Thanks Matthew. You and Richard have been very helpful. I should be able
to carry on. Thank you again.

--
Roger

Quoting Matthew Weier O'Phinney <mweierophinney@xxxxxxxxx>:

> First off, Roger, Thomas, not sure which is your given name -- please
> use a mail or news agent that will wrap your lines with linebreaks at 72
> characters. Some of us are on text-based clients, and it's difficult to
> read your posts when they extend beyond the screen boundaries... ;-)
>
> * Roger Thomas <sniper@xxxxxxxxxxx> :
> > OK. I am able to set up remote key authentication between svrA and
> > svrB. From svrA I can log in to svrB with something like
> > [www@svrA www]$ ssh www@svrB
> >
> > and I can also execute a shell script like
> > [www@svrA www]$ ssh www@svrB /tmp/test.sh
> >
> > On svrA I have a PHP script like so:
> > <?
> > system('ssh www@svrB /tmp/test.sh someDIR');
> > ?>
> >
> > /tmp/test.sh on svrB is only a one liner like so:
> > mkdir /tmp/$1
> >
> > I ran the script from the browser but the /tmp/someDIR is not created :(
> > Could it be that user nobody on svrA is *not* allowed to connect to
> > svrB because the public key belongs to user www ? How do I rectify
> > this ?
> >
> > In the actual situation, I need to execute a shell script in svrB
> > (from browser served by Apache on svrA) that only root can run. Please
> > advise. I am getting very worried.
>
> Okay, I should have been a little more explicit.
>
> There are two ways I've done this. The initial details are different,
> but the final call is pretty much the same.
>
> 1. Using sudo
>    'sudo' allows users to run commands as different users. In this case,
>    we want the user running the web server (usually www, apache, or
>    nobody) to run ssh, or a script that executes the ssh command, as a
>    normal user. I usually opt for the latter, and create a script such
>    as:
>
>        #!/bin/bash
>        exec ssh user@svrA /path/to/remote/script
>
>    and save it in /usr/local/bin. Then, edit sudoers (usually executing
>    'visudo' as root), and add a line like
>
>        nobody ALL = (username) NOPASSWD: /usr/local/bin/SCRIPTNAME
>
>    What this does is to allow the user 'nobody' (or whoever runs the
>    web server process) to execute /usr/local/bin/SCRIPTNAME as
>    'username', and they do not need to enter a password to do so
>    (normally with sudo you do).
>
>    You'll need to restart the webserver after granting the sudo
>    privileges.
>
>    In this scenario, the normal user, specified by 'username' above,
>    needs to have the SSH keys set up between the servers.
>
> 2. Give the web user a home directory
>    The other option is to set up a home directory for the web user. This
>    will mean editing the /etc/passwd file to give the web user both a
>    home directory and a shell; these are the last two items in the colon
>    delimited list. A sample entry might look like:
>
>        nobody:x:65534:65534:nobody:/var/www:/bin/bash
>
>    Once you've done this, restart the web server. At this point, you'll
>    then need to become the web user briefly in order to:
>
>    * generate an SSH key
>    * send the key to the remote server
>
>    Then, on the remote server, add the SSH key to the appropriate user
>    on that system.
>
> Good luck!
>
> > Quoting Matthew Weier O'Phinney <mweierophinney@xxxxxxxxx> :
> >
> > > * Roger Thomas <sniper@xxxxxxxxxxx> :
> > > > My PHP script is in svrA. How do I run a shell script in svrB?
> > > > svrB does not have PHP and Apache :(
> > > > Is this at all possible? Please advise.
> > >
> > > Use ssh. You will have to set up remote key authentication from svrA to
> > > svrB (so that a password will not be needed), and then in your script
> > > you would call:
> > >
> > >     system('ssh svrB /path/to/scriptToRun');
>
> --
> Matthew Weier O'Phinney
> Zend Certified Engineer
> http://weierophinney.net/matthew/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
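
An added example, not part of the original thread and not code from any of its participants: a version of the /usr/local/bin wrapper from option 1 for the case where the PHP page passes an argument (like someDIR above). ssh joins its command arguments into one string that the remote user's shell parses, so the wrapper accepts only a plain directory name before forwarding it. REMOTE, the function names and the 64-character limit are assumptions.

```shell
#!/bin/bash
# Added example: wrapper run by the web server user through sudo
# (option 1 in the thread). Host, account and limits are assumptions.
export LC_ALL=C                  # make A-Z / a-z ranges ASCII-only
REMOTE="user@svrB"               # assumed account and host
REMOTE_SCRIPT="/tmp/test.sh"     # remote script named in the thread

# Accept a single path component of letters, digits, '_' and '-',
# 1 to 64 characters long. Spaces, '/', '..', ';', '$', quotes and
# backticks are all rejected before ssh is started.
valid_dirname() {
    local name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 64 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the command string that the remote shell will parse. The
# validated argument is single-quoted so it stays exactly one word.
remote_command() {
    valid_dirname "$1" || return 1
    printf "%s '%s'\n" "$REMOTE_SCRIPT" "$1"
}

main() {
    local cmd
    if ! cmd=$(remote_command "${1:-}"); then
        echo "refusing argument: not a plain directory name" >&2
        return 2
    fi
    # BatchMode=yes: never prompt for a password; fail with an error
    # if key authentication does not work for this user.
    exec ssh -o BatchMode=yes "$REMOTE" "$cmd"
}

# Runs only when called with an argument, e.g. from PHP:
#   sudo -u username /usr/local/bin/SCRIPTNAME someDIR
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

On svrB the one-liner should also quote its parameter, as in mkdir "/tmp/$1", so the name is never word-split there either.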