Re: How to generate script with Apache and run it by root avoiding to "kill" security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,
>
> I am creating a PHP small program that will interact with MySQL and
> will have the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
>
> etc. once this is stored, a shell script with the iptables rules
> should be created, and then run.
>
> I do not want to run it with Apache, so I was thinking on creating a
> CRON job that will run it as root once every n minutes, but the issue
> i see here, is that if somebody "break" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
>
> any better ideas about how can I achieve my goal?
>
> thanks in advance.
>
> best regards.
>
Make a user specifically for this job that can access /sbin/iptables
through sudo, and make the script do just that, access iptables using
sudo and this new account.
Then make sure the bash script is owned by the new accounts, and root's
group, and chmod the script to r-xrwxr-- by doing:
chmod u+rx g+rwx o+r u-w o-wx /path/to/script
This *should* achieve what you are trying to do...It's a bit messy but
in the end it will pay off, the only way I can see this being abusable
is if someone gets access to your root account.
- --
http://digital-haze.net/~pobega/ - My Website
If programmers deserve to be rewarded for creating innovative
programs, by the same token they deserve to be punished if they
restrict the use of these programs.
- Richard Stallman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGqO0Jg6qL2BGnx4QRAmdmAJ4yfxhGZV6T59UtqmA2rusIu0Zh8QCgpqu/
F9khOM1a4jbHkIZXTCNxCvM=
=ZK00
-----END PGP SIGNATURE-----
Reply to: