Run script as root from WebServer

Matias Surdi matiassurdi at
Tue Sep 23 09:35:41 UTC 2008

Bill Campbell escribió:
> On Tue, Sep 23, 2008, Mel wrote:
>> On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>>> The problem is that some of these scripts deal with configuration files
>>> and some other tasks that require root privileges.
>> There's 2 alternatives I have used:
>> 1) If the configuration files allow 'includes', then include a file that is 
>> writeable by the webuser. This will additionally allow you to restrict what 
>> the webserver can change in the config of this application. Note, that 
>> configuration files that are modifyable by root only, often are for a reason, 
>> so this does not improve the security of the service being configured, but it 
>> takes a fork() and sudo out of the mix.
>> 2) If the changes do not need to be immediate, then you can put it in a queue 
>> directory and run a script through root's cron that picks up the queue and 
>> runs the commands there in. You then have the opportunity to remove scripts 
>> before they are run or even build in authorization.
> Another option that we use is to have an XML-RPC server running
> as root on localhost, accessible from the web server.  This
> server is written using the standard python SimpleXMLRPCServer,
> and handles a limited number of procedures.  Some of these
> procedures, such as running ``make'' in the etc/postfix directory,
> do not have serious authentication.  Others have stronger methods
> of authentication and restrictions.
> Bill

This sounds as a good option also, but, How do you avoid any user (maybe 
non root) logged into the system to make calls to your xmlrpc server?

More information about the freebsd-questions mailing list