LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Programming (https://www.linuxquestions.org/questions/programming-9/)
-   -   Scripts with root privileges launched from a web browser (https://www.linuxquestions.org/questions/programming-9/scripts-with-root-privileges-launched-from-a-web-browser-537630/)

unforkable 03-15-2007 02:53 AM
Scripts with root privileges launched from a web browser
 
Hello,
I am currently developping a web-based administration interface, using php.
My question is:
How can I launch scripts requiring root privileges from the web browser?

Example: an interface to launch snort with a button that will trigger: /etc/init.d/snort start


Thanks guys in advance.

win32sux 03-15-2007 04:29 AM
Moved: This thread is more suitable in Programming and has been moved accordingly to help your thread/question get the exposure it deserves.

unforkable 03-15-2007 04:56 AM
Thank you win32sux :)
I hesitated between putting it here or in the security section, because yes it is more a programming question. But somehow there's a security concern! let me explain:


First I used a technique of escalating privileges for running root commands: but having two compiled C programs launched by the web page: the first being owned by www-data, and the second by root with setuid bit.

Yes you guessed it : too complicated!
But it had the advantage of having multiple C programs running each a specific command (predefined), with a low possibility of seeing a random command run.


Now setuid scripts can't be run root.
So I'm trying su-php with minuid = 0! but it seems to me a big security concern!

Thanks for giving advises!

graemef 03-15-2007 05:14 AM
Would it help if you sudo the privilages to apache user? (or whoever the web server runs under?)

bigearsbilly 03-15-2007 08:15 AM
what about an application server?
I use a simple one I knocked up at work for simple intranet CGI stuff.
I was using so many network transactions I made a generic app to save rewriting networking code.

the CGI makes a client request, the server runs on another machine and deals with it.
so the server runs under whomever you want.

I have a bunch of scripts in a special location, which are run by the server when
requested. It's dead simple.
So you need a new command just add a new shell script wrapper and call it from the CGI script.

A bit like rsh but a bit safer as the scripts can only be in a certain location.

nx5000 03-15-2007 08:37 AM
A few things here:
https://www.linuxquestions.org/quest...d.php?t=452660

unforkable 03-15-2007 09:12 AM
Thank you guys very much!
I really appreciate! I'm gonna give it a shot, and think about each suggestion.
Thanks again :).


All times are GMT -5. The time now is 01:10 PM.