Re: [PHP] Page that checks if a user exists on a remote system
> I am looking to do like Hotmail, or Yahoo!, or Mail.com, or any of the other places do. I can go sign up on their site and immediately have an e-mail account that I can start using. No admin has to take the time to create my account for me.

You do understand that these hosts have MAJOR PROBLEMS and invest inordinate amounts of resources to users who abuse their services.

You're going to be spending a HUGE amount of money/time if you have something as wide-open as those.

Their whole schtick is Free Email so it's worth it to them to invest in an army of people to handle the problems.

Is it worth it to you? HIGHLY unlikely.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Page that checks if a user exists on a remote system
Richard,

Very good point, and you are correct, I am not looking to hire an army and spend tons of time and money on it. I have since rethought this, thanks in part to this thread. I have decided to go with something more secure. Since I have a database of users already for the site on ServerA, I will just set up a cron job on ServerB that runs a script that queries that database and then adds, edits, removes users accordingly. That way the access of the shell is being done always by a trusted system only user. I will put an extra table in my database called something like user_email_account_management_requests and the remote script will check that for any tasks it needs to do.

Thanks again to all those who helped me with this. I have learned quite a bit and enjoyed it.

Best regards,
--
Jonathan Duncan
http://www.nacnud.com

On Mon, 6 Dec 2004, Richard Lynch wrote:

> > I am looking to do like Hotmail, or Yahoo!, or Mail.com, or any of the other places do. I can go sign up on their site and immediately have an e-mail account that I can start using. No admin has to take the time to create my account for me.
>
> You do understand that these hosts have MAJOR PROBLEMS and invest inordinate amounts of resources to users who abuse their services.
>
> You're going to be spending a HUGE amount of money/time if you have something as wide-open as those.
>
> Their whole schtick is Free Email so it's worth it to them to invest in an army of people to handle the problems.
>
> Is it worth it to you? HIGHLY unlikely.
Re: [PHP] Page that checks if a user exists on a remote system
Ok, so this is what I have done:

*-*-*-*-*-*-*-*-*-*-*
$idResults = `sudo -u admin ssh [EMAIL PROTECTED] id usertocheck 2>&1`;
echo "id: (".$idResults.")\r\n"."\r\n";
if (ereg("no such user", $idResults)) { echo 'id blah!'; }
*-*-*-*-*-*-*-*-*-*-*

And, here are the results that I get when I access the above code with my browser:

*-*-*-*-*-*-*-*-*-*-*
id: (id: alain: no such user ) id blah!
*-*-*-*-*-*-*-*-*-*-*

I have added the webserver user to sudoers which gives that user only the ability to sudo to the admin user and run the ssh command which then allows the webserver user to ssh to the remote machine without a password since I setup secure keys for that user.

So what I wanted to do is now working. My question now would be, are there any security concerns with how I am doing this? Aside from doing an id check I will also be doing a remote command to add a user to the remote system (ServerB) from the same PHP script. I will of course escapeshellarg any information my users submit to the script.

Thanks,
Jonathan

Richard Lynch [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Gryffyn, Trevor wrote:
> > If it's a un*x system and you have permissions to connect to the SMTP server, you could use the VRFY command to check to see if their email address exists or not maybe:
> >
> > Example of Verifying a User Name
> >
> > Either
> >    S: VRFY Smith
> >    R: 250 Fred Smith [EMAIL PROTECTED]
> > Or
> >    S: VRFY Smith
> >    R: 251 User not local; will forward to [EMAIL PROTECTED]
> > Or
> >    S: VRFY Jones
> >    R: 550 String does not match anything.
> > Or
> >    S: VRFY Jones
> >    R: 551 User not local; please try [EMAIL PROTECTED]
> > Or
> >    S: VRFY Gourzenkyinplatz
> >    R: 553 User ambiguous.
> >
> > (examples taken from: http://www.ietf.org/rfc/rfc0821.txt Page 8)
>
> I believe that, for performance and security reasons, many/most SMTP servers these days will out and out *LIE* to you about this...
>
> The real answer is: There is *NO* *WAY* to do this on a general basis, unless you control the remote machine, or know enough about its setup, to be certain that it will respond correctly.
>
> > ServerA and ServerB
>
> Ah. The original poster probably has control of ServerB. Life is now simplified immensely.
>
> > This, of course, is because the script is being run as www who has no place to put ssl keys. Could this be solved by having www su to a user who has remote access privileges? Something like this:
> >
> > $idResults = `su admin | ssh [EMAIL PROTECTED] id bigbob 2>&1`;
>
> su simply won't let you do that. su requires a TTY to avoid you doing something so incredibly dangerous as this.
>
> So, no, that won't work. And you shouldn't be trying to do that anyway.
>
> > Anyone else doing or done something like this?
>
> Sure. I've never done it, but many many many have.
>
> One fairly simple thing is to create the 'www' user on ServerA so that they *do* have a home directory where they can store SSH keys. You may need to su to 'www' once, and do some ssh work -- ssh-key-gen or whatever it is.
>
> That, however, increases your risk in the event that the www user is compromised on ServerA.
>
> Probably the best answer is to attack this from the side of ServerB.
>
> You want ServerB to:
>   Only allow ServerA to even ask.
>   Tell ServerA if user X is a valid username.
>
> From the point of ServerB, making sure that ServerA is the one asking is fairly simple. You could check the IP (which can be spoofed, but that's fairly difficult) or provide some other means of authentication (SSH/SSL) that ensures that ServerA is really ServerA.
>
> Then, ServerB can just check /etc/passwd usernames. Or be even simpler to use a shell command like 'user' (?) or 'groups' to verify that a user is valid.
>
> In other words, instead of writing some hacky code on ServerA to try to poke at ServerB to get the answer you want, write some nice clean code on ServerB to provide the answer, WHEN APPROPRIATE.
Re: [PHP] Page that checks if a user exists on a remote system
Jonathan Duncan wrote:
> I will also be doing a remote command to add a user to the remote system (ServerB) from the same PHP script.

If you want to manage a server via web interface, don't reinvent the wheel. Use webmin, by example. Webmin runs a mini webserver as root (on port 1), and uses modules for managing users, proftp, apache, etc

Of course, I don't know what you want to do.

Christophe
Re: [PHP] Page that checks if a user exists on a remote system
Christophe,

I see where you are coming from with that, but the purpose of this script is to remove me from the picture completely. I want someone to be able to come sign up on my site and automatically be added as a mail user and other things so that I do not need to do that kind of thing.

I am looking to do like Hotmail, or Yahoo!, or Mail.com, or any of the other places do. I can go sign up on their site and immediately have an e-mail account that I can start using. No admin has to take the time to create my account for me.

Does that make sense? Does that explain better why I am trying to do this? Has not anyone else wanted that functionality also?

Thank you,
Jonathan Duncan

On Fri, 3 Dec 2004, Christophe Chisogne wrote:

> Jonathan Duncan wrote:
> > I will also be doing a remote command to add a user to the remote system (ServerB) from the same PHP script.
>
> If you want to manage a server via web interface, don't reinvent the wheel. Use webmin, by example. Webmin runs a mini webserver as root (on port 1), and uses modules for managing users, proftp, apache, etc
>
> Of course, I don't know what you want to do.
>
> Christophe
RE: [PHP] Page that checks if a user exists on a remote system
Hi!

Have you thought of writing the userdata to a database and running a perl script by cron to do the rest? This would be an interesting opinion for security purpose.

Stefan

-----Original Message-----
From: Jonathan Duncan [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 December 2004 18:55
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Page that checks if a user exists on a remote system

> Christophe,
>
> I see where you are coming from with that, but the purpose of this script is to remove me from the picture completely. I want someone to be able to come sign up on my site and automatically be added as a mail user and other things so that I do not need to do that kind of thing.
>
> I am looking to do like Hotmail, or Yahoo!, or Mail.com, or any of the other places do. I can go sign up on their site and immediately have an e-mail account that I can start using. No admin has to take the time to create my account for me.
>
> Does that make sense? Does that explain better why I am trying to do this? Has not anyone else wanted that functionality also?
>
> Thank you,
> Jonathan Duncan
>
> On Fri, 3 Dec 2004, Christophe Chisogne wrote:
>
> > Jonathan Duncan wrote:
> > > I will also be doing a remote command to add a user to the remote system (ServerB) from the same PHP script.
> >
> > If you want to manage a server via web interface, don't reinvent the wheel. Use webmin, by example. Webmin runs a mini webserver as root (on port 1), and uses modules for managing users, proftp, apache, etc
> >
> > Of course, I don't know what you want to do.
> >
> > Christophe
Re: [PHP] Page that checks if a user exists on a remote system
Jonathan Duncan wrote:
> Ok, so this is what I have done:
>
> *-*-*-*-*-*-*-*-*-*-*
> $idResults = `sudo -u admin ssh [EMAIL PROTECTED] id usertocheck 2>&1`;
> echo "id: (".$idResults.")\r\n"."\r\n";
> if (ereg("no such user", $idResults)) { echo 'id blah!'; }
> *-*-*-*-*-*-*-*-*-*-*
>
> So what I wanted to do is now working. My question now would be, are there any security concerns with how I am doing this?

That's kind of a bad question :-)

To some degree, the very fact that you *ARE* doing this -- allowing one machine to know for certain what is or isn't a valid username on another -- is a security risk.

But, assuming you really understand that, and consider that an acceptable risk...

Certainly using sudo to admin is better than some options.

But what else can 'admin' do?

Assuming 'admin' can do all sorts of nasty things, it would be even better to create a new user, say, 'serverBchecker' -- and the *ONLY* purpose in life for this user is to be able to check usernames on serverB. They should have read/write access to *NOTHING* *ELSE* on your entire machine, A, or B, unless it's absolutely necessary to perform the tasks required.

The next question issue isn't about how this script does what it does: It's about who can access this script, and how, and when, and under what circumstances.

What you really want to avoid, is anybody on the planet being able to pound away at this script, trying every username they can think of, to build up a list of valid usernames on serverB.

If you can restrict access to this script, in any way, to any degree, you are reducing your risk.

Can it be behind an SSL connection, with only trusted users logging in through a known safe authentication system?

Can you do just the login? Just the SSL?

Can you at least build the system so that if somebody tries to check more than N usernames in time period T, they are locked out?

We don't really know what you are doing, or why you need this, but you're on thin ice, so put on your criminal hat, and figure out what the bad guys are likely to try, and then make it harder for them to try that.

--
Like Music?
http://l-i-e.com/artists.htm
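
[Added example, not part of the original thread and not any poster's code: the "more than N usernames in time period T" lockout suggested above, as a small shell gate that a lookup script calls before it answers. The state directory, the limits, the lockout length and the client identifier format are assumptions.]

```shell
#!/bin/sh
# Lookup gate: at most MAX_LOOKUPS checks per client within WINDOW seconds;
# one more attempt inside the window locks that client out for LOCKOUT seconds.
# State is one line per client file: "<locked_until> <stamp> <stamp> ..."
# No file locking is done here; serialise callers (for example with flock)
# if several lookups for one client can run at the same time.
LC_ALL=C
export LC_ALL

MAX_LOOKUPS=5                                    # N (assumed value)
WINDOW=60                                        # T, in seconds (assumed value)
LOCKOUT=900                                      # lockout length (assumed value)
STATE_DIR=${STATE_DIR:-/var/lib/username-check}  # hypothetical location

# allow_lookup CLIENT NOW
# CLIENT is an opaque caller id (IP address or session id), NOW is epoch seconds.
# Returns 0 and records the attempt if it is allowed, 1 if it is refused.
allow_lookup() {
    client=$1
    now=$2
    # CLIENT becomes a file name: refuse empty ids, dot-files and anything
    # outside a small safe character set (so no "/" and no "..").
    case $client in ''|.*|*[!A-Za-z0-9.:_-]*) return 1 ;; esac
    case $now in ''|*[!0-9]*) return 1 ;; esac
    mkdir -p "$STATE_DIR" || return 1
    file=$STATE_DIR/$client

    locked_until=0
    stamps=''
    if [ -f "$file" ]; then
        read -r locked_until stamps < "$file" || :
    fi
    case $locked_until in ''|*[!0-9]*) locked_until=0 ;; esac

    # Still inside an earlier lockout: refuse without recording anything.
    [ "$now" -ge "$locked_until" ] || return 1

    # Keep only the attempts that fall inside the current window.
    kept=''
    count=0
    for t in $stamps; do
        case $t in *[!0-9]*) continue ;; esac
        if [ "$t" -gt $((now - WINDOW)) ]; then
            kept="$kept $t"
            count=$((count + 1))
        fi
    done

    if [ "$count" -ge "$MAX_LOOKUPS" ]; then
        # Budget already used up: start the lockout and refuse.
        printf '%s%s\n' $((now + LOCKOUT)) "$kept" > "$file"
        return 1
    fi

    printf '0%s %s\n' "$kept" "$now" > "$file"
    return 0
}

# Command-line use: ./gate.sh <client-id>
if [ "$#" -ge 1 ]; then
    if allow_lookup "$1" "$(date +%s)"; then echo allowed; else echo denied; fi
fi
```

A refused caller should get the same reply it would get for any failed request, so the lockout itself does not reveal anything about which names exist.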
RE: [PHP] Page that checks if a user exists on a remote system
This is in reply to both Stefan and Richard,

I gave it some brief thought in the past, but brushed it off as not as convenient. However, rethinking about it, it may actually be more secure. H, darn it, now you have me thinking again.

Security is a big concern for me. As it is now, the web user has the ability to sudo. But that user can only sudo to one other user, who is limited, and can only run 2 commands as that user. Sooo... while the web user is certainly limited, and the PHP script will be outside of the document root of the web server, and access to that script will be through an include on an SSL connection, there could still be something that I am not thinking of.

Adding the people to a database first and having a script run by cron (or some other trigger) running on ServerB that accesses the database that is on ServerA would be a nice firewall and the web user would not need any access rights or the need to sudo.

Ok, I am going to break this down and rethink my strategy. Thanks to everyone. Richard, I consider myself a highly security conscious person, but you are making me think more like a criminal, and that is good. Security is very important.

I will post back with my results.

Thanks,
--
Jonathan Duncan
http://www.nacnud.com

On Fri, 3 Dec 2004, Stefan wrote:

> Hi!
>
> Have you thought of writing the userdata to a database and running a perl script by cron to do the rest? This would be an interesting opinion for security purpose.
>
> Stefan
>
> -----Original Message-----
> From: Jonathan Duncan [mailto:[EMAIL PROTECTED]
> Sent: Friday, 3 December 2004 18:55
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Page that checks if a user exists on a remote system
>
> > Christophe,
> >
> > I see where you are coming from with that, but the purpose of this script is to remove me from the picture completely. I want someone to be able to come sign up on my site and automatically be added as a mail user and other things so that I do not need to do that kind of thing.
> >
> > I am looking to do like Hotmail, or Yahoo!, or Mail.com, or any of the other places do. I can go sign up on their site and immediately have an e-mail account that I can start using. No admin has to take the time to create my account for me.
> >
> > Does that make sense? Does that explain better why I am trying to do this? Has not anyone else wanted that functionality also?
> >
> > Thank you,
> > Jonathan Duncan
> >
> > On Fri, 3 Dec 2004, Christophe Chisogne wrote:
> >
> > > Jonathan Duncan wrote:
> > > > I will also be doing a remote command to add a user to the remote system (ServerB) from the same PHP script.
> > >
> > > If you want to manage a server via web interface, don't reinvent the wheel. Use webmin, by example. Webmin runs a mini webserver as root (on port 1), and uses modules for managing users, proftp, apache, etc
> > >
> > > Of course, I don't know what you want to do.
> > >
> > > Christophe
Re: [PHP] Page that checks if a user exists on a remote system
On Saturday 04 December 2004 02:47, Jonathan Duncan wrote:

[snip]

> rethink my strategy. Thanks to everyone. Richard, I consider myself a highly security conscious person, but you are making me think more like a criminal, and that is good. Security is very important.

In that case may I suggest that you use an MTA which does not require system accounts for each and every mail box?

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
Re: [PHP] Page that checks if a user exists on a remote system
Jason,

Such as? I assume you have something in mind. That would certainly be nice. I am not against considering it. Although I am somewhat tied to sendmail as that is what my hosting provider supports and also what I am familiar with.

Jonathan

Jason Wong [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> On Saturday 04 December 2004 02:47, Jonathan Duncan wrote:
>
> [snip]
>
> > rethink my strategy. Thanks to everyone. Richard, I consider myself a highly security conscious person, but you are making me think more like a criminal, and that is good. Security is very important.
>
> In that case may I suggest that you use an MTA which does not require system accounts for each and every mail box?
Re: [PHP] Page that checks if a user exists on a remote system
On Saturday 04 December 2004 05:33, Jonathan Duncan wrote:

> Such as? I assume you have something in mind. That would certainly be nice. I am not against considering it. Although I am somewhat tied to sendmail as that is what my hosting provider supports and also what I am familiar with.

qmail, Postfix, Courier, all allow (mail) users to be created independent of the system. The user info can be stored in different ways - file, ldap, database - the latter two being ideal for what you're trying to do.

Any of the three mentioned above should be more secure and easier to administer than Sendmail.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
RE: [PHP] Page that checks if a user exists on a remote system
Gryffyn, Trevor wrote:
> If it's a un*x system and you have permissions to connect to the SMTP server, you could use the VRFY command to check to see if their email address exists or not maybe:
>
> Example of Verifying a User Name
>
> Either
>    S: VRFY Smith
>    R: 250 Fred Smith [EMAIL PROTECTED]
> Or
>    S: VRFY Smith
>    R: 251 User not local; will forward to [EMAIL PROTECTED]
> Or
>    S: VRFY Jones
>    R: 550 String does not match anything.
> Or
>    S: VRFY Jones
>    R: 551 User not local; please try [EMAIL PROTECTED]
> Or
>    S: VRFY Gourzenkyinplatz
>    R: 553 User ambiguous.
>
> (examples taken from: http://www.ietf.org/rfc/rfc0821.txt Page 8)

I believe that, for performance and security reasons, many/most SMTP servers these days will out and out *LIE* to you about this...

The real answer is: There is *NO* *WAY* to do this on a general basis, unless you control the remote machine, or know enough about its setup, to be certain that it will respond correctly.

> ServerA and ServerB

Ah. The original poster probably has control of ServerB. Life is now simplified immensely.

> This, of course, is because the script is being run as www who has no place to put ssl keys. Could this be solved by having www su to a user who has remote access privileges? Something like this:
>
> $idResults = `su admin | ssh [EMAIL PROTECTED] id bigbob 2>&1`;

su simply won't let you do that. su requires a TTY to avoid you doing something so incredibly dangerous as this.

So, no, that won't work. And you shouldn't be trying to do that anyway.

> Anyone else doing or done something like this?

Sure. I've never done it, but many many many have.

One fairly simple thing is to create the 'www' user on ServerA so that they *do* have a home directory where they can store SSH keys. You may need to su to 'www' once, and do some ssh work -- ssh-key-gen or whatever it is.

That, however, increases your risk in the event that the www user is compromised on ServerA.

Probably the best answer is to attack this from the side of ServerB.

You want ServerB to:
  Only allow ServerA to even ask.
  Tell ServerA if user X is a valid username.

From the point of ServerB, making sure that ServerA is the one asking is fairly simple. You could check the IP (which can be spoofed, but that's fairly difficult) or provide some other means of authentication (SSH/SSL) that ensures that ServerA is really ServerA.

Then, ServerB can just check /etc/passwd usernames. Or be even simpler to use a shell command like 'user' (?) or 'groups' to verify that a user is valid.

In other words, instead of writing some hacky code on ServerA to try to poke at ServerB to get the answer you want, write some nice clean code on ServerB to provide the answer, WHEN APPROPRIATE.

--
Like Music?
http://l-i-e.com/artists.htm
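
[Added example, not part of the original thread and not any poster's code: one way to put the "only ServerA may ask, and only this one question" idea on ServerB, as an OpenSSH forced command for a lookup-only account. The install path, the account, the username policy and the one-word replies are assumptions.]

```shell
#!/bin/sh
# Forced-command wrapper for a lookup-only account on ServerB.
# Hypothetical install path: /usr/local/bin/check-username
#
# The account's ~/.ssh/authorized_keys holds a single line that pins ServerA's
# key to this script (address and key are placeholders):
#
#   from="<ServerA address>",command="/usr/local/bin/check-username",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <ServerA public key>
#
# With command="..." set, sshd runs this script no matter what the client
# asked for, and passes the client's request in SSH_ORIGINAL_COMMAND. The
# request is treated as data and is never handed to a shell.
LC_ALL=C
export LC_ALL

# check_request REQUEST
# Prints exactly one word: taken, available or rejected.
check_request() {
    request=$1

    # The only request shape accepted is "id <name>".
    case $request in
        "id "*) name=${request#id } ;;
        *) echo rejected; return 0 ;;
    esac

    # Username policy (an assumption; match it to the policy of the system
    # that creates the accounts): starts with a lowercase letter, then
    # lowercase letters, digits, "_" or "-", at most 32 characters.
    # Spaces, quotes, ";", "|", "$" and newlines all fail this test.
    case $name in
        ''|[!a-z]*|*[!a-z0-9_-]*) echo rejected; return 0 ;;
    esac
    if [ "${#name}" -gt 32 ]; then
        echo rejected
        return 0
    fi

    # Answer with one fixed word instead of raw id output, so ServerA never
    # learns uid, gid or group membership.
    if id -u "$name" >/dev/null 2>&1; then
        echo taken
    else
        echo available
    fi
}

# Under sshd the variable is set: answer the single request and exit.
if [ "${SSH_ORIGINAL_COMMAND+set}" = set ]; then
    check_request "$SSH_ORIGINAL_COMMAND"
fi
```

On ServerA the PHP side then compares the reply against the three fixed words instead of pattern-matching the error text of id.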
Re: [PHP] Page that checks if a user exists on a remote system
On Thursday 02 December 2004 23:32, Gryffyn, Trevor wrote:

> If it's a un*x system and you have permissions to connect to the SMTP server, you could use the VRFY command to check to see if their email address exists or not maybe:

Just want to point out that this behaviour is dependent on the flavour of the SMTP server so YMMV.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
RE: [PHP] Page that checks if a user exists on a remote system
Well, I can honestly say I had not thought of doing it that way. I will keep that as an option.

Thanks.
Jonathan

On Thu, 2 Dec 2004, Gryffyn, Trevor wrote:

> If it's a un*x system and you have permissions to connect to the SMTP server, you could use the VRFY command to check to see if their email address exists or not maybe:
>
> Example of Verifying a User Name
>
> Either
>    S: VRFY Smith
>    R: 250 Fred Smith [EMAIL PROTECTED]
> Or
>    S: VRFY Smith
>    R: 251 User not local; will forward to [EMAIL PROTECTED]
> Or
>    S: VRFY Jones
>    R: 550 String does not match anything.
> Or
>    S: VRFY Jones
>    R: 551 User not local; please try [EMAIL PROTECTED]
> Or
>    S: VRFY Gourzenkyinplatz
>    R: 553 User ambiguous.
>
> (examples taken from: http://www.ietf.org/rfc/rfc0821.txt Page 8)
>
> Just a thought.
>
> -TG
>
> -----Original Message-----
> From: news.php.net [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 01, 2004 7:57 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Page that checks if a user exists on a remote system
>
> > I have two servers: ServerA and ServerB. One server serves web pages, the other serves mail. I am making a web page on ServerA that will access ServerB to find out if a user exists and if not then add that user to ServerB with information collected from the web page on ServerA.
> >
> > I have this in a php file:
> >
> > $idResults = `ssh [EMAIL PROTECTED] id bigbob 2>&1`;
> > echo "id: (".$idResults.")\r\n"."\r\n";
> > if (ereg("no such user", $idResults)) { echo 'username is available!'; }
> >
> > When I access the page I get:
> >
> > Could not create directory '/nonexistent/.ssh'.
> > Host key verification failed.
> >
> > This, of course, is because the script is being run as www who has no place to put ssl keys. Could this be solved by having www su to a user who has remote access privileges? Something like this:
> >
> > $idResults = `su admin | ssh [EMAIL PROTECTED] id bigbob 2>&1`;
> > echo "id: (".$idResults.")\r\n"."\r\n";
> > if (ereg("no such user", $idResults)) {
> >     echo 'username is available!';
> >     // function addUserToServerB(vars);
> > }
> >
> > Anyone else doing or done something like this?
> >
> > Thanks,
> > --
> > Jonathan Duncan
> > http://www.nacnud.com
RE: [PHP] Page that checks if a user exists on a remote system
If it's a un*x system and you have permissions to connect to the SMTP server, you could use the VRFY command to check to see if their email address exists or not maybe:

Example of Verifying a User Name

Either
   S: VRFY Smith
   R: 250 Fred Smith [EMAIL PROTECTED]
Or
   S: VRFY Smith
   R: 251 User not local; will forward to [EMAIL PROTECTED]
Or
   S: VRFY Jones
   R: 550 String does not match anything.
Or
   S: VRFY Jones
   R: 551 User not local; please try [EMAIL PROTECTED]
Or
   S: VRFY Gourzenkyinplatz
   R: 553 User ambiguous.

(examples taken from: http://www.ietf.org/rfc/rfc0821.txt Page 8)

Just a thought.

-TG

-----Original Message-----
From: news.php.net [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 7:57 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Page that checks if a user exists on a remote system

> I have two servers: ServerA and ServerB. One server serves web pages, the other serves mail. I am making a web page on ServerA that will access ServerB to find out if a user exists and if not then add that user to ServerB with information collected from the web page on ServerA.
>
> I have this in a php file:
>
> $idResults = `ssh [EMAIL PROTECTED] id bigbob 2>&1`;
> echo "id: (".$idResults.")\r\n"."\r\n";
> if (ereg("no such user", $idResults)) { echo 'username is available!'; }
>
> When I access the page I get:
>
> Could not create directory '/nonexistent/.ssh'.
> Host key verification failed.
>
> This, of course, is because the script is being run as www who has no place to put ssl keys. Could this be solved by having www su to a user who has remote access privileges? Something like this:
>
> $idResults = `su admin | ssh [EMAIL PROTECTED] id bigbob 2>&1`;
> echo "id: (".$idResults.")\r\n"."\r\n";
> if (ereg("no such user", $idResults)) {
>     echo 'username is available!';
>     // function addUserToServerB(vars);
> }
>
> Anyone else doing or done something like this?
>
> Thanks,
> --
> Jonathan Duncan
> http://www.nacnud.com
RE: [PHP] Page that checks if a user exists on a remote system
Yeah, this is definitely a maybe solution and depends on a few things being right. But if the alternatives are using su ANYTHING commands and if just asking the SMTP server produces accurate results, then it seemed like it was worth mentioning.

But the few people who have pointed out that this can possibly be flawed, you are perfectly correct.

-TG

-----Original Message-----
From: Jason Wong [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Page that checks if a user exists on a remote system

> On Thursday 02 December 2004 23:32, Gryffyn, Trevor wrote:
>
> > If it's a un*x system and you have permissions to connect to the SMTP server, you could use the VRFY command to check to see if their email address exists or not maybe:
>
> Just want to point out that this behaviour is dependent on the flavour of the SMTP server so YMMV.
Re: [PHP] Page that checks if a user exists on a remote system
On Wed, 1 Dec 2004 17:57:28 -0700, news.php.net [EMAIL PROTECTED] wrote:

> Anyone else doing or done something like this?

I use sudo when my web server needs temporary elevated permissions.

--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
Re: [PHP] Page that checks if a user exists on a remote system
Perhaps this gets more into server administration, but it is mixed so much into the php script, which is why I am asking it here.

Yes, sudo was one of my first thoughts. As far as the implementation goes though. How do you work the remote access bit? Using ssh do you use the ssl cert switch so that the www user can shell into a remote machine? Or does the sudo process actually make www the root user for a certain command and can then shell into a remote machine using the root ssl cert? Or can sudo make www into a user that can shell into a remote machine? I am still becoming familiar with sudo.

Thanks,
Jonathan

Greg Donald [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> On Wed, 1 Dec 2004 17:57:28 -0700, news.php.net [EMAIL PROTECTED] wrote:
>
> > Anyone else doing or done something like this?
>
> I use sudo when my web server needs temporary elevated permissions.
Re: [PHP] Page that checks if a user exists on a remote system
I have put this in my sudoers file using visudo to edit it:

www ALL = NOPASSWD: /usr/local/bin/sudo puser, (puser) NOPASSWD: /usr/bin/ssh /usr/bin/id

However the www user is still being asked for a password. Is this too off topic for this list?

Jonathan

Jonathan Duncan [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Perhaps this gets more into server administration, but it is mixed so much into the php script, which is why I am asking it here.
>
> Yes, sudo was one of my first thoughts. As far as the implementation goes though. How do you work the remote access bit? Using ssh do you use the ssl cert switch so that the www user can shell into a remote machine? Or does the sudo process actually make www the root user for a certain command and can then shell into a remote machine using the root ssl cert? Or can sudo make www into a user that can shell into a remote machine? I am still becoming familiar with sudo.
>
> Thanks,
> Jonathan
>
> Greg Donald [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>
> > On Wed, 1 Dec 2004 17:57:28 -0700, news.php.net [EMAIL PROTECTED] wrote:
> >
> > > Anyone else doing or done something like this?
> >
> > I use sudo when my web server needs temporary elevated permissions.
Re: [PHP] Page that checks if a user exists on a remote system
Looks like I was missing a comma after the ssh command and before the id command.

Jonathan

Jonathan Duncan [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> I have put this in my sudoers file using visudo to edit it:
>
> www ALL = NOPASSWD: /usr/local/bin/sudo puser, (puser) NOPASSWD: /usr/bin/ssh /usr/bin/id
>
> However the www user is still being asked for a password. Is this too off topic for this list?
>
> Jonathan
>
> Jonathan Duncan [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>
> > Perhaps this gets more into server administration, but it is mixed so much into the php script, which is why I am asking it here.
> >
> > Yes, sudo was one of my first thoughts. As far as the implementation goes though. How do you work the remote access bit? Using ssh do you use the ssl cert switch so that the www user can shell into a remote machine? Or does the sudo process actually make www the root user for a certain command and can then shell into a remote machine using the root ssl cert? Or can sudo make www into a user that can shell into a remote machine? I am still becoming familiar with sudo.
> >
> > Thanks,
> > Jonathan
> >
> > Greg Donald [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> >
> > > On Wed, 1 Dec 2004 17:57:28 -0700, news.php.net [EMAIL PROTECTED] wrote:
> > >
> > > > Anyone else doing or done something like this?
> > >
> > > I use sudo when my web server needs temporary elevated permissions.