RE: Running httpd as root on a Linux machine

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Why not use sudo to execute the commands through Apache?  At least then you
don't leave yourself open to an injected "dd if=/dev/random of=/dev/sda" or
the likes.

To setup sudo privs, you would need to edit /etc/sudoers and add:

httpd ALL=(ALL) NOPASSWD: /usr/bin/who,/usr/bin/ssh,/usr/bin/lynx

Then to execute the commands in Apache, run "/usr/bin/sudo
/path/to/command".

Hopefully this will be acceptable (I'm assuming the configuration scripts
try to execute commands on the server that would require root privs).

----
Graham Frank
Neoservers LLC - Founder and Owner
Ph: (608) 359-1593
Member of the Better Business Bureau   


-----Original Message-----
From: Ron Lee [mailto:ronberlin@xxxxxxxxxxxxxx] 
Sent: Monday, August 06, 2007 5:21 AM
To: users@xxxxxxxxxxxxxxxx
Subject:  Running httpd as root on a Linux machine

Hi all,

I want to perform remote network configuration on a Linux machine via
web interface. I thought that I can use PHP for this purpose. When I
click on a certain button, I want certain configuration scripts
executed on the Linux machine. So far that works fine.

The problem I have is that my configuration scripts need root
privilege to run but the httpd deamon runs as "apache user". Is it
possible to run httpd as root? I know that this is a big security risk
but I still want to do this to meet my project requirements.

Thanks for any help!!

Ron

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux