On 9/3/05, Michelle Konzack <linux4michelle@xxxxxxxxxx> wrote:
> Hello *,
>
> for a half hour I was at a new customer and they run apache 1.3 as
> root on an IntranetServer because they need to admin their Fileserver
> via php.
>
> Now some problems:
>
> 1) They use exec("mcrypt ....") to generate UNIX passwords for
>    /etc/shadow and I like to know, how I can create suitable md5
>    passwords for it from php.

I'm not totally sure on the format of the passwords in /etc/shadow, but can you do anything with php's md5 function? If not, then perhaps the mcrypt extension may do something for you.

> 2) I like to run apache as www-data and not as root.  How I must
>    setup php/apache that I can do root-stuff because I need to run
>
>    exec("useradd -c $WA_COMMENT -d $WA_HOME_DIR \
>          -e $WA_EXPIRE_DATE -f $WA_INACTIVE_TIME \
>          -g $WA_INITIAL_GROUP -G $WA_GROUPS \
>          -m -k $WA_SKELETON_DIR -s $WA_SHELL \
>          -u $WA_UID -p $WA_PASS_MCRYPT $WA_LOGIN")

First of all you inform your client that they are insane. Running apache as root is completely unnecessary.

To perform the above I'd use a combination of suExec/suPHP/somethingLikeThat and sudo. I'd create a user called webuserman (Web User Manager), or something like that, and have the script run as webuserman. I'd change the useradd..... to sudo useradd....., and mod the /etc/sudoers file to allow the webuserman user to call the useradd command as root (through sudo).

If you are a lazy bastard, with very little concern for security (which it seems you're not), you could simply run the script as www-data, and have sudo allow www-data to do an adduser. I would oppose this however, in that any php script would be able to use it.

Also make sure you escape your shell arguments.

> Thanks and nice weekend
>     Michelle
>
> --
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> Michelle Konzack   Apt. 917                  ICQ #328449886
> 50, rue de Soultz                     MSM LinuxMichi
> 0033/3/88452356    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
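
The setup the reply describes (a dedicated account, a single sudo rule, escaped arguments), shown as an added example that is not part of the original message. The sudoers line, the `/usr/sbin/useradd` path, the validation rules and the function names `shadow_md5()` and `build_useradd()` are assumptions, and the input is constructed; the `$1$` hash comes from PHP's `crypt()`, which is not something the thread itself names.

```php
<?php
// Added example. Assumes the script runs as the dedicated account from the
// reply ("webuserman") and that /etc/sudoers (edited with visudo) contains:
//   webuserman ALL=(root) NOPASSWD: /usr/sbin/useradd
// www-data gets no sudo rule, so other PHP scripts cannot create users.

// MD5-crypt ($1$) hash in the form /etc/shadow stores, using PHP's crypt().
function shadow_md5(string $plain): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];   // 8 random salt characters
    }
    return crypt($plain, '$1$' . $salt . '$');
}

// Validate the fields that have a strict format, then escape every argument.
function build_useradd(array $u): string
{
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $u['login'])) {
        throw new InvalidArgumentException('invalid login name');
    }
    if (!ctype_digit((string) $u['uid']) || (int) $u['uid'] < 1000) {
        throw new InvalidArgumentException('invalid or system UID');
    }
    $args = [
        '-c', $u['comment'],
        '-d', $u['home'],
        '-g', $u['group'],
        '-m',
        '-s', $u['shell'],
        '-u', (string) $u['uid'],
        '-p', shadow_md5($u['password']),
        '--', $u['login'],               // "--" ends option parsing
    ];
    // -n: fail instead of prompting if the sudoers rule is missing.
    return 'sudo -n /usr/sbin/useradd '
        . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample input; the comment field carries shell metacharacters.
$cmd = build_useradd([
    'login' => 'jdoe', 'uid' => 1501, 'comment' => 'J. Doe $(id)',
    'home' => '/home/jdoe', 'group' => 'users', 'shell' => '/bin/bash',
    'password' => 'constructed-sample',
]);
echo $cmd, PHP_EOL;   // exec($cmd, $out, $rc) would run it; check $rc === 0
```

The printed command shows the comment as the single-quoted literal `'J. Doe $(id)'`, so the shell passes it to useradd as data. A hash given with `-p` is visible in the process list while useradd runs.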