From: "Peter Boosten"
To: "Steve Bertrand"
Cc: Olivier Nicole, freebsd-questions@freebsd.org
Date: Thu, 29 Nov 2007 07:34:42 +0100 (CET)
Subject: Re: Secure remote shell

On Thu, November 29, 2007 06:23, Steve Bertrand wrote:
>> What other solution would you suggest to execute a shell remotely as
>> root, that could be automated in a script (no password required).
>
> - have information input into browser
> - have web server save information to server disk in non-executable format
> - have script (or admin) authenticate/authorize commands to be performed
>   (recommend doing this manually for a while to ensure you capture as many
>   escape type bugs as possible)
> - have commands via another script scrubbed/cleaned/tested
> - have cron perform commands at every X minutes
>

I once wrote a script for allowing certain persons to add user accounts on
a box: they just had to create a csv file in a certain place on disk with
a certain name, something like this:

loginname;Full Name;action

where action would be: C (for create new user), D (for delete user), M for
creating a new pair of ssh keys.

A shell script executed from cron every half hour would then pick up that
file and do whatever actions specified in that script.

In the case of OP that file could be created (and transported through ssh)
by the user the web server runs with, while the local root account (if
applicable - in case of LDAP that isn't necessary anyway) does its
thing...

Peter

-- 
http://www.boosten.org
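
The following is an added example, not Peter's script and not part of the original message: a validator for the `loginname;Full Name;action` request file, run before a root cron job acts on anything the web server user wrote. The allowed character sets, the length limits and the deny list of system accounts are assumptions. The script only reports decisions and runs no account commands.

```shell
#!/bin/sh
# Added example (not Peter's script). Field rules and deny list are assumptions.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# validate_request LINE: print "ACTION login", return 0; return 1 on any violation.
validate_request() {
    line=$1
    # Exactly three fields, i.e. exactly two semicolons.
    case $line in
        *\;*\;*\;*) return 1 ;;
        *\;*\;*) ;;
        *) return 1 ;;
    esac
    login=${line%%;*}; rest=${line#*;}
    fullname=${rest%%;*}; action=${rest#*;}

    # Login: lowercase letter first, then only [a-z0-9_-], at most 16 chars.
    case $login in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
        root|toor|daemon|operator|bin|www|nobody) return 1 ;;  # system accounts
    esac
    [ "${#login}" -le 16 ] || return 1

    # Full name: letters, digits, space, dot, hyphen; no ':' or shell metacharacters.
    case $fullname in
        ''|*[!A-Za-z0-9\ .-]*) return 1 ;;
    esac
    [ "${#fullname}" -le 64 ] || return 1

    # Action: only the three letters the message defines.
    case $action in
        C|D|M) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$action" "$login"
}

# process_requests FILE: one "OK ACTION login" or "REJECT line N" per input line.
process_requests() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        if out=$(validate_request "$l"); then
            echo "OK $out"
        else
            echo "REJECT line $n"
        fi
    done < "$1"
}
```

Only lines reported as OK would be handed to the privileged step; rejected lines are worth logging, since the file is written by a less trusted account.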