Re: help with web security

To: Shao Zhang <shao@cia.com.au>
Cc: Debian Mailing List <debian-user@lists.debian.org>
Subject: Re: help with web security
From: Alvin Oga <aoga@Mail.Linux-Consulting.com>
Date: Wed, 7 Jun 2000 14:12:35 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.3.96.1000607140716.26537A-100000@Maggie.Linux-Consulting.com>
In-reply-to: <[🔎] 20000607193453.A23986@localhost>

hi shao

from the autoated cgi scripts...
you can easily add new users to .htpasswd files to
allow them to access web stuff...

allowing users to add themself to your "main system"
and update dns, qmail and other stuff is giving the
hacker (indirectly) complete control of your machine...

- dont do it.....spend the time to find another way
  to admin your box....should be no more than 1-2hr per week
  for a typical server ... after it is built properly...
  
c ya
alvin

On Wed, 7 Jun 2000, Shao Zhang wrote:

> Hi,
> 	I am setting up an automated registration system where the cgi
> 	scripts need to do the following:
> 
> 	1. add a new user to the system and write to passwd files
> 	2. update dns, restart named
> 	3. update httpd.conf, restart httpd
> 	4. update qmail conf, restart qmail-{..}
> 	5. many more...
> 
> 	Now, to do all of this, surely I need root access. However,
> 	there is no way I can configure apache to run as root, and
> 	suEXEC won't help me much because it affectively runs that
> 	virtual webserver as root.
> 
> 	So how do I achieve this while still enforce good security?
> 
> 	One idea that I have is, let apache(cgi scripts) to write to a
> 	file with all the necessary information, and then have crontab
> 	to run the program as root to read this info and do all the update...
> 
> 	Thanks for any help in advance.
>

Reply to:

References:
- help with web security
  - From: Shao Zhang <shao@cia.com.au>

Prev by Date: Re: Booting from floppy
Next by Date: NFS & Potato -- client crashes server.
Previous by thread: help with web security
Next by thread: rsync & root-rsh
Index(es):
- Date
- Thread