Re: Running httpd as root on a Linux machine

I would make a cron job that is executed every few minutes, so Apache
can still be its own user; you don't need to set anything in sudoers.
It might not be real-time, but I think for security it's a good solution.


Graham Frank wrote:
> Why not use sudo to execute the commands through Apache?  At least then you
> don't leave yourself open to an injected "dd if=/dev/random of=/dev/sda" or
> the likes.
> 
> To set up sudo privs, you would need to edit /etc/sudoers and add:
> 
> httpd ALL=(ALL) NOPASSWD: /usr/bin/who,/usr/bin/ssh,/usr/bin/lynx
> 
> Then to execute the commands in Apache, run "/usr/bin/sudo
> /path/to/command".
> 
> Hopefully this will be acceptable (I'm assuming the configuration scripts
> try to execute commands on the server that would require root privs).
> 
> ----
> Graham Frank
> Neoservers LLC - Founder and Owner
> Ph: (608) 359-1593
> Member of the Better Business Bureau   
> 
> 
> -----Original Message-----
> From: Ron Lee [mailto:ronberlin@xxxxxxxxxxxxxx] 
> Sent: Monday, August 06, 2007 5:21 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject:  Running httpd as root on a Linux machine
> 
> Hi all,
> 
> I want to perform remote network configuration on a Linux machine via
> web interface. I thought that I can use PHP for this purpose. When I
> click on a certain button, I want certain configuration scripts
> executed on the Linux machine. So far that works fine.
> 
> The problem I have is that my configuration scripts need root
> privilege to run but the httpd daemon runs as "apache user". Is it
> possible to run httpd as root? I know that this is a big security risk
> but I still want to do this to meet my project requirements.
> 
> Thanks for any help!!
> 
> Ron
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
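
The cron approach suggested in the reply above, sketched as an added example (not code from the thread): the PHP page, still running as the apache user, writes a one-line request file, and a root cron job maps it to a fixed script through an allowlist. The spool path, the script directory and the action names are hypothetical.

```shell
#!/bin/sh
# Root-run cron worker (added example). Apache stays unprivileged and only
# drops one-line request files into a spool directory.
# Hypothetical names: both paths and the three action names below.
# Example /etc/cron.d entry: */5 * * * * root /usr/local/sbin/webcfg-worker --run
SPOOL="${SPOOL:-/var/spool/webcfg}"                      # writable by the apache user
ACTIONS_DIR="${ACTIONS_DIR:-/usr/local/libexec/webcfg}"  # root-owned, not writable by apache

# Map a requested name to a fixed root-owned script. Only exact allowlisted
# names match, so request text is never executed or interpolated.
resolve_action() {
    case "$1" in
        restart-network|set-dns|set-hostname) printf '%s/%s\n' "$ACTIONS_DIR" "$1" ;;
        *) return 1 ;;
    esac
}

# Handle every pending request once; prints "ran=N rejected=M".
process_queue() {
    ran=0 rejected=0
    for req in "$SPOOL"/*.req; do
        # Skip an unmatched glob and symlinks planted in the spool.
        [ -f "$req" ] && [ ! -L "$req" ] || continue
        action=""
        IFS= read -r action < "$req" || true   # first line only
        rm -f -- "$req"                        # each request is consumed once
        if script=$(resolve_action "$action"); then
            "$script" && ran=$((ran + 1))
        else
            rejected=$((rejected + 1))
            echo "webcfg: rejected request in $req" >&2
        fi
    done
    echo "ran=$ran rejected=$rejected"
}

if [ "${1:-}" = "--run" ]; then
    process_queue
fi
```

The worker passes no arguments to the scripts; an action that needs parameters would have to validate each one in the root-owned script before use.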

