Ryan wrote:

> I would like to create some web pages/scripts (probably using PHP since I
> use it for a lot of other things) to assist me in administering my linux
> machine. What are some ways that I can execute certain administrative
> commands (such as ifconfig,iwconfig,route,scripts in my /etc/init.d/
> directory, etc...) as root?
>
> I'm fairly familiar with the different access-control methods available to
> me to restrict access to these pages. I will definitely be using SSL with
> a self-signed certificate. I'm just not sure how to get my web server
> (which doesn't run as root and I want to keep it that way) to execute
> these commands with superuser privileges.

If you're absolutely determined to provide root access via a web server, it would be a good idea to run a completely separate httpd process for this purpose, rather than adding the functionality to a "public" web server.

The secure server should only accept SSL (https) connections, and should not include any functionality (e.g. modules) which aren't essential for the intended purpose. It should have completely separate ServerRoot and DocumentRoot directories from the normal server. Any additional restrictions which can reasonably be imposed (e.g. source IP address) should be.

As to the specific question of how to perform operations which require root privilege from a server that isn't running as root, you basically have two options.

1. Forward the requests to another process which is running as root.

2. The Unix Set-UID mechanism.

In this situation, I suspect that option 2 would be preferable, as there is more scope for a process to perform validation checks upon its parent process than upon the other end of a communication channel.

Specifically, look into the SuEXEC module; this is intended for a very similar purpose (allowing CGIs to run with a UID which differs from that of the web server). However, one of its security features is that it refuses to run as root, so you would have to remove this check if you wish to use it for this purpose.

--
Glynn Clements <[EMAIL PROTECTED]>
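
A sketch of the Set-UID approach described in the reply above, as an added example that is not part of the original message and is not suEXEC's code: a root-owned setuid helper that checks the real UID of its caller and runs only actions from a fixed table. The UID 33, the action names and the command paths are assumptions chosen for illustration.

```c
/* Added example, not from the original post: skeleton of a setuid-root helper.
 * Assumptions: the dedicated admin httpd runs as UID 33; action names and
 * command paths are illustrative and must match the local system. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define HTTPD_UID 33 /* assumed UID of the dedicated admin web server */

struct action { const char *name; char *const argv[4]; };

/* Fixed allowlist: a request selects an entry, it never supplies a path or arguments. */
static const struct action ACTIONS[] = {
    { "show-ifaces", { "/sbin/ifconfig", "-a", NULL } },
    { "show-routes", { "/sbin/route", "-n", NULL } },
};

/* Return the allowlisted action called name, or NULL if it is not listed. */
const struct action *find_action(const char *name) {
    if (name == NULL) return NULL;
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0) return &ACTIONS[i];
    return NULL;
}

/* Validation of the parent: only the web server account may invoke the helper. */
int caller_permitted(uid_t real_uid) { return real_uid == HTTPD_UID; }

int main(int argc, char **argv) {
    /* Fresh environment: nothing inherited from the CGI process. */
    static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    const struct action *a;

    if (!caller_permitted(getuid())) { /* real UID is that of the invoking process */
        fprintf(stderr, "refused: caller uid %d\n", (int)getuid());
        return 1;
    }
    if (argc != 2 || (a = find_action(argv[1])) == NULL) {
        fprintf(stderr, "refused: unknown action\n");
        return 1;
    }
    if (setuid(0) != 0) { /* succeeds only if the binary is root-owned and setuid */
        perror("setuid");
        return 1;
    }
    execve(a->argv[0], a->argv, clean_env); /* absolute path, fixed arguments */
    perror("execve");
    return 1;
}
```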
