[SOLVED] CGI scripts that require elevated privilege

RicCrouch · 03-03-2016, 09:22 AM

Hi,
First, the situation.... user has two servers: one live, one development. User wants the capability to swap between the two using a button/link on a web page. This would result in a change to a config file which the web user obviously wouldn't ordinarily have access to.

I figure I can use a link to trigger a CGI script which changes the config file, but how do I allow the script to have the access to the config file without hardcoding the password into it?

Sorry this isn't terribly detailed--I can fill in the gaps as need be, but I didn't want to get too "in the weeds" right off the bat if it's not needed.

Thanks,
Ric

TenTenths · 03-03-2016, 09:31 AM

You could add the webserver user to sudoers for a specific task and then have your CGI script call "sudo /whatever/the/script/is"

RicCrouch · 03-03-2016, 09:35 AM

But how does the webserver enter the sudo password? By that I mean if I am sitting at a terminal and use "sudo <command>", I am checked against the sudoers file then prompted for my password.

(I am brand new to CGI,so I'm not used to having communicate back to an HTML page!

)

Thanks!

TenTenths · 03-03-2016, 09:38 AM

sudoers can be set up to execute without a password. Just make sure you restrict it to only run the one script elevated.

TB0ne · 03-05-2016, 09:19 AM

Quote:

Originally Posted by RicCrouch

But how does the webserver enter the sudo password? By that I mean if I am sitting at a terminal and use "sudo <command>", I am checked against the sudoers file then prompted for my password.

(I am brand new to CGI,so I'm not used to having communicate back to an HTML page!

)

As TenTenths noted, you can set that user up to not need a sudo password. But, what kind of security will you have on that web page, to make sure some random person doesn't click that button?

You could put some rudimentary security in place with a .htaccess file, so unless you were set up beforehand, you couldn't load the page. If it's database driven, a simple web form to prompt for user/password that's already in the database would suffice. And neither may be needed in your situation...just an observation.

pan64 · 03-05-2016, 09:26 AM

I would rather use different files to read those setups and user only allowed to change which one to use.

rknichols · 03-05-2016, 10:01 AM

Quote:

Originally Posted by TB0ne

As TenTenths noted, you can set that user up to not need a sudo password. But, what kind of security will you have on that web page, to make sure some random person doesn't click that button?

You can also set it up so that the "NOPASSWD" applies just to one, specific command, including a specific set of arguments. For example, one line of my sudoers file is

Code:

rnichols omega-3g,localhost = NOPASSWD: /sbin/iptables -t mangle -vnxL

which allows my otherwise unprivileged cron job to examine the packet and byte counts in some iptables rules without needing a password. But, that's all it can do. Anything else would require a password.

TB0ne · 03-05-2016, 10:57 AM

Quote:

Originally Posted by rknichols

You can also set it up so that the "NOPASSWD" applies just to one, specific command, including a specific set of arguments. For example, one line of my sudoers file is

Code:

rnichols omega-3g,localhost = NOPASSWD: /sbin/iptables -t mangle -vnxL

which allows my otherwise unprivileged cron job to examine the packet and byte counts in some iptables rules without needing a password. But, that's all it can do. Anything else would require a password.

Very true, and well noted. I was thinking more towards web-page security...even with a single-command sudoer's file, I personally wouldn't want some random person just clicking a button to modify system configs.

RicCrouch · 03-06-2016, 08:43 PM

Unsurprisingly, faced with the issues, the user decided it was just too complex.

Thanks, all!
Ric