From owner-freebsd-questions@FreeBSD.ORG Mon Sep 22 22:39:33 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 085C41065670 for ; Mon, 22 Sep 2008 22:39:33 +0000 (UTC) (envelope-from bill@ayn.mi.celestial.com) Received: from ayn.mi.celestial.com (hayek.celestial.com [192.136.111.12]) by mx1.freebsd.org (Postfix) with ESMTP id D0FFC8FC13 for ; Mon, 22 Sep 2008 22:39:32 +0000 (UTC) (envelope-from bill@ayn.mi.celestial.com) Received: from localhost (localhost [127.0.0.1]) by ayn.mi.celestial.com (Postfix) with ESMTP id 5EE2868BA6800; Mon, 22 Sep 2008 15:39:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at mi.celestial.com Received: from ayn.mi.celestial.com ([127.0.0.1]) by localhost (ayn.mi.celestial.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 5ZACAO4c53gN; Mon, 22 Sep 2008 15:39:32 -0700 (PDT) Received: by ayn.mi.celestial.com (Postfix, from userid 203) id 40B65686147DE; Mon, 22 Sep 2008 15:39:32 -0700 (PDT) Date: Mon, 22 Sep 2008 15:39:32 -0700 From: Bill Campbell To: freebsd-questions@freebsd.org Message-ID: <20080922223932.GA23640@ayn.mi.celestial.com> Mail-Followup-To: freebsd-questions@freebsd.org References: <200809230032.00517.fbsd.questions@rachie.is-a-geek.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200809230032.00517.fbsd.questions@rachie.is-a-geek.net> User-Agent: Mutt/1.5.18 OpenPKG/% (2008-05-17) Subject: Re: Run script as root from WebServer X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd@celestial.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Sep 2008 22:39:33 -0000 On Tue, Sep 23, 2008, Mel wrote: >On Monday 22 September 2008 22:51:26 Matias Surdi wrote: > >> The problem is that some of these scripts deal with configuration files >> and some other tasks that require root privileges. > >There's 2 alternatives I have used: >1) If the configuration files allow 'includes', then include a file that is >writeable by the webuser. This will additionally allow you to restrict what >the webserver can change in the config of this application. Note, that >configuration files that are modifyable by root only, often are for a reason, >so this does not improve the security of the service being configured, but it >takes a fork() and sudo out of the mix. > >2) If the changes do not need to be immediate, then you can put it in a queue >directory and run a script through root's cron that picks up the queue and >runs the commands there in. You then have the opportunity to remove scripts >before they are run or even build in authorization. Another option that we use is to have an XML-RPC server running as root on localhost, accessible from the web server. This server is written using the standard python SimpleXMLRPCServer, and handles a limited number of procedures. Some of these procedures, such as running ``make'' in the etc/postfix directory, do not have serious authentication. Others have stronger methods of authentication and restrictions. Bill -- INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax: (206) 232-9186 It would be a great improvement if the government respected individuals rights as much as they respect the rights of the caribous.