LinuxQuestions.org
Old 07-06-2013, 04:46 PM   #1
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 264

Rep: Reputation: 33
Editing Files through a remote browser


Guys, I have beat my head (and Google's) against this problem for days and I'm getting nowhere, mostly because I'm no programmer!

I have built a server that does everything I want it to, but the users that access the applications on it may need to change some small aspects of the application configs. They are not the sort of people to trust with vi and su access, so I wanted to make it possible for them to use their browser to go to a page delivered by Apache web server, select a task from a list (like "modify configuration 'x'") then get an appropriately formatted snippet (just display the bit of the file relevant to their needs, not the whole 9 yards) of the config file displayed, in a text block. There, they can update the config, hit a "Submit" button, and have the job done.

One of the big difficulties is in managing permissions. I'm not sure how to get a PHP script running out of the /var/www directory, with (presumably) the Apache user's permissions to be able to edit files that live over in /etc/application-directory with who-knows-what permissions (I probably need "su" but that seems risky!).

I know this can be done; what I'm trying to achieve is nothing more than a cut-down version of Webmin, really; I'm just too stupid to create it for myself. If any of you have suggestions, code snippets, ideas for ready-made software that will do the job, I'd be grateful for anything!

Cheers
 
Old 07-07-2013, 10:01 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,635

Rep: Reputation: 7965
Quote:
Originally Posted by jimbo1954 View Post
Guys, I have beat my head (and Google's) against this problem for days and I'm getting nowhere, mostly because I'm no programmer!

I have built a server that does everything I want it to, but the users that access the applications on it may need to change some small aspects of the application configs. They are not the sort of people to trust with vi and su access, so I wanted to make it possible for them to use their browser to go to a page delivered by Apache web server, select a task from a list (like "modify configuration 'x'") then get an appropriately formatted snippet (just display the bit of the file relevant to their needs, not the whole 9 yards) of the config file displayed, in a text block. There, they can update the config, hit a "Submit" button, and have the job done.

One of the big difficulties is in managing permissions. I'm not sure how to get a PHP script running out of the /var/www directory, with (presumably) the Apache user's permissions to be able to edit files that live over in /etc/application-directory with who-knows-what permissions (I probably need "su" but that seems risky!).
Yes, it is risky and difficult to do, and you'll probably have to do some risky things to get permissions/move files after editing via PHP, no matter what. In this case, it's a necessary evil.
Quote:
I know this can be done; what I'm trying to achieve is nothing more than a cut-down version of Webmin, really; I'm just too stupid to create it for myself. If any of you have suggestions, code snippets, ideas for ready-made software that will do the job, I'd be grateful for anything!
I know you've stated a goal, but parts of it aren't clear. Like how many users? Would any of them need concurrent access to the file(s) in question? What would happen if two edited it at the same time? Things like that are a consideration.

To make it more simple, you COULD just create an FTP user, with permissions to one directory. The file(s) in question go in there, so the users can use whatever FTP client they want, download the files to their own systems for editing, then upload them. A script running through CRON could then move files/change permissions on a regular basis, or you could use inotify to watch the files for changes, and act accordingly. That gets around a whole lot of work doing it via PHP w/multiple users.

That said, I have done this in the past. This solution reads only one file, but modifications are fairly easy.
PHP Code:
<?php
echo "<body>";
$filename = "/some/file/name"; // sets file to edit
$readfh = fopen($filename, "r"); // File handle for $filename
$contents = fread($readfh, filesize($filename)); // Reads file, through handle $readfh.
?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); // escaped: PHP_SELF is taken from the request URL ?>">
<textarea name="editcontents" style="overflow:auto;width:850px; height:500px;"><?php echo htmlspecialchars($contents); // escaped so file contents cannot close the textarea ?></textarea>
<br/><input type="submit" name="submit" value="Save Changes" />

<?php
// The submit button was pressed...
if (isset($_POST['submit'])) {
    $writefh = fopen($filename, "w"); // File handle for $filename
    // strips unneeded backslashes added by magic quotes
    // (the function no longer exists in PHP 8, hence the function_exists() guard)
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $newcontents = stripslashes($_POST['editcontents']);
    } else {
        $newcontents = $_POST['editcontents'];
    }
    fwrite($writefh, $newcontents); // Saves changes
    rewind($readfh); // resets cursor in file
    $contents = fread($readfh, filesize($filename)); // Updates $contents
    echo("The changes were saved.<br/>\n");
    fclose($writefh);
    // reload the page so the textarea shows the saved contents
    echo "<meta HTTP-EQUIV=\"refresh\" content=\"0; url=configeditor.php\">";
}
?>
<?php fclose($readfh); ?>
</form></body>
Reading files and updating them isn't difficult...the PHP manuals have plenty of documentation on it.
 
1 members found this post helpful.
Old 07-07-2013, 10:38 AM   #3
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 874
You could do the Linux version of an NT service. It doesn't have to be a full-blown daemon or anything. Just a cron job that runs once a minute, that checks if the write time of the file that represents their "chunk" has changed. And if it has, then build the new config with those changes. The cron job has the perms that the users can't have, but uses the users' input to do its thing. At least that's what it sounds like you're kind of wanting. I did something similar with an NT service once. It would grab files from an FTP server as soon as they appeared. I changed it to wait for the last write time of the file to be older than a minute, so it would stop grabbing it before it finished uploading.
 
Old 07-07-2013, 12:57 PM   #4
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 264

Original Poster
Rep: Reputation: 33
single user only

Sorry guys, I should have been more specific, but my mind was a mush after an evening of reading manuals and hitting walls (mostly of my own making!).

The files on the server will be edited by one user only, so a full lock can be applied during all read/write activities.

Thanks for the comments so far, I shall start by trying them...watch this space
 
Old 07-07-2013, 01:45 PM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,635

Rep: Reputation: 7965
Quote:
Originally Posted by jimbo1954 View Post
Sorry guys, I should have been more specific, but my mind was a mush after an evening of reading manuals and hitting walls (mostly of my own making!).

The files on the server will be edited by one user only, so a full lock can be applied during all read/write activities.

Thanks for the comments so far, I shall start by trying them...watch this space
No worries...the code provided above should let you edit a file. Change the file name as needed, or incorporate a pull-down list somewhere to pass it along. Don't know what these config files are, but you might be able to change the group ownership on those files to be the same group as your web-server user, then give it write permissions. That's risky, though.

Honestly, if it's just ONE person, I think you're over-thinking the issue. Give them access to the system, and tell them to use vi. If you have backups of those files, you should be covered. You could even chroot them in ssh to only let them see their own home-directory, and create symlinks to those files there. If they can't be trusted, you have their shell-history to take to the boss, and make it VERY clear that you will lay problems back at their feet. This is more of an administrative issue than a technical one, in my opinion.
 
Old 07-07-2013, 04:12 PM   #6
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 264

Original Poster
Rep: Reputation: 33
Hi TB0ne and others,

OK, so I ran the code snippet kindly provided by TB0ne against /etc/network/interfaces (one of the configs I want users to be able to update is the IP address) and while it displays the target file fine in the text box, when I add text to the text box and hit "save changes" the new text is lost and I get the following in /var/log/apache2/error.log:

[Sun Jul 07 20:58:18 2013] [error] [client 127.0.0.1] PHP Warning: fopen(/etc/network/interfaces): failed to open stream: Permission denied in /var/www/configeditor.php on line 15, referer: http://127.0.0.1/configeditor.php
[Sun Jul 07 20:58:18 2013] [error] [client 127.0.0.1] PHP Warning: fwrite() expects parameter 1 to be resource, boolean given in /var/www/configeditor.php on line 24, referer: http://127.0.0.1/configeditor.php
[Sun Jul 07 20:58:18 2013] [error] [client 127.0.0.1] PHP Warning: fclose() expects parameter 1 to be resource, boolean given in /var/www/configeditor.php on line 28, referer: http://127.0.0.1/configeditor.php
root@testbed:/var/www#


Now before I say anything more, let me assure you that the work is being done on a laptop that is outside my main network, has no user data on it, and is simply for testing, so if I get hacked it doesn't matter, but doing the work from root, with little or no security makes for quicker and simpler work. (And yes, I'm a cowboy...Yee Ha! Boots and Spurs!)

The first line is clearly a permissions error, but what do the other two lines mean? Are they just additional symptoms of the munged fopen, and will clear when the permissions are fixed?

During attempts to debug, I noted that the first of the group of errors (where it complains about permissions) occurred after I had ensured that the file I was trying to update was:

root@testbed:/var/www# ls -al /etc/network/interfaces
-rw-rw-r-- 1 root root 277 Jul 5 21:04 /etc/network/interfaces

and configeditor.php was:

root@testbed:/var/www# ls -al configeditor.php
-rw-r--r-- 1 root root 1475 Jul 7 20:51 configeditor.php

I had assumed, apparently wrongly, that if they were both root/root and the target file had read/write permissions on the same group as the PHP script, that it would work. However, the fact that it doesn't then led me to believe that the "www-data" user was the critical thing: that the target file needed to have R/W access by the www-data user, who I assume would be executing the PHP, so I changed the configeditor.php file to group www-data to see what that did:

root@testbed:/var/www# ls -al configeditor.php
-rw-r--r-- 1 root www-data 1475 Jul 7 20:51 configeditor.php

but got the same set of errors in the log....


Sorry to be such a klutz! I'm a network architect; I'm afraid programming just ain't my strong point....I'm SOOOO nearly there with your code snippet, can you take me just a bit farther?
 
Old 07-08-2013, 09:27 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,635

Rep: Reputation: 7965
Quote:
Originally Posted by jimbo1954 View Post
Hi TB0ne and others,
OK, so I ran the code snippet kindly provided by TB0ne against /etc/network/interfaces (one of the configs I want users to be able to update is the IP address) and while it displays the target file fine in the text box, when I add text to the text box and hit "save changes" the new text is lost and I get the following in /var/log/apache2/error.log:

[Sun Jul 07 20:58:18 2013] [error] [client 127.0.0.1] PHP Warning: fopen(/etc/network/interfaces): failed to open stream: Permission denied in /var/www/configeditor.php on line 15, referer: http://127.0.0.1/configeditor.php
[Sun Jul 07 20:58:18 2013] [error] [client 127.0.0.1] PHP Warning: fwrite() expects parameter 1 to be resource, boolean given in /var/www/configeditor.php on line 24, referer: http://127.0.0.1/configeditor.php
[Sun Jul 07 20:58:18 2013] [error] [client 127.0.0.1] PHP Warning: fclose() expects parameter 1 to be resource, boolean given in /var/www/configeditor.php on line 28, referer: http://127.0.0.1/configeditor.php
root@testbed:/var/www#

Now before I say anything more, let me assure you that the work is being done on a laptop that is outside my main network, has no user data on it, and is simply for testing, so if I get hacked it doesn't matter, but doing the work from root, with little or no security makes for quicker and simpler work. (And yes, I'm a cowboy...Yee Ha! Boots and Spurs!)

The first line is clearly a permissions error, but what do the other two lines mean? Are they just additional symptoms of the munged fopen, and will clear when the permissions are fixed?

During attempts to debug, I noted that the first of the group of errors (where it complains about permissions) occurred after I had ensured that the file I was trying to update was:

root@testbed:/var/www# ls -al /etc/network/interfaces
-rw-rw-r-- 1 root root 277 Jul 5 21:04 /etc/network/interfaces

and configeditor.php was:

root@testbed:/var/www# ls -al configeditor.php
-rw-r--r-- 1 root root 1475 Jul 7 20:51 configeditor.php

I had assumed, apparently wrongly, that if they were both root/root and the target file had read/write permissions on the same group as the PHP script, that it would work. However, the fact that it doesn't then led me to believe that the "www-data" user was the critical thing: that the target file needed to have R/W access by the www-data user, who I assume would be executing the PHP, so I changed the configeditor.php file to group www-data to see what that did:

root@testbed:/var/www# ls -al configeditor.php
-rw-r--r-- 1 root www-data 1475 Jul 7 20:51 configeditor.php

but got the same set of errors in the log....

Sorry to be such a klutz! I'm a network architect; I'm afraid programming just ain't my strong point....I'm SOOOO nearly there with your code snippet, can you take me just a bit farther?
The file you're trying to EDIT has to be read/writeable by the user who is running the PHP program. Since the /etc/network/interfaces is owned by root, group root, it's not. So, you either have to change the group ownership of the file to be root:www-data, or change permissions to be 666 (-rw-rw-rw). BOTH are dangerous, and may cause other system problems, since you're changing ownership of a system file.

The last two errors are because the program is trying to write to a file it doesn't have permissions to. So, the $writefh isn't valid, and things are dying. Fix the permissions, and it may go away.

I will say again, though, that I think you're going about this the wrong way. If you're wanting someone to be able to edit system control files, either you trust them or not. If you don't, they shouldn't have ANY rights on the system. If they NEED to perform some tasks, then your management needs to step in and make sure they know what will happen if things go sideways. That's the simplest and best way to deal with this.
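The cron-job approach Shadow_7 describes in post #3, applied to the /etc/network/interfaces case discussed above, as an added example that is not part of the original thread: the web page (running as www-data) only writes a small request file into a spool directory, and a root cron job validates it and rewrites the config, so the system file never has to be group- or world-writable. The spool path, the key=value request format, the eth0 interface name and all function names are assumptions made for this illustration.

```python
import ipaddress
import os
import stat
import tempfile
import time

# Assumption: the PHP page (www-data) writes only the request file; this
# script runs from root's crontab and is the only writer of the real config.
ALLOWED_KEYS = {"address", "netmask", "gateway"}  # fields the web form may set
SETTLE_SECONDS = 60   # skip requests written under a minute ago (may be mid-write)
MAX_REQUEST_BYTES = 1024

# Constructed sample of what the web form would write.
SAMPLE_REQUEST = "address=192.168.1.10\nnetmask=255.255.255.0\ngateway=192.168.1.1\n"


def parse_request(text):
    """Accept only 'key=value' lines with allowlisted keys and IPv4 values."""
    fields = {}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or key not in ALLOWED_KEYS or key in fields:
            raise ValueError("unexpected line: %r" % line)
        # IPv4Address accepts nothing but a dotted quad, so option names or
        # any other free text can never reach the config file.
        fields[key] = str(ipaddress.IPv4Address(value))
    if set(fields) != ALLOWED_KEYS:
        raise ValueError("request must set exactly %s" % sorted(ALLOWED_KEYS))
    net = ipaddress.IPv4Network(f"{fields['address']}/{fields['netmask']}", strict=False)
    if ipaddress.IPv4Address(fields["gateway"]) not in net:
        raise ValueError("gateway is outside the configured network")
    return fields


def render_stanza(fields, iface="eth0"):
    """Build the file from a fixed template; input only fills validated slots."""
    return (
        "auto lo\niface lo inet loopback\n\n"
        "auto {i}\niface {i} inet static\n"
        "    address {address}\n    netmask {netmask}\n    gateway {gateway}\n"
    ).format(i=iface, **fields)


def apply_request(req_path, target_path, now=None, settle=SETTLE_SECONDS):
    """Run as root from cron. Returns True only if target_path was rewritten."""
    now = time.time() if now is None else now
    try:
        # The spool is writable by the web user: never follow a symlink or block on a FIFO.
        fd = os.open(req_path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return False  # no request pending, or not a plain file
    with os.fdopen(fd, "r", errors="replace") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_REQUEST_BYTES:
            return False
        if now - st.st_mtime < settle:
            return False  # still settling; retry on the next cron run
        text = fh.read(MAX_REQUEST_BYTES)
    try:
        fields = parse_request(text)
    except ValueError:
        os.replace(req_path, req_path + ".rejected")  # keep for the admin, never apply
        return False
    # Write a temp file in the target's directory, then rename over the target,
    # so a reader never sees a half-written config.
    tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(target_path) or ".")
    with os.fdopen(tmp_fd, "w") as out:
        out.write(render_stanza(fields))
    os.chmod(tmp_path, 0o644)  # world-readable, writable only by the owner (root)
    os.replace(tmp_path, target_path)
    os.unlink(req_path)
    return True


if __name__ == "__main__":  # root crontab entry point; the spool path is hypothetical
    apply_request("/var/spool/configeditor/interfaces.req", "/etc/network/interfaces")
```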
 
Old 07-08-2013, 12:57 PM   #8
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 264

Original Poster
Rep: Reputation: 33
Cards on the table...

OK TB0ne, you have spent time on this and I greatly appreciate that; now I need to give you ALL the information...

I am trying to create a networking appliance. I have the core system working perfectly, shipping the "right" data to the "right" places and blocking the "wrong" data. However, to get there, I used vi and not much else, hacking the config files as I needed.

Now having got the core functionality right, I need to make a command and control system, to allow the appliance owner to configure it for themselves, and to read logs. The system will be used once (or not many times, anyway) to configure from build-config to run-config, and occasionally to read logs and tweak configs. This is where the previous reference to a "cut-down webmin" came from.

I can prevent access to the appliance from unauthorized users, maybe attempting to come in over unauthorized ports by the use of log-ons and ACLs respectively. I want to use a browser to deliver a GUI front-end because everyone has one, everyone is familiar with one, and I can add context-sensitive help (and maybe if I'm clever, some error checking).

Now you see what I'm doing, is PHP the way to go? Is there a better way...?
 
Old 07-08-2013, 03:28 PM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,635

Rep: Reputation: 7965
Quote:
Originally Posted by jimbo1954 View Post
OK TB0ne, you have spent time on this and I greatly appreciate that; now I need to give you ALL the information...
I am trying to create a networking appliance. I have the core system working perfectly, shipping the "right" data to the "right" places and blocking the "wrong" data. However, to get there, I used vi and not much else, hacking the config files as I needed.

Now having got the core functionality right, I need to make a command and control system, to allow the appliance owner to configure it for themselves, and to read logs. The system will be used once (or not many times, anyway) to configure from build-config to run-config, and occasionally to read logs and tweak configs. This is where the previous reference to a "cut-down webmin" came from.

I can prevent access to the appliance from unauthorized users, maybe attempting to come in over unauthorized ports by the use of log-ons and ACLs respectively. I want to use a browser to deliver a GUI front-end because everyone has one, everyone is familiar with one, and I can add context-sensitive help (and maybe if I'm clever, some error checking).

Now you see what I'm doing, is PHP the way to go? Is there a better way...?
Well, I MUCH prefer PHP over other web-based languages, but asking about "better" is always going to be subjective.

That said, since you have a clear goal in mind, you could just make that config file permissions to be 666, which would let ANY user on the box access it. As I said, it *MIGHT* cause problems...but it might not. It's easy to test, and if things go sideways, just boot into single-user mode and change it back. That would solve your permissions problems, and since there probably won't be any 'real' users on the box, it may not be too much of an issue.

I will say that I've worked with numerous auditing groups before, and in large companies. The web browser is often frowned upon in 'serious' environments, since it (ostensibly), could be hacked easier than other services (like SSH). And speaking as a systems administrator, I cannot STAND appliances that only give me a web interface. If all I have is a terminal, or if I'm somewhere with only my phone, I can do things via SSH. That can't always be said for web-interfaces. Factor in to that that in order for a web interface to work, you'll have to have the web service running, PHP modules installed, etc....and you'll have to keep them up to date, too, since you will not be immune to web vulnerabilities. My $0.02 is that you have it there as an option.

Another point for SSH is that you can tunnel other protocols through it, such as SNMP. If you've got an enterprise monitoring system, you can just plug that appliance into it. As an administrator, would you want to have several DIFFERENT monitoring programs running, or just one? And if you're going to sell this, then the onus of security and good practices is on the customer.

I've done things like this in the past...PM me if you want to chat more.
 
Old 07-09-2013, 03:13 AM   #10
ajohn
Member
 
Registered: Jun 2011
Location: UK
Distribution: OpenSuse Leap
Posts: 122

Rep: Reputation: Disabled
If it's a server and you are file serving locally you can mount the directories to a user's local folder and they could use whatever editor they like to change and save them.

This is more or less how a nas can be used. I do this with mine using mount.cifs but mount.nfs should be able to do the same thing. CIFS can be used if the server is running Samba.

The command is

Code:
/sbin/mount.cifs //192.168.10.153/Volume_1 /home/john/Desktop/NAS -o user=john,rw
I run this in a console and it requests a password for user john as set up on the server.

mount.nfs will be similar. To use mount.cifs like this on opensuse 11.4 I had to edit the mount.cifs source and recompile. The places that need changing were clearly indicated in the source.

Also possible to add a line to fstab that makes the connection on boot but it needs a credential file with the password in it. Man gives the syntax etc but mounting when needed is more secure.

John