|  | Help with passthru() |  | |
| | | amalprakash3220 |  |
| Posted: Wed Aug 27, 2008 3:58 pm Post subject: Help with passthru() |  |
Hi, I want to implement a Web based System administration page in PHP. I'm planning to use Apache server, MySQL and Ubuntu/Debian. Can I implement it using the functions passthru(), exec() and system()? I want it to have functions like creating user accounts, changing file permissions and all that you can do using Linux commands. What is the best way to do it? Can it be done without using Perl? |
| |
| | | Jerry Stuckle |  |
| Posted: Wed Aug 27, 2008 3:58 pm Post subject: Re: Help with passthru() |  |
amalprakash3220 wrote:
| Quote: | Hi, I want to implement a Web based System administration page in PHP. I'm planning to use Apache server, MySQL and Ubuntu/Debian. Can I implement it using the functions passthru(), exec() and system()? I want it to have functions like creating user accounts, changing file permissions and all that you can do using Linux commands. What is the best way to do it? Can it be done without using Perl?
|
You can do it, with the right authority. But you need to be very careful - one slip and you can open your system to hackers with all kinds of possibilities.
You might look into webmin - it does much of that already, and is probably more secure than you (or any one person) would write yourself. And there are others out there, also (some commercial).
-- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
| |
| | | Jeff |  |
| Posted: Wed Aug 27, 2008 3:58 pm Post subject: Re: Help with passthru() |  |
| |  | |
Jerry Stuckle wrote:
| Quote: | amalprakash3220 wrote: Hi, I want to implement a Web based System administration page in PHP. I'm planning to use Apache server, MySQL and Ubuntu/Debian. Can I implement it using the functions passthru(), exec() and system()? I want it to have functions like creating user accounts, changing file permissions and all that you can do using Linux commands. What is the best way to do it? Can it be done without using Perl?
You can do it, with the right authority.
|
Can you elaborate on this a bit?
I wanted to run some ImageMagick commands through an exec and ran into permissions issues. Yet, I could do stuff like ls -al. Is this an ownership issue or what?
| Quote: | But you need to be very careful - one slip and you can open your system to hackers with all kinds of possibilities.
You might look into webmin - it does much of that already,
|
I don't believe that there is anyone who really understands webmin. There's a handful of things that I can do in it, but mostly it's inscrutable. Easier to use a command line. I spent a couple weeks trying to figure it out and gave up.
I'd like the same thing. Haven't had time yet to learn bash scripting.
Jeff
| Quote: | and is probably more secure than you (or any one person) would write yourself. And there are others out there, also (some commercial).
|
|
| |
| | | Jerry Stuckle |  |
| Posted: Wed Aug 27, 2008 4:06 pm Post subject: Re: Help with passthru() |  |
| |  | |
Jeff wrote:
| Quote: | Jerry Stuckle wrote: amalprakash3220 wrote: Hi, I want to implement a Web based System administration page in PHP. I'm planning to use Apache server, MySQL and Ubuntu/Debian. Can I implement it using the functions passthru(), exec() and system()? I want it to have functions like creating user accounts, changing file permissions and all that you can do using Linux commands. What is the best way to do it? Can it be done without using Perl?
You can do it, with the right authority.
Can you elaborate on this a bit?
|
Just what I said. You need to study up on Unix security and understand how it works. Then the web server user (if you're using PHP as a module) must have permission to perform the requested operations.
Alternatively you can allow PHP to change its uid, but that's so dangerous you shouldn't even think about it.
| Quote: | I wanted to run some ImageMagick commands through an exec and ran into permissions issues. Yet, I could do stuff like ls -al. Is this an ownership issue or what?
|
Ownership and permissions.
| Quote: | But you need to be very careful - one slip and you can open your system to hackers with all kinds of possibilities.
You might look into webmin - it does much of that already,
I don't believe that there is anyone who really understands webmin. There's a handful of things that I can do in it, but mostly it's inscrutable. Easier to use a command line. I spent a couple weeks trying to figure it out and gave up.
|
I've been using it for quite a while. While I do most of my administration from the command line (because I started doing it long before tools like webmin existed), it does have its uses. And if you're going to get into system stuff like user administration (which often requires root access), it's much more secure than a module you do yourself. I mainly use it when I need to do something but don't have ssh access available (like when I'm at a client site).
It has its uses.
| Quote: | I'd like the same thing. Haven't had time yet to learn bash scripting.
Jeff
and is probably more secure than you (or any one person) would write yourself. And there are others out there, also (some commercial).
|
System security is nothing to fool with. Even if you know all about it (which I don't think any one person does), it's still very easy to miss something. And if a hacker gets it, he can do virtually anything he wants - from using your server to distribute spam, viruses, etc., to completely wiping out your server. He can even change your passwords so you're locked out of your own system. Then it's generally time to wipe the system and reload it from scratch. A lot of hassle for one small error!
-- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
| |
| | | Michael Vilain |  |
| Posted: Thu Aug 28, 2008 2:12 pm Post subject: Re: Help with passthru() |  |
| |  | |
In article <050b0d8e-042b-421a-ae0b-042d4587187c@j22g2000hsf.googlegroups.com>, fred <fred.haab@gmail.com> wrote:
| Quote: | On Aug 27, 11:58 am, amalprakash3220 <amalprakash3...@gmail.com> wrote: Hi, I want to implement a Web based System administration page in PHP. I'm planning to use Apache server, MySQL and Ubuntu/Debian. Can I implement it using the functions passthru(), exec() and system()? I want it to have functions like creating user accounts, changing file permissions and all that you can do using Linux commands. What is the best way to do it? Can it be done without using Perl?
I had a dedicated directory for scripts to be run by the webapp; you might try looking into setuid to give things just enough permissions to accomplish what you need or, failing that, use sudo.
I know people will complain it's a security issue (and it is), but doing system administration over a webserver will never not be a security risk.
Luckily, in my case, it was a server on our intranet, and I wasn't doing system administration, I was simply running a few tasks that couldn't be run as the apache user.
|
Don't use setuid on web scripts! Shame on you for suggesting that highly insecure and dangerous idea. Fred's penance is to filter spam on the servers for 1 week.
Use cgiwrap to run the scripts as the logged in user rather than the web server's ID.
Or better yet, stop re-inventing the wheel and use webmin.
-- DeeDee, don't press that button! DeeDee! NO! Dee... [I filter all Goggle Groups posts, so any reply may be automatically ignored] |
| |
| | | fred |  |
| Posted: Thu Aug 28, 2008 2:54 pm Post subject: Re: Help with passthru() |  |
| |  | |
On Aug 27, 11:58 am, amalprakash3220 <amalprakash3...@gmail.com> wrote:
| Quote: | Hi, I want to implement a Web based System administration page in PHP. I'm planning to use Apache server, MySQL and Ubuntu/Debian. Can I implement it using the functions passthru(), exec() and system()? I want it to have functions like creating user accounts, changing file permissions and all that you can do using Linux commands. What is the best way to do it? Can it be done without using Perl?
|
I had a dedicated directory for scripts to be run by the webapp; you might try looking into setuid to give things just enough permissions to accomplish what you need or, failing that, use sudo.
I know people will complain it's a security issue (and it is), but doing system administration over a webserver will never not be a security risk.
Luckily, in my case, it was a server on our intranet, and I wasn't doing system administration, I was simply running a few tasks that couldn't be run as the apache user. |
| |
| | | Jerry Stuckle |  |
| Posted: Thu Aug 28, 2008 2:55 pm Post subject: Re: Help with passthru() |  |
| |  | |
Michael Vilain wrote:
| Quote: | In article <050b0d8e-042b-421a-ae0b-042d4587187c@j22g2000hsf.googlegroups.com>, fred <fred.haab@gmail.com> wrote:
On Aug 27, 11:58 am, amalprakash3220 <amalprakash3...@gmail.com> wrote: Hi, I want to implement a Web based System administration page in PHP. I'm planning to use Apache server, MySQL and Ubuntu/Debian. Can I implement it using the functions passthru(), exec() and system()? I want it to have functions like creating user accounts, changing file permissions and all that you can do using Linux commands. What is the best way to do it? Can it be done without using Perl? I had a dedicated directory for scripts to be run by the webapp; you might try looking into setuid to give things just enough permissions to accomplish what you need or, failing that, use sudo.
I know people will complain it's a security issue (and it is), but doing system administration over a webserver will never not be a security risk.
Luckily, in my case, it was a server on our intranet, and I wasn't doing system administration, I was simply running a few tasks that couldn't be run as the apache user.
Don't use setuid on web scripts! Shame on you for suggesting that highly insecure and dangerous idea. Fred's penance is to filter spam on the servers for 1 week.
Use cgiwrap to run the scripts as the logged in user rather than the web server's ID.
Or better yet, stop re-inventing the wheel and use webmin.
|
I agree on not doing setuid() for the web server. And cgiwrap will help, also. But you can also create CLI scripts which do specific things (one thing per script). That script can then do a setuid() with a bit of safety.
To do it, you'll need to set the setuid bit for the php executable - which you don't want to allow for everyone. So I suggest making a copy of the executable, set the setuid bit on the copy and only use the copy when you need to do the setuid.
Also, make the pages which call them password protected and only available via ssl.
It's still not totally secure - but it's as secure as using cgiwrap, and about as secure as you can get while having things available via the web server.
-- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
| |
|
|
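As an added example (not code from any poster in this thread), here is one way to apply the advice above of one fixed script per task, reached through sudo instead of a setuid web script, with the request checked before anything runs. The action names, the script paths under /usr/local/lib/webadmin and the matching sudoers rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: one root-owned, non-writable script per task, each
// allowed for the web server user by its own narrow sudoers rule.
const ACTIONS = [
    'lock-user'   => '/usr/local/lib/webadmin/lock-user',
    'unlock-user' => '/usr/local/lib/webadmin/unlock-user',
];
// \A and \z anchor the whole string, so a trailing newline is rejected too.
const USERNAME_RE = '/\A[a-z_][a-z0-9_-]{0,30}\z/';

/** Return the argv for an allowed action, or throw; nothing is executed here. */
function buildArgv(string $action, string $user): array
{
    if (!array_key_exists($action, ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    if (preg_match(USERNAME_RE, $user) !== 1) {
        throw new InvalidArgumentException('rejected user name');
    }
    return ['/usr/bin/sudo', '-n', '--', ACTIONS[$action], $user];
}

/** Run the helper without a shell (array form of proc_open, PHP 7.4+). */
function runAction(string $action, string $user): array
{
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(buildArgv($action, $user), $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start helper');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Constructed inputs: only the first pair passes validation.
foreach ([['lock-user', 'alice'], ['lock-user', 'alice; id'], ['format-disk', 'alice']] as [$a, $u]) {
    try {
        echo implode(' ', buildArgv($a, $u)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "refused ($a): ", $e->getMessage(), PHP_EOL;
    }
}
```

Because the command is passed as an array, no shell parses the user name, and the allowlist means the web request can only select among scripts an administrator installed.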