On Tue, Sep 23, 2008, Mel wrote:
>On Monday 22 September 2008 22:51:26 Matias Surdi wrote:
>
>> The problem is that some of these scripts deal with configuration files
>> and some other tasks that require root privileges.
>
>There's 2 alternatives I have used:
>1) If the configuration files allow 'includes', then include a file that is
>writeable by the webuser. This will additionally allow you to restrict what
>the webserver can change in the config of this application. Note, that
>configuration files that are modifiable by root only, often are for a reason,
>so this does not improve the security of the service being configured, but it
>takes a fork() and sudo out of the mix.
>
>2) If the changes do not need to be immediate, then you can put it in a queue
>directory and run a script through root's cron that picks up the queue and
>runs the commands therein. You then have the opportunity to remove scripts
>before they are run or even build in authorization.

Another option that we use is to have an XML-RPC server running as root on
localhost, accessible from the web server. This server is written using the
standard python SimpleXMLRPCServer, and handles a limited number of
procedures.

Some of these procedures, such as running ``make'' in the etc/postfix
directory, do not have serious authentication. Others have stronger methods
of authentication and restrictions.

Bill
-- 
INTERNET:   [EMAIL PROTECTED]   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

It would be a great improvement if the government respected individuals
rights as much as they respect the rights of the caribous.
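
The localhost XML-RPC helper described in the reply above, as an added example that is not the poster's own code: one procedure takes no caller input and needs no credentials, the other requires an HMAC-signed, time-limited request. The procedure names, port, POSTFIX_DIR, the RELOADABLE table, the signing scheme and the secret file path are all assumptions made for illustration.

```python
import hashlib
import hmac
import subprocess
import time
from xmlrpc.client import Fault
from xmlrpc.server import SimpleXMLRPCServer

# Assumed values for illustration; none come from the original post.
POSTFIX_DIR = "/usr/local/etc/postfix"
RELOADABLE = {"postfix": ["postfix", "reload"]}  # name -> fixed argv
MAX_SKEW = 30  # seconds a signed request stays valid


def sign(secret, name, ts):
    """MAC the web side attaches to a privileged request."""
    return hmac.new(secret, f"{name}|{ts}".encode(), hashlib.sha256).hexdigest()


def build_server(secret, port=8901, run=subprocess.run):
    # Loopback only: the listening socket is not reachable from the network.
    server = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)

    def rebuild_postfix_maps():
        # No caller input reaches the command: fixed argv, fixed cwd, no shell.
        return run(["make"], cwd=POSTFIX_DIR, timeout=60).returncode

    def reload_service(name, ts, mac):
        # Stronger check: the caller must prove knowledge of the shared secret.
        if not hmac.compare_digest(sign(secret, name, ts), str(mac)):
            raise Fault(403, "bad signature")
        if abs(time.time() - int(ts)) > MAX_SKEW:
            raise Fault(403, "stale request")
        if name not in RELOADABLE:
            raise Fault(400, "service not allowed")
        return run(RELOADABLE[name], timeout=60).returncode

    # Only these two names are callable; introspection is left unregistered.
    server.register_function(rebuild_postfix_maps)
    server.register_function(reload_service)
    return server


if __name__ == "__main__":
    with open("/root/rpc.secret", "rb") as fh:  # assumed path, mode 0600
        build_server(fh.read().strip()).serve_forever()
```

Any local user can connect to a loopback port, so the unauthenticated procedure should stay limited to actions that are harmless to repeat, and a captured signed request remains replayable until MAX_SKEW expires.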