On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,
>
> I am creating a small PHP program that will interact with MySQL and
> will have the policies for the people in my office, i.e.:
> Who can or cannot access MSN Messenger
> Who can or cannot access WWW
>
> etc. Once this is stored, a shell script with the iptables rules
> should be created, and then run.
>
> I do not want to run it with Apache, so I was thinking of creating a
> CRON job that will run it as root once every n minutes, but the issue
> I see here is that if somebody "breaks" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
>
> Any better ideas about how I can achieve my goal?

I don't see how you could possibly create a publicly available interface to change something as fundamental as your firewall and have it _not_ be a security risk.

Maybe you could create a user that only has permissions to run one script, and that one script is only allowed to change your firewall rules in specific ways, but even so I think you're asking for trouble.

And take all that with appropriate salt, as I am no security expert; it just seems kind of obvious to me...

A
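An added example, not code from either poster, of the "one script that can only change the firewall in specific ways" idea from the reply. The design it assumes (an assumption, not something described in the thread): the PHP side is only ever allowed to write a plain-text policy file, never a script; the root cron job reads that file, validates every field against a closed whitelist, and generates iptables commands from fixed templates. A malformed line rejects the whole policy, so a compromised web tier can at most flip allow/deny for the hosts and services the operator already defined. The service names, ports, chain name and sample policy lines are all constructed for the example.

```python
"""Policy-to-iptables generator: the root-side half of a split design.

Assumed design (example only): the web application writes a text file of
'ip service action' lines. Root reads it, validates it, and emits iptables
commands built solely from templates below. Nothing from the file is ever
executed or passed to a shell.
"""
import ipaddress
import re
import shlex
import subprocess
import sys

# Closed whitelist of services the policy may name (assumed names and ports).
SERVICES = {
    "www": [("tcp", 80), ("tcp", 443)],
    "msn": [("tcp", 1863)],  # MSN Messenger notification port
}
ACTIONS = {"allow": "ACCEPT", "deny": "REJECT"}

# One host, one service, one action, nothing else on the line.
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)$")


class PolicyError(ValueError):
    """Raised for any line the generator is not willing to interpret."""


def parse_policy(text):
    """Parse policy lines; reject the whole file on the first bad line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise PolicyError("line %d: malformed" % lineno)
        host, service, action = m.groups()
        try:
            ip = ipaddress.ip_address(host)   # only a literal address passes
        except ValueError:
            raise PolicyError("line %d: bad address %r" % (lineno, host))
        if service not in SERVICES:
            raise PolicyError("line %d: unknown service %r" % (lineno, service))
        if action not in ACTIONS:
            raise PolicyError("line %d: unknown action %r" % (lineno, action))
        rules.append((str(ip), service, action))
    return rules


def render_rules(rules, chain="OFFICE_POLICY"):
    """Build iptables commands for a dedicated chain, from templates only.

    The chain is created (harmless if it already exists) and flushed, then
    one rule per (host, port) pair is appended. Hosts not listed fall
    through via RETURN to whatever the operator's base policy does.
    """
    cmds = ["iptables -N %s" % chain, "iptables -F %s" % chain]
    for ip, service, action in rules:
        for proto, port in SERVICES[service]:
            cmds.append("iptables -A %s -s %s -p %s --dport %d -j %s"
                        % (chain, ip, proto, port, ACTIONS[action]))
    cmds.append("iptables -A %s -j RETURN" % chain)
    return cmds


def apply_rules(cmds):
    """Run each generated command directly, with no shell involved."""
    for cmd in cmds:
        subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    # Usage (as the root cron job): policy_to_iptables.py /var/lib/policy/rules.txt
    with open(sys.argv[1]) as fh:
        apply_rules(render_rules(parse_policy(fh.read())))
```

The only thing the web tier can influence is the content of that file, and every field of it is checked against a fixed set before it is used; an attacker who owns the web server still cannot make root run anything but these templated iptables invocations. The remaining risk, as the reply notes, is that they can still toggle allow/deny for the listed hosts, which is exactly the power the interface was meant to hand out. The hook into FORWARD (a single `iptables -A FORWARD -j OFFICE_POLICY`) is assumed to be set up once by the operator, not by this script.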