then include a file that is
>> writeable by the webuser. This will additionally allow you to restrict what
>> the webserver can change in the config of this application. Note, that
>> configuration files that are modifiable by root only, often are for a reason,
>> so this does not improve the security of the service being configured, but it
>> takes a fork() and sudo out of the mix.
>>
>> 2) If the changes do not need to be immediate, then you can put it in a queue
>> directory and run a script through root's cron that picks up the queue and
>> runs the commands therein. You then have the opportunity to remove scripts
>> before they are run or even build in authorization.
>
> Another option that we use is to have an XML-RPC server running
> as root on localhost, accessible from the web server. This
> server is written using the standard python SimpleXMLRPCServer,
> and handles a limited number of procedures. Some of these
> procedures, such as running ``make'' in the etc/postfix directory,
> do not have serious authentication. Others have stronger methods
> of authentication and restrictions.
>
> Bill
This sounds like a good option also, but how do you avoid any user (maybe
non-root) logged into the system making calls to your xmlrpc server?
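
Added example, not part of the original thread: one way to keep other local users away from a root-run XML-RPC helper like the one described above is to serve it on a Unix-domain socket whose file permissions admit only root and the web server's group, and to register only an explicit allowlist of procedures. The class names, the `gid` parameter, the socket path and the procedure names are hypothetical, and the sketch assumes the OS enforces file permissions on Unix sockets (FreeBSD and Linux do).

```python
import http.client, os, socket, socketserver, xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher, SimpleXMLRPCRequestHandler

class Handler(SimpleXMLRPCRequestHandler):
    disable_nagle_algorithm = False      # TCP_NODELAY is invalid on AF_UNIX

    def address_string(self):            # AF_UNIX peers have no host/port
        return "unix-socket"

class UnixXMLRPCServer(socketserver.UnixStreamServer, SimpleXMLRPCDispatcher):
    """XML-RPC server reachable only through a permission-restricted socket file."""

    def __init__(self, path, procedures, gid=None, mode=0o660):
        self.logRequests = False
        SimpleXMLRPCDispatcher.__init__(self, allow_none=True)
        old_umask = os.umask(0o177)      # socket is created 0600, so there is
        try:                             # no window where anyone can connect
            socketserver.UnixStreamServer.__init__(self, path, Handler)
        finally:
            os.umask(old_umask)
        if gid is not None:              # hypothetical: the web server's group id
            os.chown(path, -1, gid)
        os.chmod(path, mode)             # owner and group only, no "other" access
        for name, func in procedures.items():   # explicit allowlist, nothing else
            self.register_function(func, name)

class UnixTransport(xmlrpc.client.Transport):
    """Client side: speak XML-RPC over the Unix socket instead of TCP."""

    def __init__(self, path):
        super().__init__()
        self.path = path

    def make_connection(self, host):
        conn = http.client.HTTPConnection("localhost")   # host is unused
        conn.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        conn.sock.connect(self.path)     # fails with EACCES for other users
        return conn

def client(path):
    """Return a proxy the web application would use to call the helper."""
    return xmlrpc.client.ServerProxy("http://localhost/",
                                     transport=UnixTransport(path))
```

A user outside the socket's owner and group gets a permission error on `connect()`, before any XML-RPC request is parsed.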