Re: Problems with permissions
Alex Efros <powerman <at> powerman.name>
2008-04-04 10:32:41 GMT
On Fri, Apr 04, 2008 at 11:15:56AM +0100, M?rio Gamito wrote:
> How do I turn this around so that Apache executes add-alias and make
> command without compromising (at least too much) security ?
You can't do this without compromising security. If your PHP script able
to modify DNS zone file, then any other CGI/PHP on same server also able
to modify DNS zone file.
There different ways to setup this:
1) You can just set permissions for /service/tinydns/root/data* to
nobody:nobody (apache's user).
2) You can have copy of tinydns's data file in private directory of your
PHP script, your PHP will modify that data file, and then, every X
minutes cron script (running as root) will copy data file from that
PHP script's private directory to /etc/tinydns/root/ and run
3) You can add something like this to /etc/sudoers:
nobody ALL= NOPASSWD: /usr/bin/make -C /service/tinydns/root/
and run this command using sudo from PHP script (you'll need similar
configuration in /etc/sudoers for running add-alias).
4) You can create special SUID script which will modify data file.
Personally I recommend 1) if you don't bother changing permissions on
tinydns data* files OR 3). The 2) is add needless complexity with cron
script, the 4) is more unsecure than others because chances are you'll
have bugs in your SUID script.
If you need secure way to do this - you'll need to run your PHP script
under UID dedicated to that script instead of general apache's user
"nobody". This can be done using apache's SUEXEC or external FastCGI
daemon. This way, plus using 1) or 3), you should be as secure as your PHP