Matias Surdi wrote:
> I'm using mod_python3 and apache22 to create some scripts and access them
> through a web interface.
>
> The problem is that some of these scripts deal with configuration files and
> some other tasks that require root privileges.
>
> In the past, I've solved this issue by using sudo and allowing just the
> commands I want to allow in the sudoers file to the apache user. But I'm
> wondering if this is the better way to do what I want to do.
>
> What would you do in such a situation?

I think sudo is pretty much _the_ way to accomplish this. Not that it
would be your only option per se, but I think it's definitely your best
option.

We maintain a number of scripts that serve very restricted purposes for
the use of our web user with sudo.

    www WIFIROUTERS = (root) NOPASSWD: WIRELESS

This allows the www user to run the wireless connection setup/teardown
scripts as root without typing a password on wireless routers. We use
this to allow a transparent proxy web-app to move the user to the
"authenticated" firewall context.

Our sudoers file (shared across roughly 100 machines) is littered with
other examples ranging from allowing users to sa-learn in mailman to
nagios monitoring and remote sync jobs for DNS/DHCP.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
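
The web-application side of the sudo arrangement described in the reply above, as an added example that is not part of the original thread: the handler maps a fixed action name to one root-owned script, validates the single argument, and calls sudo without a shell. The script paths, action names and function names are hypothetical.

```python
import ipaddress
import subprocess

SUDO = "/usr/bin/sudo"

# Hypothetical root-owned helper scripts (assumed paths). Each one must also be
# named in the sudoers Cmnd_Alias granted to the web user.
ALLOWED_ACTIONS = {
    "wireless-up": "/usr/local/sbin/wireless-up",
    "wireless-down": "/usr/local/sbin/wireless-down",
}


def build_sudo_argv(action, client_ip):
    """Return the argv list for one allow-listed action, or raise ValueError."""
    try:
        script = ALLOWED_ACTIONS[action]
    except KeyError:
        raise ValueError("action not allow-listed: %r" % (action,))
    if not isinstance(client_ip, str):
        raise ValueError("client_ip must be a string")
    # Strict parse: rejects option-like strings, shell metacharacters and
    # anything else that is not a dotted-quad IPv4 address.
    ip = ipaddress.IPv4Address(client_ip)
    # -n: fail instead of prompting if sudoers lacks NOPASSWD for this command.
    # --: nothing after it is interpreted as a sudo option.
    return [SUDO, "-n", "--", script, str(ip)]


def run_privileged(action, client_ip, timeout=10):
    """Run the helper through sudo with no shell and a minimal environment."""
    argv = build_sudo_argv(action, client_ip)
    result = subprocess.run(
        argv,
        shell=False,
        env={"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"},
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return result.returncode, result.stderr.strip()
```

A command listed in sudoers without arguments may be run with any arguments, so the root-owned helper script should repeat the same argument validation rather than trust the web process.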