[SOLVED] CGI scripts that require elevated privilege
Hi,
First, the situation.... user has two servers: one live, one development. User wants the capability to swap between the two using a button/link on a web page. This would result in a change to a config file which the web user obviously wouldn't ordinarily have access to.
I figure I can use a link to trigger a CGI script which changes the config file, but how do I allow the script to have the access to the config file without hardcoding the password into it?
Sorry this isn't terribly detailed--I can fill in the gaps as need be, but I didn't want to get too "in the weeds" right off the bat if it's not needed.
But how does the webserver enter the sudo password? By that I mean if I am sitting at a terminal and use "sudo <command>", I am checked against the sudoers file then prompted for my password.
(I am brand new to CGI, so I'm not used to having to communicate back to an HTML page!)
As TenTenths noted, you can set that user up to not need a sudo password. But, what kind of security will you have on that web page, to make sure some random person doesn't click that button?
You could put some rudimentary security in place with a .htaccess file, so unless you were set up beforehand, you couldn't load the page. If it's database driven, a simple web form to prompt for user/password that's already in the database would suffice. And neither may be needed in your situation...just an observation.
You can also set it up so that the "NOPASSWD" applies just to one, specific command, including a specific set of arguments. For example, one line of my sudoers file is
which allows my otherwise unprivileged cron job to examine the packet and byte counts in some iptables rules without needing a password. But, that's all it can do. Anything else would require a password.
Very true, and well noted. I was thinking more towards web-page security...even with a single-command sudoer's file, I personally wouldn't want some random person just clicking a button to modify system configs.
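The approach discussed in this thread, as an added example that is not from any of the posters: a root-owned helper that accepts only the two expected targets, with a sudoers entry (shown in the comments) that lets the web-server account run it without a password and with nothing but those exact arguments. The account name `www-data`, the path `/usr/local/sbin/swap-server`, the directory `/etc/myapp` and the file names are all assumptions, as is the choice to switch configs by repointing a symlink.

```shell
#!/bin/sh
# Hypothetical helper, installed as /usr/local/sbin/swap-server (root:root, mode 0755).
#
# Matching sudoers drop-in, created with: visudo -f /etc/sudoers.d/swap-server
# (www-data is an assumed web-server account name):
#
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/swap-server live, \
#                                 /usr/local/sbin/swap-server dev
#
# The CGI script calls it non-interactively, so it fails instead of prompting:
#
#   sudo -n /usr/local/sbin/swap-server live
#
# sudo rejects any other argument list; the helper re-checks anyway so that it
# stays safe if the sudoers rule is later loosened.

swap_server() {
    target=$1
    dir=${2:-/etc/myapp}    # assumed config directory; the 2nd arg is for testing

    # Allowlist: exact match only, so paths and shell metacharacters are refused.
    case $target in
        live|dev) ;;
        *) echo "swap-server: refusing unknown target" >&2; return 2 ;;
    esac

    src="$dir/server.$target.conf"
    [ -f "$src" ] || { echo "swap-server: missing $src" >&2; return 3; }

    # Build the new symlink under a temporary name, then rename it into place,
    # so readers never see a missing or half-written active.conf.
    ln -s "server.$target.conf" "$dir/.active.conf.$$" || return 4
    mv -f "$dir/.active.conf.$$" "$dir/active.conf"
}

# Run only when invoked with exactly one argument (as the sudoers rule requires).
if [ "$#" -eq 1 ]; then
    swap_server "$1"
fi
```

The page that triggers the CGI script still needs its own access control, as raised above; the sudoers rule limits what the button can do, not who can press it.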