Author: Dominic Cleal Date: To: lug, Hampshire LUG Discussion List Subject: Re: [Hampshire] Running a script that needs to do a rooty thing
On 26/11/10 21:04, Vic wrote: >> It would be daft to make www-data a sudoer and I'm not sure how I would do
>> that anyway. Any ideas on how to achieve this, or alternatives?
>
> Factor out the couple of bits that need root privilege, and put them in
> their own scripts. Make those scripts executable only by the www-data
> user, and then make them setuid.
>
> Your main script can then run with reduced privilege, and call the setuid
> ones as necessary.
You probably won't be able to do this, setuid scripts are usually
blocked by the OS.
It'd be difficult to write a setuid script securely as environment
variables (e.g. PATH, LD_LIBRARY_PATH) could be used to make the script
run all sorts of things the author didn't intend. apachectl itself is
also a script, so might also be susceptible to attack.
On 26/11/10 18:15, Victor Churchill wrote: > It would be daft to make www-data a sudoer and I'm not sure how I
> would do that anyway. Any ideas on how to achieve this, or
> alternatives?
I'd strongly recommend using sudo, it isn't daft. It's really easy to
configure, it gives you auditing via syslog and should run the command
in a secure environment out of the box.
Add a line to the bottom of /etc/sudoers similar to:
www-data ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful
The www-data user will be able to only run the single command with the
exact set of arguments given. Then just run "sudo apachectl graceful"
from your script.
