On Tue, Sep 23, 2008, Mel wrote:
>On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>
>> The problem is that some of these scripts deal with configuration files
>> and some other tasks that require root privileges.
>
>There are 2 alternatives I have used:
>1) If the configuration files allow 'includes', then include a file that is
>writeable by the webuser. This will additionally allow you to restrict what
>the webserver can change in the config of this application. Note that
>configuration files that are modifiable by root only often are so for a reason,
>so this does not improve the security of the service being configured, but it
>takes a fork() and sudo out of the mix.
>
>2) If the changes do not need to be immediate, then you can put it in a queue
>directory and run a script through root's cron that picks up the queue and
>runs the commands therein. You then have the opportunity to remove scripts
>before they are run or even build in authorization.

Another option that we use is to have an XML-RPC server running
as root on localhost, accessible from the web server.  This
server is written using the standard python SimpleXMLRPCServer,
and handles a limited number of procedures.  Some of these
procedures, such as running ``make'' in the etc/postfix directory,
do not have serious authentication.  Others have stronger methods
of authentication and restrictions.

Bill
-- 
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

It would be a great improvement if the government respected individuals
rights as much as they respect the rights of the caribous.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
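
The localhost XML-RPC approach from the last reply, as an added sketch (not code from the original post or from its author): a root-side server that exposes only two fixed procedures, one unauthenticated with no caller-controlled arguments and one gated by an HMAC tag and an allow-list. The procedure names, `POSTFIX_DIR`, the port, `SECRET` and `SERVICES` are assumptions made for illustration.

```python
import hashlib
import hmac
import subprocess
from xmlrpc.server import SimpleXMLRPCDispatcher, SimpleXMLRPCServer

# Assumptions for this sketch: path, secret and service list are placeholders.
POSTFIX_DIR = "/usr/local/etc/postfix"
SECRET = b"constructed-demo-secret"      # real use: load from a root-only file
SERVICES = {"postfix", "dovecot"}        # hypothetical allow-list


def sign(service, nonce, key=SECRET):
    """Tag the caller computes; binds the request to one service and nonce."""
    msg = f"{service}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def register(target, run=subprocess.run):
    """Expose exactly two procedures on an XML-RPC dispatcher or server."""
    seen = set()  # nonces already used, to refuse replays

    def rebuild_postfix_maps():
        # No caller input reaches the command line: fixed argv, fixed cwd.
        return run(["make"], cwd=POSTFIX_DIR, check=False).returncode

    def restart_service(service, nonce, tag):
        # Stronger procedure: allow-list, HMAC check, single-use nonce.
        if service not in SERVICES:
            raise ValueError("service not allowed")
        if nonce in seen or not hmac.compare_digest(sign(service, nonce), tag):
            raise PermissionError("bad or replayed tag")
        seen.add(nonce)
        return run(["service", service, "restart"], check=False).returncode

    target.register_function(rebuild_postfix_maps)
    target.register_function(restart_service)
    return target


if __name__ == "__main__":
    # Loopback only, so just local processes such as the web server can connect.
    server = SimpleXMLRPCServer(("127.0.0.1", 8765), logRequests=True)
    register(server).serve_forever()
```

Binding to 127.0.0.1 still lets every local user reach the port, which is why the second procedure checks a tag instead of trusting the connection.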