|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
Re: [PLUG] Running Apache CGI scripts as root?
|
On 11:10 Wed 13 Jan , Mike Sheinberg wrote:
> So, I'm trying to solve an issue at my work where I need particular CGI
> scripts to have root access to a number of binaries. I have been messing
> with the sudoers file to try to grant this access to the particular
> binaries in question without requiring a password but since the 'apache'
> account has no shell (apache:x:48:48:Apache:/var/www:/sbin/nologin)� I get
> the following error:
>
> [error] [client xxx.xxx.xxx.xxx] sorry, you must have a tty to run sudo,
> referer: [1]https://xxxx.xxx.xxx/xxx.py.
>
> After some searching some people seemed to recommend trying the apache
> module 'suexec' but it seemed a bit fishy to me so I thought I'd ask good
> ol' PLUG for some best practices advice on solving this issue. I'd also
> like to keep the
>
> Defaults requiretty
>
> setting in the /etc/sudoers file if possible (due to security concerns).
>
> Thanks!
> Mike
Its possible SUExec will do what you want. It was kind of designed to do
the opposite, secure scripts rather than de-secure them, but I think if
you bang on it enough you may be able to get it to run scripts as root.
Alternately, maybe giving apache (the user) a shell like rssh[1] will allow it to
execute the scripts through sudo without opening it up too much?
Claude
[1] http://www.pizzashack.org/rssh/
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|