From: Mel
To: freebsd-questions@freebsd.org
Cc: Matias Surdi
Date: Tue, 23 Sep 2008 00:32:00 +0200
Subject: Re: Run script as root from WebServer
Message-Id: <200809230032.00517.fbsd.questions@rachie.is-a-geek.net>

On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
> The problem is that some of these scripts deal with configuration files
> and some other tasks that require root privileges.

There are two alternatives I have used:

1) If the configuration files allow 'includes', then include a file that is writable by the webuser. This will additionally allow you to restrict what the webserver can change in the config of this application.
Note that configuration files that are modifiable by root only often are so for a reason, so this does not improve the security of the service being configured, but it takes a fork() and sudo out of the mix.

2) If the changes do not need to be immediate, then you can put it in a queue directory and run a script through root's cron that picks up the queue and runs the commands therein. You then have the opportunity to remove scripts before they are run or even build in authorization.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
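A root-side queue processor for the second alternative, added here as an example and not code from Mel or the original thread. It assumes a queue directory (/var/spool/webqueue) that only the web user can write to, hypothetical action names reload_service and add_vhost, and an Apache include file path; the "build in authorization" step is an allow-list of actions plus a strict argument check, so the web user can request work but never choose what runs as root.

```sh
#!/bin/sh
# Added example (not from the original post): root-side processor for the queue
# directory of alternative 2. The web user drops one "<action> <argument>" line
# per file into QUEUE_DIR (assumed /var/spool/webqueue); only allow-listed
# actions with a tightly restricted argument are ever executed as root.
ALLOWED="reload_service add_vhost"   # hypothetical action names

# Check one request line. Prints "action arg" if acceptable, otherwise returns 1.
validate_request() {
    line=$1
    action=${line%% *}
    arg=${line#* }
    [ "$action" != "$line" ] || return 1          # need "action<space>arg"
    case " $ALLOWED " in
        *" $action "*) ;;                         # exact allow-list match
        *) return 1 ;;
    esac
    case $arg in                                  # no metacharacters, slashes, spaces
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s %s\n' "$action" "$arg"
}

# Privileged handlers, one per allowed action (hypothetical; adapt to the real app).
reload_service() { service "$1" reload; }
add_vhost() {
    # Pairs with alternative 1: root appends to an include file the main config pulls in.
    printf 'ServerName %s\n' "$1" >> "${VHOST_INCLUDE:-/usr/local/etc/apache22/Includes/webqueue.conf}"
}

# Process every *.req in $1; executed requests move to done/, everything else to rejected/.
process_queue() {
    q=$1
    mkdir -p "$q/done" "$q/rejected"
    for f in "$q"/*.req; do
        [ -f "$f" ] && ! [ -L "$f" ] || continue  # skip symlinks and non-files
        IFS= read -r line < "$f" || :             # only the first line is considered
        if req=$(validate_request "$line") && "${req%% *}" "${req#* }"; then
            mv "$f" "$q/done/"
        else
            echo "webqueue: rejected $f: $line" >&2
            mv "$f" "$q/rejected/"
        fi
    done
}

# Cron entry point, e.g. "*/5 * * * * /usr/local/sbin/webqueue run" in root's crontab.
if [ "${1:-}" = "run" ]; then
    process_queue "${QUEUE_DIR:-/var/spool/webqueue}"
fi
```

Rejected requests stay in rejected/ for inspection, which is where the "remove scripts before they are run" review fits in.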