Date: Thu, 29 Nov 2007 07:34:42 +0100 (CET)
From: "Peter Boosten" <peter@boosten.org>
To: "Steve Bertrand" <iaccounts@ibctech.ca>
Cc: Olivier Nicole <on@cs.ait.ac.th>, freebsd-questions@freebsd.org
Subject: Re: Secure remote shell
Message-ID: <57441.212.159.200.167.1196318082.squirrel@www.boosten.org>
In-Reply-To: <474E4CE1.6060809@ibctech.ca>
References: <200711290428.lAT4SOLd065598@banyan.cs.ait.ac.th> <474E4CE1.6060809@ibctech.ca>

On Thu, November 29, 2007 06:23, Steve Bertrand wrote:
>> What other solution would you suggest to execute a shell remotely as
>> root, that could be automated in a script (no password required).
>
> - have information input into browser
> - have web server save information to server disk in non-executable format
> - have script (or admin) authenticate/authorize commands to be performed
>   (recommend doing this manually for a while to ensure you capture as many
>   escape type bugs as possible)
> - have commands via another script scrubbed/cleaned/tested
> - have cron perform commands at every X minutes
>

I once wrote a script for allowing certain persons to add user accounts on
a box: they just had to create a csv file in a certain place on disk with
a certain name, something like this:

loginname;Full Name;action

where action would be: C (for create new user), D (for delete user), M for
creating a new pair of ssh keys.

A shell script executed from cron every half hour would then pick up that
file and do whatever actions specified in that script.

In the case of OP that file could be created (and transported through ssh)
by the user the web server runs with, while the local root account (if
applicable - in case of LDAP that isn't necessary anyway) does its
thing...

Peter

--
http://www.boosten.org
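
The validation step a root cron job needs before acting on the `loginname;Full Name;action` file described above, as an added example that is not part of the original message or Peter's script. The function names, field rules, length limit and protected-account list are assumptions, and the output is a dry-run plan rather than real account changes.

```sh
#!/bin/sh
# Added example: treat each request line as untrusted input, because the file
# is written by the unprivileged web-server user but consumed by root.
LC_ALL=C; export LC_ALL                     # byte-wise [a-z] ranges in patterns
PROTECTED="root toor daemon operator bin www nobody"    # assumed deny-list

# validate_request LINE: print "<verb> <login>" and return 0, or return 1.
validate_request() {
    line=$1
    case $line in                           # exactly three ';'-separated fields
        *\;*\;*\;*) return 1 ;;
        *\;*\;*)    ;;
        *)          return 1 ;;
    esac
    login=${line%%;*};    rest=${line#*;}
    fullname=${rest%%;*}; action=${rest#*;}
    case $login in                          # lowercase start, then [a-z0-9_-]
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#login}" -le 16 ] || return 1      # assumed maximum login length
    case $fullname in                       # allow-list: no shell or passwd metacharacters
        ''|*[!A-Za-z0-9' '.-]*) return 1 ;;
    esac
    case " $PROTECTED " in *" $login "*) return 1 ;; esac
    case $action in                         # only the three actions from the message
        C) echo "create $login" ;;
        D) echo "delete $login" ;;
        M) echo "newkeys $login" ;;
        *) return 1 ;;
    esac
}

# process_requests: read request lines on stdin and print the accepted plan.
# Rejected lines are reported by number only, so hostile content never
# reaches the log.
process_requests() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        if plan=$(validate_request "$line"); then
            echo "OK $plan"
        else
            echo "REJECT line $n" >&2
        fi
    done
}

# Constructed sample input, not taken from the original message.
process_requests <<'EOF'
alice;Alice Example;C
bob;Bob $(id);C
EOF
```

Only the fixed verb and the validated login leave the function, so the full name never reaches a command line built by the root job.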