[PHP] apache (root) + php4

2005-09-03 Thread Michelle Konzack
Hello *,

For half an hour I was at a new customer and they run apache 1.3 as
root on an IntranetServer because they need to admin their Fileserver
via php.

Now some problems:

1)  They use exec(mcrypt ) to generate UNIX passwords for
    /etc/shadow and I would like to know how I can create suitable md5
    passwords for it from php.

2)  I would like to run apache as www-data and not as root.  How must I
    set up php/apache so that I can do root stuff, because I need to run

    exec("useradd -c $WA_COMMENT -d $WA_HOME_DIR  \
      -e $WA_EXPIRE_DATE -f $WA_INACTIVE_TIME \
      -g $WA_INITIAL_GROUP   -G $WA_GROUPS \
      -m -k $WA_SKELETON_DIR -s $WA_SHELL \
      -u $WA_UID -p $WA_PASS_MCRYPT $WA_LOGIN");

Thanks and nice weekend
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: [PHP] apache (root) + php4

2005-09-03 Thread Rory Browne
On 9/3/05, Michelle Konzack [EMAIL PROTECTED] wrote:
> Hello *,
>
> For half an hour I was at a new customer and they run apache 1.3 as
> root on an IntranetServer because they need to admin their Fileserver
> via php.
>
> Now some problems:
>
> 1)  They use exec(mcrypt ) to generate UNIX passwords for
>     /etc/shadow and I would like to know how I can create suitable md5
>     passwords for it from php.

I'm not totally sure on the format of the passwords in /etc/shadow,
but can you do anything with php's md5 function? If not, then perhaps
the mcrypt extension may do something for you.

 
> 2)  I would like to run apache as www-data and not as root.  How must I
>     set up php/apache so that I can do root stuff, because I need to run
>
>     exec("useradd -c $WA_COMMENT -d $WA_HOME_DIR  \
>       -e $WA_EXPIRE_DATE -f $WA_INACTIVE_TIME \
>       -g $WA_INITIAL_GROUP   -G $WA_GROUPS \
>       -m -k $WA_SKELETON_DIR -s $WA_SHELL \
>       -u $WA_UID -p $WA_PASS_MCRYPT $WA_LOGIN");

First of all you inform your client that they are insane. Running
apache as root is completely unnecessary.

To perform the above I'd use a combination of
suExec/suPHP/somethingLikeThat and sudo. I'd create a user called
webuserman (Web User Manager), or something like that, and have the
script run as webuserman. I'd change the useradd ... to sudo
useradd ..., and mod the /etc/sudoers file to allow the webuserman user
to call the useradd command as root (through sudo).

If you are a lazy bastard, with very little concern for security (which
it seems you're not), you could simply run the script as www-data, and
have sudo allow www-data to do an adduser. I would oppose this,
however, in that any php script would be able to use it.

Also make sure you escape your shell arguments. 


 
 Thanks and nice wekend
 Michelle
 
 --
 Linux-User #280138 with the Linux Counter, http://counter.li.org/
 Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
 0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)
 
 


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
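
Added example, not part of either post: one way to do what the reply describes (a dedicated account, sudo restricted to useradd, escaped shell arguments), together with an md5-crypt hash in the /etc/shadow format asked about in question 1. The function names, array keys, sample values, the useradd path in the sudoers comment and the use of PHP 7+ (rather than the thread's php4) are assumptions, and only a subset of the thread's useradd options is shown.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and a sudoers
// rule for the dedicated account, e.g. (useradd path is an assumption):
//   webuserman ALL=(root) NOPASSWD: /usr/sbin/useradd

// md5-crypt ($1$) hash in the format /etc/shadow stores.
function shadow_md5_hash(string $password): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
              . 'abcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($password, '$1$' . $salt . '$');
}

// Build the sudo useradd command line with every value shell-escaped.
function build_useradd_command(array $wa): string
{
    // Only plain account names: a login starting with "-" would
    // otherwise be parsed by useradd as an option.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $wa['login'])) {
        throw new InvalidArgumentException('invalid login name');
    }
    $args = [
        '-c', $wa['comment'],      '-d', $wa['home_dir'],
        '-g', $wa['group'],        '-m',
        '-k', $wa['skeleton_dir'], '-s', $wa['shell'],
        '-p', shadow_md5_hash($wa['password']),
        $wa['login'],
    ];
    return 'sudo useradd ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample input; the comment field carries shell metacharacters.
$cmd = build_useradd_command([
    'login' => 'jdoe', 'comment' => "O'Brien; echo injected \$(id)",
    'home_dir' => '/home/jdoe', 'group' => 'users',
    'skeleton_dir' => '/etc/skel', 'shell' => '/bin/bash',
    'password' => 'constructed-sample-password',
]);
echo $cmd, "\n";                  // inspect before wiring in exec()
// exec($cmd, $output, $status);  // $status !== 0 means useradd failed
```

Because -p puts the hash on the command line, it is visible to other local users in the process list while useradd runs.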