Hello Roland, hello all,
I would like to share my hack to lamdaemon.inc, which circumvents the whole
SSH-connection & superuser problem by simply running the lamdaemon command
through Apache. As Apache runs as the "wwwrun" user, I additionally allowed
wwwrun to run lamdaemon using sudo.
NOTE: this is for LAM 3.2.0!
--- lamdaemon.inc 2010-12-30 14:15:07.000000000 +0100
+++ lamdaemon.inc.orig 2010-10-28 21:02:43.000000000 +0200
@@ -40,10 +40,6 @@
*
*/
function lamdaemon($command, $server) {
- // Run lamdaemon locally without SSH through
- // Apache as user "wwwrun:www"
- return lamdaemonLocal($command, $server);
-
// remove the following line to restore SSH via PHP SSH2
return lamdaemonSeclib($command, $server);
if (!function_exists('ssh2_connect')) {
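Review bot: the file arguments are reversed (`---` is the modified lamdaemon.inc, `+++` is lamdaemon.inc.orig), so the `-` lines are in fact the additions and the patch as mailed applies backwards; regenerate it as `diff -u lamdaemon.inc.orig lamdaemon.inc` or note that it needs `patch -R`. The unconditional `return lamdaemonLocal($command, $server);` also makes everything after it unreachable, including `return lamdaemonSeclib($command, $server);` and the `ssh2_connect` branch, and it replaces lamdaemon's per-user SSH authentication with a single privileged path: every LAM user who reaches lamdaemon() now runs lamdaemon.pl as root through the web server account, so the LAM login and the LDAP ACLs become the only remaining control. This belongs behind a configuration switch rather than a hard-coded early return, and `$server` is no longer used by the new call and should be dropped or documented.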
@@ -151,11 +147,4 @@
}
}
-function lamdaemonLocal($command, $server) {
- $output = exec("sudo " . $_SESSION['config']->get_scriptPath() . ' ' .
escapeshellarg($command));
- $return = array($output);
- return $return;
-}
-
-
?>
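Review bot: `exec()` called without its `$output` parameter returns only the last line of the command's output and the exit status is never checked, so multi-line results and failures from lamdaemon.pl are silently dropped even though the surrounding code returns an array of output lines (which is why `$output` is wrapped in `array()`). Use `exec($cmd, $output, $status);`, return `$output` directly, and report a non-zero `$status` to the caller. The script path from `$_SESSION['config']->get_scriptPath()` is concatenated into the command line unquoted while only `$command` goes through `escapeshellarg()`; quote both. Note too that the continuation line `escapeshellarg($command));` has lost its leading `-` in the mail, so the hunk will not apply as shown.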
Now I added the lamdaemon.pl to /etc/sudoers:
-------
# wwwrun may run lamdaemon.pl
wwwrun pollux=NOPASSWD:/srv/www/htdocs/lam/lib/lamdaemon.pl
-------
where pollux is my server's hostname.
I don't know why this is not part of LAM itself, as it is the most natural way
to run a command on the local server. It could also be easily configured to
use a specific username (as an option to the sudo command).
Best regards,
Joschi
On Thursday 07 April 2011 11:01:42 Leopold Palomo-Avellaneda wrote:
> On Wednesday, 6 April 2011, Roland Gruber wrote:
> > Hi Leo,
> >
> > On 06.04.2011 17:57, Leopold Palomo-Avellaneda wrote:
> > >> LAM will always use the user that logged into LAM for lamdaemon.
> > >
> > > wishlist:
> > >
> > > add an option to configure this
> >
> > the main problem is the password.
> > Maybe it would be an option to use public keys.
>
> well, I have done two installations of lam. In the first one I configured
> it as you mentioned, and the LAM admin was a superuser on the ldap. Then I
> have to create a public key to make an ssh without password to execute the
> lamdaemon. So, I have no idea how to do it in a different way.
>
> > >> If you
> > >> use an LDAP account like cn=manager/admin that has no Unix part please
> > >> use an Unix user and update your LDAP ACLs to give him the same rights
> > >> as manager/admin.
> > >
> > > how? please could you advise me how to do it more or less?
> >
> > For OpenLDAP this is done in slapd.conf. Please see the documentation of
> > your LDAP server for details.
>
> ok, I know it, but for example in Debian squeeze the OpenLDAP is the 2.4.3
> and the conf files are very different, so no slapd.conf file.
>
> Regards,
>
> Leo
>
> > --
> >
> > Best regards
> >
> > Roland Gruber
> >
> >
> > LDAP Account Manager
> > http://www.ldap-account-manager.org/
> >
> > Want more? Get LDAP Account Manager Pro!
> > http://www.ldap-account-manager.org/lamcms/lamPro
>
------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
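The sudoers rule posted by Joschi lets the web server account run a script that lives inside the web document root with root privileges and no password. The check a practitioner would want before adding such a rule is that the account it is granted to cannot modify the target (or swap it out via a writable parent directory), because otherwise the rule is equivalent to unrestricted root for wwwrun. The following POSIX shell function is an added example written for this thread, not code from LAM or from the mail; it assumes only standard `find`, `stat`-free checks and `mktemp`, and the path and owner it is run with are the ones you pass in:

```shell
#!/bin/sh
# Added example (not part of LAM or of the mail above): verify that a script
# exposed through a sudoers NOPASSWD rule, such as
#   wwwrun pollux=NOPASSWD:/srv/www/htdocs/lam/lib/lamdaemon.pl
# cannot be altered or replaced by the unprivileged account that may run it.
#
# Usage: check_sudo_target /path/to/script [expected_owner]
# Returns 0 when the target looks safe, 1 otherwise; findings go to stderr.
check_sudo_target() {
    target=$1
    owner=${2:-root}
    rc=0

    if [ ! -f "$target" ]; then
        echo "FAIL: $target does not exist or is not a regular file" >&2
        return 1
    fi

    # The file must belong to the privileged account, never to the web user.
    if [ -n "$(find "$target" -prune ! -user "$owner" -print)" ]; then
        echo "FAIL: $target is not owned by $owner" >&2
        rc=1
    fi

    # Neither group nor others may write the script itself.
    if [ -n "$(find "$target" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "FAIL: $target is group- or world-writable" >&2
        rc=1
    fi

    # A world-writable containing directory lets anyone replace the file
    # (rename/unlink) without touching the file's own permission bits.
    dir=$(dirname "$target")
    if [ -n "$(find "$dir" -prune -perm -o+w -print)" ]; then
        echo "FAIL: directory $dir is world-writable" >&2
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $target is safe to expose via sudo" >&2
    fi
    return "$rc"
}

# Stand-alone demo on a constructed temporary file; no real sudoers is read.
demo_dir=$(mktemp -d)
demo_script="$demo_dir/lamdaemon.pl"
printf '#!/usr/bin/perl\nexit 0;\n' > "$demo_script"
me=$(id -un)   # the demo uses the current user as the expected owner

chmod 755 "$demo_script"
if check_sudo_target "$demo_script" "$me"; then :; fi   # expected: OK
chmod 777 "$demo_script"
if check_sudo_target "$demo_script" "$me"; then :; fi   # expected: FAIL
rm -rf "$demo_dir"
```

Run it against the real path with `check_sudo_target /srv/www/htdocs/lam/lib/lamdaemon.pl root` on the host before enabling the rule; because the script sits under the web root, also make sure the deployment process that updates LAM does not leave it writable by wwwrun.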