From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Matias Surdi
Cc: freebsd-questions@freebsd.org
Date: Mon, 22 Sep 2008 14:25:49 -0700
Subject: Re: Run script as root from WebServer
Message-ID: <20080922212549.GH66228@hal.rescomp.berkeley.edu>
Organization: RSSP-IT, UC Berkeley

Matias Surdi wrote:
> I'm using mod_python3 and apache22 to create some scripts and access them
> through a web interface.
>
> The problem is that some of these scripts deal with configuration files and
> some other tasks that require root privileges.
>
> In the past, I've solved this issue by using sudo and allowing just the
> commands I want to allow in the sudoers file to the apache user. But I'm
> wondering if this is the better way to do what I want to do.
>
> What would you do in such a situation?

I think sudo is pretty much _the_ way to accomplish this. Not that it would be your only option per se, but I think it's definitely your best option.

We maintain a number of scripts that serve very restricted purposes for the use of our web user with sudo.

    www WIFIROUTERS = (root) NOPASSWD: WIRELESS

This allows the www user to run the wireless connection setup/teardown scripts as root without typing a password on wireless routers. We use this to allow a transparent proxy web-app to move the user to the "authenticated" firewall context.

Our sudoers file (shared across roughly 100 machines) is littered with other examples ranging from allowing users to sa-learn in mailman to nagios monitoring and remote sync jobs for DNS/DHCP.
--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
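An added example, not code from this thread or from either poster's systems: a minimal allow-list wrapper showing how a web handler can invoke one root-only script through a sudoers rule like the one above without ever handing user input to a shell. The helper path /usr/local/sbin/wireless-ctl and the sudoers lines in the docstring are hypothetical placeholders.

```python
"""Allow-list wrapper for calling a privileged helper via sudo from a web app.

Assumed (hypothetical) sudoers rule granting the web user exactly one command:

    Cmnd_Alias WIRELESS = /usr/local/sbin/wireless-ctl
    www ALL = (root) NOPASSWD: WIRELESS

The handler maps a fixed action name to a fixed argv list and validates the
single variable argument (a client IP) before calling sudo non-interactively.
"""
import ipaddress
import subprocess

# Placeholder path of the helper that the sudoers rule permits.
WIRELESS_CTL = "/usr/local/sbin/wireless-ctl"

# Closed set of actions the web app may request; anything else is refused.
ACTIONS = {"up", "down"}


def build_command(action, client_ip):
    """Return the argv list for sudo, or raise ValueError on bad input."""
    if action not in ACTIONS:
        raise ValueError("unknown action: %r" % (action,))
    # Parse instead of pattern-matching: rejects shell metacharacters,
    # leading dashes (which would become options) and anything that is not
    # a plain IPv4/IPv6 address.
    ip = ipaddress.ip_address(client_ip.strip())
    # -n: never prompt. If sudoers does not allow this exact command, sudo
    # fails immediately instead of leaving the web worker waiting for input.
    return ["sudo", "-n", WIRELESS_CTL, action, str(ip)]


def is_allowed(action, client_ip):
    """True if the request would be forwarded to sudo, False otherwise."""
    try:
        build_command(action, client_ip)
    except ValueError:
        return False
    return True


def run_action(action, client_ip):
    """Validate input, then run the privileged helper; return its exit code."""
    argv = build_command(action, client_ip)
    # No shell=True: argv goes straight to execve, so no word splitting or
    # metacharacter interpretation happens between the web app and sudo.
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return completed.returncode
```

Pair this with `Defaults requiretty` left off for the www user (sudo is not run from a terminal) and log sudo's output, which is where a denied command will be reported.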