* and then Colin Guthrie declared....
> Nick Wilson wrote:
> > I think you're on the right track Col. I did a whole bunch more
> > searching and the one thing I kept hearing was that no matter what you
> > try, you just can't get the webserver to exec the script as another user
> > -- so even if I'm saying 'nick@server' in both parts of the scp command,
> > it's still being exec'd as apache, and apache has no home, and no .ssh
> > dir.
>
> The program on the webserver will always be executed as the user that
> runs the webserver. The nick@ bit is purely the syntax used by the
> program in question, in this case scp.
>
> I'm sure it will be possible to get the apache user to run SCP, even if
> the user does not have a home directory specified.
>
> > I've tried putting the perms on that dsa file directly as the apache
> > user and even putting it elsewhere in the filesystem but nothing seems
> > to work
> >
> > As I don't have the ssh2 ext on this setup, and have no desire to go
> > messin with new extensions it looks like I'm going to have to go the nfs
> > route on this problem unless anyone has done this before and knows an
> > answer?
>
> Assuming you have root on the box in question, you could write a shell
> script that does what you need then run it from apache via the sudo
> command. Provided you configure /etc/sudoers to allow the apache user to
> run your script without a password, it should work. As it's only allowed
> to run that one script, it is also fairly secure.
>
> E.g.
> /usr/bin/transfer_image.sh:
> #!/bin/bash
>
> if [ -z "$1" ]; then
>   echo "No input file."
>   exit 1
> fi
> scp "$1" nick@xxxxxxxxxxxxxxxx:/var/www/images/
>
>
> And then in apache:
> exec("sudo -u nick /usr/bin/transfer_image.sh $file");
>
> (obviously escape $file with the escape_shell_cmd() func.)
>
> /etc/sudoers should contain something like:
> apache ALL = (/usr/bin/transfer_image.sh) NOPASSWD: ALL

That makes a lot of sense. I wasn't aware sudoers could be used for
individual tasks. I'm not having much luck with it, I suspect it's cos
what apache really needs permission to do is to 'sudo -u nick' right?

-- 
Nick Wilson
http://performancing.com/user/1
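An added example, not code from either poster: a hardened variant of the transfer script discussed in this thread, with the matching sudoers rule and PHP call in its header comment. In sudoers syntax the run-as user goes in parentheses and the permitted command follows the `NOPASSWD:` tag, and because the script runs as nick on a filename supplied by the web application, it validates that name before calling scp. The upload directory, the remote host name, and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): hardened variant of transfer_image.sh.
# Matching sudoers rule (edit with visudo); the run-as user goes in
# parentheses, the one permitted command after the NOPASSWD: tag:
#   apache ALL = (nick) NOPASSWD: /usr/bin/transfer_image.sh
# PHP caller, passing the filename as a single quoted argument:
#   exec('sudo -n -u nick /usr/bin/transfer_image.sh ' . escapeshellarg($file));

# Assumptions: upload directory and remote target are placeholders.
UPLOAD_DIR="${UPLOAD_DIR:-/var/www/uploads}"
REMOTE="${REMOTE:-nick@images.example.com:/var/www/images/}"

# Print the canonical path and return 0 only if $1 is a regular image
# file located inside directory $2; return 1 otherwise.
validate_upload() {
    local file="$1" base="$2" real real_base
    [ -n "$file" ] || return 1
    real_base=$(realpath -e -- "$base" 2>/dev/null) || return 1
    # realpath resolves symlinks and ../ so the prefix check cannot be bypassed.
    real=$(realpath -e -- "$file" 2>/dev/null) || return 1
    [ -f "$real" ] || return 1
    case "$real" in
        "$real_base"/*) ;;               # must live under the upload directory
        *) return 1 ;;
    esac
    case "${real##*/}" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # no spaces, colons or shell metacharacters
        *.jpg|*.jpeg|*.png|*.gif) ;;     # images only
        *) return 1 ;;
    esac
    printf '%s\n' "$real"
}

main() {
    local src
    src=$(validate_upload "${1:-}" "$UPLOAD_DIR") || {
        echo "Rejected input file." >&2
        exit 1
    }
    # BatchMode makes scp fail instead of prompting; Apache has no terminal.
    scp -o BatchMode=yes -- "$src" "$REMOTE"
}

# With no argument the file only defines its functions (handy for testing).
[ "$#" -eq 0 ] || main "$@"
```

The filename whitelist also excludes colons, which scp would otherwise read as a `host:path` separator in the source argument.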