
Re: How to generate script with Apache and run it by root avoiding to "kill" security



On 7/26/07, Michael Pobega <pobega@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> > Hi List,
> >
> > I am creating a PHP small program that will interact with MySQL and
> > will have the policies for the people in my office, i.e.:
> > Who can or can not access MSN messenger
> > Who can or can not access WWW
> >
> > etc. once this is stored, a shell script with the iptables rules
> > should be created, and then run.
> >
> > I do not want to run it with Apache, so I was thinking of creating a
> > CRON job that will run it as root once every n minutes, but the issue
> > I see here is that if somebody "breaks" my Apache security he will be
> > able to create any script he likes and my CRON will run it, killing my
> > server security.
> >
> > Any better ideas about how I can achieve my goal?
> >
> > thanks in advance.
> >
> > best regards.
> >
>
> Make a user specifically for this job that can access /sbin/iptables
> through sudo, and make the script do just that, access iptables using
> sudo and this new account.
>
> Then make sure the bash script is owned by the new account, and root's
> group, and chmod the script to r-xrwxr-- by doing:
>
> chmod u+rx g+rwx o+r u-w o-wx /path/to/script
>
> This *should* achieve what you are trying to do... It's a bit messy but
> in the end it will pay off; the only way I can see this being abusable
> is if someone gets access to your root account.

Thank you all for your help, I will take that into account; personally
I like Michael's approach, thanks.

Answering Andrew: what I need is that only one person (the
administrator of this network, not a Linux guy) has access to this
webpage using .htaccess or some other Apache security, but I want to
add more security to this, and that is why I have posted here. Thanks,
you all gave a good point to start from.

best regards.

-- 
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using FC6, CentOS4.4 and Ubuntu 6.06)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org
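The concern in this thread is that the cron job blindly runs whatever script the PHP side has written, so a compromised Apache account becomes root. One defensive addition is a pre-flight check that the cron job runs before executing the generated file, refusing it unless it is owned by the dedicated unprivileged account, is not writable by group or others, and contains nothing but plain iptables invocations. The script below is an added example written for this page, not code from the thread or from any of the posters; the /sbin/iptables path follows Michael's reply, while the account name, file names and sample rules are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight validation of a generated
# iptables script before cron hands it to the privileged account.
# All paths, file names and rules below are constructed for illustration.

IPTABLES_BIN="/sbin/iptables"   # assumed path, as in the reply above

refuse() { echo "refused: $*" >&2; return 1; }

# check_script FILE OWNER  ->  exit status 0 only if FILE passes every check
check_script() {
    f="$1"; owner="$2"
    [ -f "$f" ] || { refuse "$f is not a regular file"; return 1; }

    # (a) ownership: 'find -user' is POSIX, so this stays portable across shells
    [ -n "$(find "$f" -user "$owner" -print 2>/dev/null)" ] \
        || { refuse "$f is not owned by $owner"; return 1; }

    # (b) no group/other write bit: a writable file is as good as attacker-controlled
    [ -z "$(find "$f" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ] \
        || { refuse "$f is group- or world-writable"; return 1; }

    # (c) every non-blank, non-comment line must be one iptables call, with no
    #     shell metacharacters that could chain a second command onto it
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            *[';|&$()<>`']*) refuse "line $n: shell metacharacter"; return 1 ;;
        esac
        case "$line" in
            "$IPTABLES_BIN "*|"iptables "*) ;;
            *) refuse "line $n: not an iptables command"; return 1 ;;
        esac
    done < "$f"
    return 0
}

# Demo with constructed fixtures in a scratch directory (owner = current user).
demo() {
    d=$(mktemp -d) || return 1
    me=$(id -un)
    # constructed rule: block one workstation from the MSN Messenger port
    printf '%s\n' '#!/bin/sh' \
        "$IPTABLES_BIN -A FORWARD -s 192.168.1.20 -p tcp --dport 1863 -j DROP" \
        > "$d/good.sh"
    # constructed tampered file: a chained command hiding behind iptables
    printf '%s\n' "$IPTABLES_BIN -L; rm -rf /" > "$d/bad.sh"
    chmod 640 "$d/good.sh" "$d/bad.sh"
    check_script "$d/good.sh" "$me" && echo "good.sh: accepted"
    check_script "$d/bad.sh"  "$me" || echo "bad.sh: rejected as expected"
    rm -rf "$d"
}
demo
```

In the cron job, call check_script on the generated file with the dedicated account's name and only invoke the script when it returns 0; anything refused is worth logging, since a rejected file is a sign that the web side has been tampered with.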
