Matias Surdi wrote:
> I'm using mod_python3 and apache22 to create some scripts and access them 
> through a web interface.
> 
> The problem is that some of these scripts deal with configuration files and 
> some other tasks that require root privileges.
> 
> In the past, I've solved this issue by using sudo and allowing just the 
> commands I want to allow in the sudoers file to the apache user.But I'm 
> wondering if this is the better way to do what I want to do.
> 
> What would you do in such a situation?

I think sudo is pretty much _the_ way to accomplish this. Not that it
would be your only option per se, but I think it's definitely your best
option.

We maintain a number of scripts that serve very restricted purposes for
the use of our web user with sudo.

www     WIFIROUTERS = (root) NOPASSWD: WIRELESS

This allows the www user to run the wireless connection setup/teardown
scripts as root without typing a password on wireless routers. We use
this to allow a transparent proxy web-app to move the user to the
"authenticated" firewall context. Our sudoers file (shared across
roughly 100 machines) is littered with other examples ranging from
allowing users to sa-learn in mailman to nagios monitoring and remote
sync jobs for DNS/DHCP.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Attachment: pgpzuUTwE1gr0.pgp
Description: PGP signature

Reply via email to