PHP Security Question

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Patrick McDonnell
    #1

    PHP Security Question

    Here's my situation: I'm working on a PHP application that adds user
    accounts to my system. However, the PHP script runs on the webserver,
    while the accounts need to be created on a different box, which I'll refer
    to as "master". Right now, on "master" I have a script which can create
    and destroy directories in /home, and set permissions, etc. The script is
    run by a shell_exec(ssh master sudo homeDirManage.s h create $USER). I have
    setup the web server user to be able to ssh to master without a password,
    and use sudo to run homeDirManage.s h without a password. What I'm worried
    about is that any other user able to put up their web page can do the exact
    same thing, and delete home dirs. Is there a more secure way to do this?
    Tags: None
    • Michael Vilain
      #2
      Re: PHP Security Question

      In article <BO2dna4r3r2smM rcRVn-uw@comcast.com> ,
      Patrick McDonnell <pmcdonnell@mun cc.marmionacade my.org> wrote:
      [color=blue]
      > Here's my situation: I'm working on a PHP application that adds user
      > accounts to my system. However, the PHP script runs on the webserver,
      > while the accounts need to be created on a different box, which I'll refer
      > to as "master". Right now, on "master" I have a script which can create
      > and destroy directories in /home, and set permissions, etc. The script is
      > run by a shell_exec(ssh master sudo homeDirManage.s h create $USER). I have
      > setup the web server user to be able to ssh to master without a password,
      > and use sudo to run homeDirManage.s h without a password. What I'm worried
      > about is that any other user able to put up their web page can do the exact
      > same thing, and delete home dirs. Is there a more secure way to do this?[/color]

      How about sending an email, signed a special way with some sort of MD5
      hash, that gives particulars on how to create the account to the remote
      system. A script would execute, authenticate the hash, and perform the
      account add or other action.

      --
      DeeDee, don't press that button! DeeDee! NO! Dee...



        Comment

        • Chung Leong
          #3
          Re: PHP Security Question


          "Patrick McDonnell" <pmcdonnell@mun cc.marmionacade my.org> wrote in message
          news:BO2dna4r3r 2smMrcRVn-uw@comcast.com. ..[color=blue]
          > Here's my situation: I'm working on a PHP application that adds user
          > accounts to my system. However, the PHP script runs on the webserver,
          > while the accounts need to be created on a different box, which I'll refer
          > to as "master". Right now, on "master" I have a script which can create
          > and destroy directories in /home, and set permissions, etc. The script is
          > run by a shell_exec(ssh master sudo homeDirManage.s h create $USER). I[/color]
          have[color=blue]
          > setup the web server user to be able to ssh to master without a password,
          > and use sudo to run homeDirManage.s h without a password. What I'm worried
          > about is that any other user able to put up their web page can do the[/color]
          exact[color=blue]
          > same thing, and delete home dirs. Is there a more secure way to do this?[/color]

          Instead of the web server pushing the user info to the master, have the
          master pull the info from the web server. As long as the page that master
          reads is secured, there is no easy way for another user on the web server to
          compromise the system.



            Comment

            Previous template Next
            Working...