This is kind of my point.  Webmin runs as root or at least executes commands
as root.  With Webmin you have access granted or denied by use of a login
mechanism.  I can use a login mechanism on apache to do the same granting or
denial.  So why wouldn't I be able to get apache to do the same?  Is
webmin's server more secure in some way than Apache?  The problem I have
with Webmin is that I write most of my code in php which is not supported by
Webmin (or at least last I checked) and I'd rather use Apache.  My ultimate
goal is making system changes to effect modifications to IPSEC from
FreeS/WAN.  This requires that I restart the network service, then turn ip
forwarding back on afterwards, and then restart the ipsec service which all
point to running apache as root.  (or writing everything in perl and using
Webmin)

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Jeff Kinz
Sent: Friday, March 28, 2003 9:02 AM
To: [EMAIL PROTECTED]
Subject: Re: iptables access

Hey Chris - Please don't "Top Post"
> -----Original Message-----
> Is anyone familiar with the possibility of running iptables commands as a
> non-root user?  I am trying to execute commands from a web page without
> running apache as root or going through reconfiguration of apache to allow
> it to su root.  It seems it would be easier to be able to allow a user
> access to iptables commands.
>
> Larry S. Brown
On Fri, Mar 28, 2003 at 10:17:57AM +0100, christopher cuse wrote:
> hi larry,
>
> it is hard to imagine for what reason you would want to have apache be able
> to su to root -- this could/would spell disaster in a production environment
> and should be discouraged. iptables access from a non-root user as well is
> exceptionally dangerous -- one command could render the network inoperable.
>
> apache has very robust security, so you should attempt your project within
> the confines of apache.
>
> curious what exactly you have in mind ...
Yes, Larry - what do you want apache to do? There is probably a better
way to accomplish it rather than having apache become root. :-)

One option, if apache absolutely must become root is to use the "sudo" command
and restrict apache to a single special purpose script that does only the
exact and specific thing you need.

If you are trying to use apache to administer a Linux box remotely I suggest
looking at the "Webmin" package which allows you to do that and which you can
add scripts to to extend the functionality.


Webmin is extremely cool and useful even if only used as a local
administration tool.

--
Jeff Kinz, Open-PC, Emergent Research,  Hudson, MA.  [EMAIL PROTECTED]
copyright 2003.  Use is restricted. Any use is an
acceptance of the offer at http://www.kinz.org/policy.html.



--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
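
Added example, not part of the original thread: a sketch of the "sudo plus a single special purpose script" option applied to the three steps described at the top of the thread (restart network, re-enable IP forwarding, restart ipsec). The script path, the `apache` user name, the `reload-ipsec` action word, the `DRY_RUN` switch and the service names are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as /usr/local/sbin/ipsec-admin, owned by
# root and not writable by the web server user.
#
# Constructed sudoers entry (edit with visudo). The web server user, assumed
# here to be "apache", may run this one script with this one argument:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/ipsec-admin reload-ipsec
#
# The PHP page would then call: sudo /usr/local/sbin/ipsec-admin reload-ipsec

# Fixed PATH so the commands below cannot be replaced via the caller's PATH.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The three steps from the thread, in order, stopping at the first failure.
# Service names "network" and "ipsec" are assumed from the description.
reload_ipsec() {
    run service network restart &&
    run sysctl -w net.ipv4.ip_forward=1 &&
    run service ipsec restart
}

# dispatch ARG...: accept exactly one known action word. Nothing supplied by
# the web page is ever passed on to a command line.
dispatch() {
    if [ "$#" -ne 1 ]; then
        echo "usage: ipsec-admin reload-ipsec" >&2
        return 2
    fi
    case "$1" in
        reload-ipsec) reload_ipsec ;;
        *) echo "ipsec-admin: refused unknown action" >&2; return 2 ;;
    esac
}

# Run only when an argument is given, so the file can also be sourced.
[ "$#" -eq 0 ] || dispatch "$@"
```

With this arrangement Apache itself keeps running unprivileged; the only thing it can do as root is trigger the fixed sequence above, and `DRY_RUN=1` prints that sequence without executing it.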



