Hi lucmove,
Thanks for your suggestion. I had this sort of solution in my mind originally, but had to give it up for the same reason you have explained.
Though I have mentioned here only adding a new user, I had a whole lot of other stuff to perform in addition to creating the user (of course, all of it needed root access).
But eventually I found the following solution:
1. Developed a script (call it my_script) that does what I wanted.
2. Developed an additional script (call it handler_script) that looks similar to the one below:
Code:
#!/bin/bash
readonly PIPE="/tmp/comms_pipe"

# Create the pipe (named FIFO) if it does not exist yet
if [[ ! -p "$PIPE" ]]; then
    mkfifo "$PIPE"
    # Set the permissions for the pipe, so that
    # web users (the apache account) can write to it
    setfacl -m u:apache:rwx "$PIPE"
fi

# Block on the pipe; each read reopens it and returns one line
while true
do
    if read -r line <"$PIPE"; then
        if [[ "$line" == 'quit' ]]; then
            break
        fi
        # $line is deliberately unquoted: it is word-split into
        # the individual arguments passed on to my_script
        ./my_script $line
    fi
done
In the above, my_script does all I want according to the parameters passed to it. This way I can control who can communicate with my script and what the user wants my_script to do. Now, I start handler_script as root (you can choose your convenient method: start it as a service, run the process in the background, etc.); this will wait for inputs from the pipe.
To perform something from the web application, for example in PHP, I may call exec as:
Code:
exec("<path to handler_script> <arguments to my_script>",$output,$result);
This should perform the desired action.
All, please let me know if there is any security risk in this approach.
Thanks
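Since the post asks about the security risk of the approach: whoever can write to that pipe as apache (any PHP script, or any compromised web process) chooses the arguments that the root-run my_script receives, so the handler loop is the trust boundary and needs to validate each request before dispatching it. Below is an added example of such a handler (editor's code, not the original poster's); the request format "<action> <name>", the two allowed actions, and the pipe and script paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the original poster's code): a stricter handler loop for
# the FIFO pattern described in the post. The "<action> <name>" format, the
# two allowed actions and the paths are assumptions chosen for illustration.
PIPE="${PIPE:-/tmp/comms_pipe}"
MY_SCRIPT="${MY_SCRIPT:-./my_script}"

# validate_request LINE
# The web user controls every byte arriving on the pipe, so this check is the
# boundary between the web tier and the root-run my_script. On success it
# sets REQ_ACTION and REQ_ARG and returns 0; otherwise it returns 1.
validate_request() {
    REQ_ACTION='' REQ_ARG=''
    # Reject control characters (tabs, newlines, NUL-free binary junk) outright.
    case $1 in *[![:print:]]*) return 1 ;; esac
    set -f                       # no globbing while we word-split
    set -- $1                    # split exactly like the original "$line"
    set +f
    [ $# -eq 2 ] || return 1     # exactly one action and one argument
    case $1 in
        adduser | deluser) ;;    # allowlist of actions my_script understands
        *) return 1 ;;
    esac
    # Username: letter or underscore first, then [a-z0-9_-], at most 32 chars.
    # This also rules out option-looking values such as "--system" or "-r".
    case $2 in
        [a-z_]*) ;;
        *) return 1 ;;
    esac
    case $2 in *[!a-z0-9_-]*) return 1 ;; esac
    [ ${#2} -le 32 ] || return 1
    REQ_ACTION=$1 REQ_ARG=$2
    return 0
}

# handler_loop: same shape as the original, with every expansion quoted and
# only validated requests passed on. Rejected lines are logged, not executed.
handler_loop() {
    if [ ! -p "$PIPE" ]; then
        mkfifo -m 0600 "$PIPE"
        setfacl -m u:apache:w "$PIPE"   # write-only is all the web user needs
    fi
    while :; do
        if read -r line <"$PIPE"; then
            [ "$line" = quit ] && break
            if validate_request "$line"; then
                "$MY_SCRIPT" "$REQ_ACTION" "$REQ_ARG"
            else
                printf 'handler_script: rejected request: %s\n' "$line" >&2
            fi
        fi
    done
}
```

On the PHP side the request is then written to the FIFO (for example with file_put_contents on the pipe path) rather than exec'ing the handler, since the handler is already running as root and waiting on the pipe.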