On 26/11/10 21:04, Vic wrote:
>> It would be daft to make www-data a sudoer and I'm not sure how I would do
>> that anyway. Any ideas on how to achieve this, or alternatives?
>
> Factor out the couple of bits that need root privilege, and put them in
> their own scripts. Make those scripts executable only by the www-data
> user, and then make them setuid.
>
> Your main script can then run with reduced privilege, and call the setuid
> ones as necessary.
You probably won't be able to do this; setuid scripts are usually blocked by the OS. It'd be difficult to write a setuid script securely, as environment variables (e.g. PATH, LD_LIBRARY_PATH) could be used to make the script run all sorts of things the author didn't intend. apachectl itself is also a script, so might also be susceptible to attack.

On 26/11/10 18:15, Victor Churchill wrote:
> It would be daft to make www-data a sudoer and I'm not sure how I
> would do that anyway. Any ideas on how to achieve this, or
> alternatives?

I'd strongly recommend using sudo; it isn't daft. It's really easy to configure, it gives you auditing via syslog and should run the command in a secure environment out of the box.

Add a line to the bottom of /etc/sudoers similar to:

    www-data ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful

The www-data user will only be able to run the single command with the exact set of arguments given. Then just run "sudo apachectl graceful" from your script.

Cheers,

-- 
Dominic Cleal
domi...@computerkb.co.uk
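A worked example of the sudo approach described in the reply above, added here and not part of the thread: a POSIX shell script that checks a sudoers rule is scoped to one absolute command with fixed arguments (rejecting ALL, wildcards and bare command names), writes it as a sudoers.d drop-in with the 0440 mode sudo expects, and wraps the single permitted call with `sudo -n` so a missing rule fails rather than prompting. The drop-in file name `www-data-apache`, the `rule_is_scoped` and `write_dropin` helpers, and the use of a caller-supplied directory in place of /etc/sudoers.d are assumptions of the example, not anything from the message.

```shell
#!/bin/sh
# Added example (not from the thread): scope-check the sudo rule from the
# message, install it as a sudoers.d drop-in, and call the one permitted
# command from a script. DIR stands in for /etc/sudoers.d so the helpers
# can run unprivileged; the drop-in name is an assumption of this example.

# The rule given in the message: one user, one absolute command, fixed arguments.
SUDOERS_RULE='www-data ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful'

# Assumed drop-in file name (sudoers.d skips names containing '.' or '~').
DROPIN_NAME='www-data-apache'

# rule_is_scoped RULE
# Returns 0 when the command part names an absolute path with literal
# arguments; 1 when it is ALL, contains a shell-style wildcard, or is a
# bare command name (which would be resolved through a search path instead
# of pinned to one binary).
rule_is_scoped() {
    spec=${1#*=}            # drop "user host =" prefix
    spec=${spec#*\)}        # drop the "(runas)" group, if any
    spec=${spec#*:}         # drop the NOPASSWD:/PASSWD: tag, if any
    spec=$(printf '%s' "$spec" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $spec in
        ALL|*'*'*|*'?'*) return 1 ;;   # everything, or pattern-matched args
        /*)              return 0 ;;   # absolute path, literal arguments
        *)               return 1 ;;   # bare command name
    esac
}

# write_dropin DIR RULE
# Refuses an unscoped rule, then writes RULE to DIR/$DROPIN_NAME with the
# 0440 mode sudo requires of sudoers files.
write_dropin() {
    dir=$1; rule=$2; file="$dir/$DROPIN_NAME"
    rule_is_scoped "$rule" || { echo "refusing unscoped rule: $rule" >&2; return 1; }
    umask 077                         # never leave the file world-readable
    rm -f "$file"
    printf '%s\n' "$rule" > "$file" || return 1
    chmod 0440 "$file"
}

# reload_apache
# The call the web script makes. -n makes sudo fail instead of prompting
# when no matching rule exists, so a misconfiguration shows up as a
# non-zero exit rather than a hung process; the absolute path and the
# argument match the rule exactly, which is all sudo will allow.
reload_apache() {
    sudo -n /usr/sbin/apachectl graceful
}

# Stand-alone demonstration: report whether the rule passes the scope check.
if rule_is_scoped "$SUDOERS_RULE"; then
    echo "scoped: $SUDOERS_RULE"
else
    echo "not scoped: $SUDOERS_RULE"
fi
```

Before relying on the drop-in on a real host, check its syntax with `visudo -cf /etc/sudoers.d/www-data-apache` and confirm the effective grant with `sudo -l -U www-data`; the audit trail the reply mentions is the syslog line sudo writes for each invocation, so a reload from the web script is visible there with the calling user, the command and its arguments.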