Running commands through PHP/Perl scripts as a privileged user on Linux


Background: I am writing a script for a company that will allow users to create FTP accounts through a web interface. In the background, the script must run a bunch of commands:

  • Add the user to the system (useradd)
  • Open and edit various files
  • mail the user via sendmail

and a few other things...

I'm basically looking for the most secure way of doing this. I've heard of the setuid method, the sudo method, and of course, running httpd as a privileged user. There will be sanity checks on the data entered of course before any commands are executed (i.e. only alphanumeric characters in usernames).

What is the method used by the popular scripts out there (webmin for example), as it must be fairly secure?



1:

I would set up a queue that the web-bound script must write to. Then I'd have some privileged process read from this queue and take appropriate action. You could drive a command-line script via a cron job, or write a little daemon in PHP that checks the queue and does the job more frequently than cron allows.

That way, the only code that must run privileged is your little worker script, and you don't need to provide any path for the web-bound script to gain the necessary but dangerous privileges.
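The queue design above, as an added example (not code from the answer): the web tier only writes a request file into a spool directory, and a separate privileged worker, run from cron or a small loop, consumes it. The spool path, the file format and the `useradd` options are assumptions. The point worth seeing is that the worker re-validates everything itself, because the spool is writable by the unprivileged web user and is therefore untrusted input, and that the command is built as an argv list so no shell ever interprets the username.

```python
"""Queue-based privilege separation (assumed layout):
  web tier   : enqueue() appends one JSON request to SPOOL (writable by www-data)
  root worker: process_queue() runs from cron, validates, then calls useradd
"""
import json
import os
import re
import subprocess
import tempfile
import time
from pathlib import Path

# Alphanumeric only, as the question requires; also used as the file-name component.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9]{0,31}$")
USERADD = "/usr/sbin/useradd"          # assumed path


def enqueue(spool: Path, username: str, email: str) -> Path:
    """Web-tier side: write one request atomically (temp file + rename), so the
    worker never sees a half-written file."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    fd, tmp = tempfile.mkstemp(dir=str(spool), prefix=".tmp-")
    with os.fdopen(fd, "w") as fh:
        json.dump({"action": "add_ftp_user", "username": username,
                   "email": email, "ts": time.time()}, fh)
    final = spool / f"{int(time.time() * 1000)}-{username}.req"
    os.rename(tmp, final)
    return final


def build_useradd(req: dict) -> list:
    """Worker side: turn a request into an argv list.  Validation is repeated
    here on purpose: the queue is written by the web user and is untrusted."""
    if req.get("action") != "add_ftp_user":
        raise ValueError("unknown action")
    name = req.get("username", "")
    if not isinstance(name, str) or not USERNAME_RE.match(name):
        raise ValueError("invalid username in queue")
    # argv list, never a shell string: metacharacters in the name are impossible
    # after the regex, and even if they were present nothing would interpret them.
    return [USERADD, "--shell", "/usr/sbin/nologin", "--create-home", name]


def process_queue(spool: Path, runner=subprocess.run) -> list:
    """Privileged worker: handle each .req file in arrival order and delete it.
    `runner` is injectable so the logic can be exercised without a real useradd."""
    done = []
    for path in sorted(spool.glob("*.req")):
        try:
            req = json.loads(path.read_text())
            argv = build_useradd(req)
            runner(argv, check=True)
        except (ValueError, json.JSONDecodeError):
            # Keep rejected requests for audit instead of retrying them forever.
            path.rename(path.with_suffix(".rejected"))
            continue
        done.append(argv)
        path.unlink()
    return done


if __name__ == "__main__":
    spool = Path(tempfile.mkdtemp())                       # constructed demo spool
    enqueue(spool, "alice", "alice@example.com")
    # Dry run: print what the worker would execute instead of calling useradd.
    print(process_queue(spool, runner=lambda argv, check: print("would run", argv)))
```

In production the spool directory would be owned by the web user and readable by the worker only; the worker runs as root from cron, so the web process never holds any elevated privilege at all.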

2:

Create a script that accepts a command line option, validates it, and execs useradd. Add your httpd's user to the sudoers file with a NOLOGIN directive, JUST for this one process. That way, you don't have to worry about writing a daemon that will always run with root privileges, and your script would also return immediately. If you just used a setuid root script, other users on the same system could exec your script (unless you checked their real user ID).
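The validate-then-exec wrapper from this answer, written out as an added example (not the answer's own code). The wrapper path `/usr/local/sbin/add-ftp-user`, the `www-data` account and the sudoers rule are assumptions; the rule shown uses sudo's `NOPASSWD` tag to limit the grant to this one executable. The wrapper is the entire trust boundary, so it accepts exactly one argument, checks who invoked it via the `SUDO_USER` variable that sudo exports, allowlists the username, and only then replaces itself with `useradd`.

```python
#!/usr/bin/env python3
"""add-ftp-user: invoked through sudo by the web user, e.g. from PHP
    exec('sudo -n /usr/local/sbin/add-ftp-user ' . escapeshellarg($name));
with a sudoers rule limited to this one file (assumed path and account):
    www-data ALL=(root) NOPASSWD: /usr/local/sbin/add-ftp-user
"""
import os
import re
import sys
from typing import List, Optional

USERNAME_RE = re.compile(r"^[a-z][a-z0-9]{0,31}$")   # lowercase alphanumeric, 1-32 chars
ALLOWED_INVOKERS = {"www-data"}                       # assumed httpd account
USERADD = "/usr/sbin/useradd"                         # absolute path: no PATH lookup as root


def validate_args(argv: List[str], invoker: Optional[str]) -> List[str]:
    """Return the useradd argv to exec, or raise ValueError.
    `invoker` is the value of SUDO_USER, which sudo sets to the calling account;
    that answers the 'check the real user' concern from the setuid discussion."""
    if invoker not in ALLOWED_INVOKERS:
        raise ValueError(f"refusing call from {invoker!r}")
    if len(argv) != 2:
        raise ValueError("usage: add-ftp-user USERNAME")
    name = argv[1]
    if not USERNAME_RE.match(name):
        raise ValueError("username must be lowercase alphanumeric, 1-32 chars")
    # Every option is fixed here; the only caller-controlled token is the
    # validated name, so an option-looking argument can never reach useradd.
    return [USERADD, "--shell", "/usr/sbin/nologin", "--create-home", name]


def main() -> int:
    try:
        cmd = validate_args(sys.argv, os.environ.get("SUDO_USER"))
    except ValueError as exc:
        print(f"add-ftp-user: {exc}", file=sys.stderr)
        return 2
    os.environ.clear()          # do not hand the web server's environment to a root process
    os.execv(cmd[0], cmd)       # replaces this process; only returns on failure
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the wrapper is exec'd by sudo rather than setuid, it does not inherit the classic setuid pitfalls (it is a script, and scripts cannot safely be setuid anyway), and the sudoers entry names one absolute path, so changing what that path contains is the only way to widen the grant.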

3:

I'll start by saying that running httpd as root is a very bad idea.

The safest way to do this is to have complete privilege separation between the webserver UI and the effector. One obvious way of doing this is to run a server as root accepting local connections only, which the UI sends its requests to (a simple way of doing this is via inetd/xinetd, which means you don't have to bother with all the complications of establishing a daemon process).

You would also need some sort of trust mechanism between the UI and the effector (a shared secret would suffice) so that other programs on the system can't call the effector. Using a trust system which relies on challenge-based auth or asymmetric encryption means that you no longer have to worry about the local connection constraint.

Finally, you need a well-defined protocol by which the UI and effector communicate.

This is a lot more complex than using sudo, but is more secure (e.g. sudo just allows users to execute specific files as a different uid; you hope that the file contains the right program). Setuid has many of the same drawbacks as sudo, with the added complication that (in most cases) if it starts another program, then it will do so as the original uid.

HTH. C.
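The three pieces this answer asks for (a shared secret, a well-defined protocol, and an effector that only accepts requests it can authenticate) as an added example, not code from the answer. The wire format (one JSON line carrying a timestamp, a nonce and an HMAC-SHA256 over the canonical body), the 30-second freshness window, the action vocabulary and the use of `socketpair()` to stand in for the local socket or inetd connection are all assumptions. The effector verifies the MAC before it trusts any field, refuses stale or replayed nonces, and maps action names onto fixed argv templates, so the UI can only ever select from the vocabulary, never compose a command.

```python
"""UI <-> root effector protocol with a shared secret (example; all names assumed)."""
import hashlib
import hmac
import json
import os
import re
import time
from typing import List, Optional

USERNAME_RE = re.compile(r"^[a-z][a-z0-9]{0,31}$")
MAX_AGE = 30                                   # seconds a signed request stays valid
ACTIONS = {                                    # the entire command vocabulary
    "add_ftp_user": ["/usr/sbin/useradd", "--shell", "/usr/sbin/nologin", "--create-home"],
    "disable_user": ["/usr/sbin/usermod", "--lock"],
}


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(secret: bytes, action: str, username: str, now: Optional[float] = None) -> bytes:
    """UI side: build one request line.  The MAC covers ts, nonce, action and username."""
    body = {"ts": int(now if now is not None else time.time()),
            "nonce": os.urandom(16).hex(), "action": action, "username": username}
    mac = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac}).encode() + b"\n"


def verify_request(secret: bytes, line: bytes, seen: set, now: Optional[float] = None) -> List[str]:
    """Effector side: authenticate, check freshness and replay, validate, map to argv.
    Raises ValueError on any failure; the caller must then run nothing."""
    try:
        msg = json.loads(line)
        body, mac = msg["body"], msg["mac"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed request")
    if not isinstance(body, dict) or not isinstance(mac, str):
        raise ValueError("malformed request")
    expected = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        raise ValueError("bad MAC")
    # Only after the MAC checks out do we interpret the fields.
    now = now if now is not None else time.time()
    ts = body.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_AGE:
        raise ValueError("stale request")
    nonce = body.get("nonce")
    if not isinstance(nonce, str) or nonce in seen:
        raise ValueError("replayed request")
    seen.add(nonce)
    template = ACTIONS.get(body.get("action"))
    if template is None:
        raise ValueError("unknown action")
    name = body.get("username", "")
    if not isinstance(name, str) or not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return template + [name]


if __name__ == "__main__":
    import socket
    secret = os.urandom(32)      # in practice: read from a root-only file the web user cannot open
    ui, effector = socket.socketpair()               # stands in for the local socket / inetd
    ui.sendall(sign_request(secret, "add_ftp_user", "alice"))
    argv = verify_request(secret, effector.makefile("rb").readline(), set())
    print("effector would run:", argv)
```

The secret must live somewhere the web user can read but other local users cannot (the UI needs it to sign), which is exactly the "local connection constraint" the answer mentions; moving to challenge-response or public-key authentication removes the need for the effector to listen locally only, but the verify-before-parse, nonce and allowlist structure stays the same.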

