Nick Wilson wrote:
> I think you're on the right track Col. I did a whole bunch more
> searching and the one thing I kept hearing was that no matter what you
> try, you just cant get the webserver to exec the script as another user
> -- so even if im saying 'nick@server' in both parts of the scp command,
> it's still being exec'd as apache, and apache has no home, and no .ssh
> dir.
The program on the webserver will always be executed as the user that
runs the webserver. The nick@ bit is purely the syntax used by the
program in question, in this case scp.
I'm sure it will be possible to get the apache user to run SCP, even if
the user does not have a home directory specified.
> i've tried putting the perms on that dsa file directly as the apache
> user and even putting it eleshwere in teh filesystem but nothing seems
> to work
>
> As i dont have the ssh2 ext on this setup, and have no desire to go
> messin with new extensions it looks like im going to have to go gthe nfs
> route on this problem unless anyone has done this before and knows an
> answer?
Assuming you have root on the box in question, you could write a shell
script that does what you need then run it from apache via the sudo
command. Provided you configure /etc/sudoers to allow the apache user to
run your script without a password, it should work. As it's only allowed
to run that one script, it is also fairly secure.
E.g.
/usr/bin/transfer_image.sh:
#!/bin/bash
if [ -z "$1" ]; then
echo "No input file."
exit 1
fi
scp "$1" nick@xxxxxxxxxxxxxxxx:/var/www/images/
And then in apache:
exec("sudo -u nick /usr/bin/transfer_image.sh $file");
(obviously escape $file with the escape_shell_cmd() func.)
/etc/sudoers should contain something like:
apache ALL = (/usr/bin/transfer_image.sh) NOPASSWD: ALL
Col.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
