Re: [Hampshire] Running a script that needs to do a rooty thing
On 26/11/10 21:04, Vic wrote:
>> It would be daft to make www-data a sudoer and I'm not sure how I would do that anyway. Any ideas on how to achieve this, or alternatives?
>
> Factor out the couple of bits that need root privilege, and put them in their own scripts. Make those scripts executable only by the www-data user, and then make them setuid. Your main script can then run with reduced privilege, and call the setuid ones as necessary.

You probably won't be able to do this, setuid scripts are usually blocked by the OS. It'd be difficult to write a setuid script securely as environment variables (e.g. PATH, LD_LIBRARY_PATH) could be used to make the script run all sorts of things the author didn't intend. apachectl itself is also a script, so might also be susceptible to attack.

On 26/11/10 18:15, Victor Churchill wrote:
> It would be daft to make www-data a sudoer and I'm not sure how I would do that anyway. Any ideas on how to achieve this, or alternatives?

I'd strongly recommend using sudo, it isn't daft. It's really easy to configure, it gives you auditing via syslog and should run the command in a secure environment out of the box.

Add a line to the bottom of /etc/sudoers similar to:

    www-data ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful

The www-data user will be able to only run the single command with the exact set of arguments given. Then just run

    sudo apachectl graceful

from your script.

Cheers,

--
Dominic Cleal
domi...@computerkb.co.uk

--
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--
Re: [Hampshire] Running a script that needs to do a rooty thing
On 26/11/10 21:43, Dominic Cleal wrote:
> It'd be difficult to write a setuid script securely as environment variables (e.g. PATH, LD_LIBRARY_PATH) could be used to make the script run all sorts of things the author didn't intend.

Small correction: apparently LD_* type variables are ignored on setuid binaries anyway, or you'd have the same issues... dangerous stuff anyway :-)

--
Dominic Cleal
domi...@computerkb.co.uk
Re: [Hampshire] Running a script that needs to do a rooty thing
Thanks to all. Looks like a restricted sudo will be the way to go. I will give that a try, I'm pretty confident it should do what's required.
Re: [Hampshire] Running a script that needs to do a rooty thing
Hi Victor,

On Fri, Nov 26, 2010 at 06:15:22PM +, Victor Churchill wrote:
> I have been asked to make a Perl script that does some stuff with Apache's config (adds a virtual host) and then does an apache2ctl graceful to tell Apache to re-read its config files.

I concur with Dominic's response.

Just as an aside, and I realise you may have thought of this already.. I would recommend doing apache2ctl configtest after your script has done its editing so you can tell that the config you've written does parse. If it doesn't then you could have your script back out its changes.

Also what you're doing is configuration management so it might be worth looking at bcfg2, cfengine, puppet or similar to check you're not reinventing any wheels.

Cheers,
Andy

--
I have just recently purchased a Feathercraft Big Kahuna kayak does it have a heater? Of course not. Everyone knows you can't have your kayak and heat it. -- James Fidell
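
The sequence the thread arrives at (write the vhost, run configtest, back out on failure, then do the sudo-restricted graceful), as an added example that is not part of any poster's message. The function name, the SITES_DIR default and a second sudoers entry permitting `/usr/sbin/apachectl configtest` for www-data are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: the SITES_DIR default, the deploy_vhost name, and a second
# sudoers entry allowing www-data to run "/usr/sbin/apachectl configtest".
SITES_DIR="${SITES_DIR:-/etc/apache2/sites-enabled}"
# Absolute path to apachectl; sudo -n fails instead of prompting for a password.
APACHECTL="${APACHECTL:-sudo -n /usr/sbin/apachectl}"

# deploy_vhost NAME CANDIDATE_FILE
# returns 0 reloaded, 1 config rejected and backed out, 2 bad name, 3 I/O error
deploy_vhost() {
    name=$1
    candidate=$2
    # The name becomes a file name under SITES_DIR: allow only hostname
    # characters so it cannot contain "/" or start with a dot.
    case $name in
        ''|.*|*[!A-Za-z0-9.-]*) echo "bad vhost name" >&2; return 2 ;;
    esac
    target="$SITES_DIR/$name.conf"
    backup=""
    if [ -e "$target" ]; then
        # Keep the backup outside SITES_DIR so Apache never parses it.
        backup=$(mktemp) || return 3
        cp -p "$target" "$backup" || return 3
    fi
    cp "$candidate" "$target" || return 3

    if ! $APACHECTL configtest >/dev/null 2>&1; then
        # Back out: restore the previous file, or remove the new one.
        if [ -n "$backup" ]; then
            cp -p "$backup" "$target" && rm -f "$backup"
        else
            rm -f "$target"
        fi
        echo "configtest failed, change backed out" >&2
        return 1
    fi
    if [ -n "$backup" ]; then rm -f "$backup"; fi
    # Only a configuration that parsed reaches the privileged reload.
    $APACHECTL graceful
}
```

Because sudo matches the exact command and arguments, each apachectl subcommand the script runs needs its own sudoers entry.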