I'm sorry if this actually belongs in the server forum, I wasn't sure if this counted as a server problem or a permissions problem or what, so I put it here.
I'm trying to make a Perl script that will add users so they can log in to my computer through an FTP server. The problem is that apache can't seem to use sudo. For example, if I have:
Code:
$output = `/bin/env`;
print "output: $output";
It prints out the environment variables. However, if I put:
it doesn't, $output has nothing in it. The same thing applies for a number of other examples. I have the line "apache ALL=(ALL) NOPASSWD:ALL" in my sudoers, so there shouldn't be any problem there. Has anyone run into this problem before?
Not sure I want to open this can of worms, but here I go anyway...
Don't make your apache user a sudoer. That's defeating the entire purpose of running httpd as an unprivileged user. By doing this, if httpd were to become compromised, the bad guy now has root (via sudo) on the box.
If you're going to allow ftp transfers to your server, then how about just setting up one anonymous account and having everyone use that? (Remember: ftp is a clear text protocol, and requiring authentication credentials is arguably not increasing security.)
I'm only keeping that ALL part in there till I figure out what's wrong. I'm only gonna give apache sudo access to /usr/sbin/useradd after that. I figure that won't give anyone too much leverage over anything. Maybe I'm still wrong though.
What I'm trying to do is make a website similar to dropboks or putfile, except it's gonna be a private thing for me and my friends, so everyone will have more space to work with. I'm having them make an account on my computer which gives them a home folder they can put stuff in (I'll chroot them there too), and after that they can use an ftp client like filezilla or whatever to access their space from anywhere, even if the actual website is blocked (like at my school).
As an alternative, how about a pre-packaged solution? One thing that comes to mind is Dokuwiki, which I use at home and at work. If you allow it, users can create their own accounts, manage content, and upload files. It'd be way better to utilize an already vetted application that sees regular development than trying to kludge together something that will ultimately become a security nightmare.
Quote:
Originally Posted by JackChurchill
I'm only gonna give apache sudo access to /usr/sbin/useradd after that. I figure that won't give anyone too much leverage over anything. Maybe I'm still wrong though.
Code:
$ sudo /usr/sbin/useradd -o -u 0 rooted
Game over...
Point taken (even if apache can't seem to run sudo commands right now). I'd still like to know how I might go about doing this though, or how others have done this. I understand it's not very secure, but the only way for me to learn how to secure it (or even partially secure it) is to try. Plus lots and lots of reading, I suppose.
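As an added example (not part of the thread and not any poster's code): one way to narrow the sudo grant discussed above is to let apache run only a root-owned wrapper that accepts a single validated login name and chooses every useradd option itself, so options such as `-o -u 0` are never passed through. The wrapper path, the sudoers line and the nologin shell are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical wrapper installed as /usr/local/sbin/add-ftp-user
# (root-owned, not writable by apache). Assumed sudoers entry, replacing any
# direct grant on useradd:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/add-ftp-user
LC_ALL=C; export LC_ALL                      # make [a-z] mean ASCII only
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH

# Succeeds only for exactly one argument that is a plain login name:
# starts with a-z, then a-z 0-9 _ -, at most 32 characters.
valid_username() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Creates the account with options fixed here; the caller supplies a name only.
# Returns 2 for a rejected argument list, 3 if the account already exists.
add_ftp_user() {
    if ! valid_username "$@"; then
        echo "add-ftp-user: refused: expected one plain login name" >&2
        return 2
    fi
    if id -u "$1" >/dev/null 2>&1; then
        echo "add-ftp-user: refused: account already exists" >&2
        return 3
    fi
    # Shell path is an assumption; use what your distro and FTP daemon expect.
    /usr/sbin/useradd -m -s /sbin/nologin -- "$1"
}

# Run only when arguments were given, e.g. via: sudo add-ftp-user alice
[ "$#" -eq 0 ] || { add_ftp_user "$@"; exit "$?"; }
```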