filehandling and system() permissions.

  • mikeisgreat@gmail.com

    filehandling and system() permissions.

    Hi,

    I am pretty new to php and have a few questions.

    I am creating an Apache admin tool for some less "linux-able" users at
    my job.
    My tool needs to be able to 'restart' apache on 3 different servers
    being that it is a cluster.

    I have a shell script that I write that uses 'ssh' to accomplish this
    but only if I am root or in the sudoers file.
    How would I allow the user via my web tool enough privileges to restart
    apache? I know I can add the 'www' user which apache is running as to
    the sudoers file and explicitly allow running the 'apachectl' command,
    but I don't feel safe doing this... I'm hoping someone with more
    experience can give me some ideas.

    what is the difference between using system(), exec(), shell_exec() etc
    .... here is how I was thinking of doing it. Of course, I still have my
    perm problem.

    if (isset($_POST["restart"]))
    {
        # send stdout/stderr to the browser
        $restart = shell_exec('/usr/sbin/apachectl restart 2>&1');
        echo $restart;
    }

    Also, my form appends ^M end of line chars to the file. Apache is
    running on RHEL 4. Is there a simple way to not let the form submission
    append ^M?

    Any help is appreciated.
    Thanks for your time.

    --Mike

  • Colin McKinnon

    #2
    Re: filehandling and system() permissions.

    mikeisgreat@gmail.com wrote:
    >
    > I am creating an Apache admin tool for some less "linux-able" users at
    > my job.
    > My tool needs to be able to 'restart' apache on 3 different servers
    > being that it is a cluster.

    ....and presumably you are thinking of running this via apache.

    Working out how to sort out the privilege thing is trivial compared to the
    other problems you will have if you try to control apache VIA apache.

    For 3 machines, I'd say install webmin and leave it at that.

    > I have a shell script that I write that uses 'ssh' to accomplish this
    > but only if I am root or in the sudoers file.

    Yes - there are good reasons why you need to be root, or in the sudoers.

    > How would I allow the user via my web tool enough privileges to restart
    > apache? I know I can add the 'www' user which apache is running as to
    > the sudoers file and explicitly allow running the 'apachectl' command,
    > but I don't feel safe doing this...

    Very not safe. I would be wary about doing this on a private LAN - and NEVER
    on a machine connected to the internet.

    >
    > what is the difference between using system(), exec(), shell_exec() etc
    > ... here is how I was thinking of doing it. Of course, I still have my
    > perm problem.
    > if(isset($_POST["restart"]))
    > {
    > $restart = shell_exec('/usr/sbin/apachectl restart 2>&1'); #send stdout/stderr to the browser

    This isn't going to work if you are running via apache. You are killing off
    the parent process of the apachectl, therefore it will terminate, probably
    before starting apache again. You need to either run a second webserver on
    a different port or interface or dissociate apachectl from the process group
    of apache.

    C.
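
Added example, not code from any poster in this thread: a root-owned wrapper that a sudoers rule could name instead of `apachectl` itself, accepting only allow-listed actions and starting the restart in its own session so it is outside the calling Apache worker's process group. The wrapper path, function names and the `apache-admin` log tag are hypothetical.

```shell
#!/bin/sh
# Added example. Hypothetical names: install path, validate_action,
# run_detached, main, and the "apache-admin" syslog tag.
#
# A sudoers rule can then name this wrapper with one fixed argument instead
# of granting apachectl itself (wrapper path is a placeholder):
#   www ALL=(root) NOPASSWD: /usr/local/sbin/apache-restart-wrapper restart

APACHECTL=/usr/sbin/apachectl   # path used in the original post

# Print the action if it is on the allow-list, otherwise return 1.
# Any CR (the ^M mentioned in the thread) is stripped before matching.
validate_action() {
    action=$(printf '%s' "$1" | tr -d '\r')
    case "$action" in
        restart|graceful|configtest)
            printf '%s\n' "$action" ;;
        *)
            return 1 ;;
    esac
}

# Start the command in a new session, detached from the terminal and from
# the process group of whatever launched it.
run_detached() {
    setsid "$@" </dev/null >/dev/null 2>&1 &
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 ACTION" >&2; return 2; }
    action=$(validate_action "$1") || { echo "rejected action" >&2; return 2; }
    # Audit trail: SUDO_UID is set by sudo to the invoking user's uid.
    logger -t apache-admin "action=$action sudo_uid=${SUDO_UID:-none}"
    if [ "$action" = configtest ]; then
        "$APACHECTL" configtest      # synchronous, caller wants the output
    else
        run_detached "$APACHECTL" "$action"
    fi
}

# With no arguments the file only defines its functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the sudoers entry lists the argument explicitly, sudo refuses any other argument before the wrapper even runs; the allow-list inside the wrapper is a second check.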


    • mikeisgreat@gmail.com

      #3
      Re: filehandling and system() permissions.

      Well, correct...

      it would be apache on apache .. but the admin tool would run on a
      machine separate from the webservers it needs to restart, but on the
      same network

      I have a script that restarts all three apaches ....

      is there a safer way to run this script via apache? The script is run
      by a user that has 'sudo' privz to restart all apaches with no
      password.

      I am guessing there is no easy way to tell apache to run this script
      as this user?

      thanks.


      • Jerry Stuckle

        #4
        Re: filehandling and system() permissions.

        mikeisgreat@gmail.com wrote:
        > Well, correct...
        >
        > it would be apache on apache .. but the admin tool would run on a
        > machine separate from the webservers it needs to restart, but on the
        > same network
        >
        > I have a script that restarts all three apaches ....
        >
        > is there a safer way to run this script via apache? The script is run
        > by a user that has 'sudo' privz to restart all apaches with no
        > password.
        >
        > I am guessing there is no easy way to tell apache to run this script
        > as this user?
        >
        > thanks.
        >

        There's no safe way to do it. Remember - if you can do it via the website, a
        hacker can do it, also.

        My suggestion - stick with the ssh script.

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================
