Posted by Matthew Weier O'Phinney on 10/19/02 11:24
First off, Roger, Thomas, not sure which is your given name -- please
use a mail or news agent that will wrap your lines with linebreaks at 72
characters. Some of us are on text-based clients, and it's difficult to
read your posts when they extend beyond the screen boundaries... ;-)
* Roger Thomas <sniper@home.net.my> :
> OK. I am able to setup remote key authentication between svrA and
> svrB. From svrA I can login to svrB with something like
> [www@svrA www]$ ssh www@svrB
>
> and I can also execute a shell script like
> [www@svrA www]$ ssh www@svrB /tmp/test.sh
>
> On svrA I have a PHP script like so:
> <?
> system('ssh www@svrB /tmp/test.sh someDIR');
> ?>
>
> /tmp/test.sh on svrB is only a one liner like so:
> mkdir /tmp/$1
>
> I ran the script from the browser but the /tmp/someDIR is not created :(
> Could it be that user nobody on svrA is *not* allowed to connect to
> svrB because the public key belongs to user www ? How do I rectify
> this ?
>
> In the actual situation, I need to execute a shell script in svrB
> (from browser served by Apache on svrA) that only root can run. Please
> advise. I am getting very worried.
Okay, I should have been a little more explicit.
There are two ways I've done this. The initial details are different,
but the final call is pretty much the same.
1. Using sudo
'sudo' allows users to run commands as different users. In this case,
we want the user running the web server (usually www, apache, or
nobody) to run ssh, or a script that executes the ssh command, as a
normal user. I usually opt for the latter, and create a script such
as:
#!/bin/bash
exec ssh user@svrA /path/to/remote/script
and save it in /usr/local/bin. Then, edit sudoers (usually executing
'visudo' as root), and add a line like
nobody ALL = (username) NOPASSWD: /usr/local/bin/SCRIPTNAME
What this does is to allow the user 'nobody' (or whomever runs the
web server process) to execute /usr/local/bin/SCRIPTNAME as
'username', and they do not need to enter a password to do so
(normally with sudo you do).
You'll need to restart the webserver after granting the sudo
privileges.
In this scenario, the normal user, specified by 'username' above,
needs to have the SSH keys set up between the servers.
2. Give the web user a home directory
The other option is to set up a home directory for the web user. This
will mean editing the /etc/passwd file to give the web user both a
home directory and a shell; these are the last two items in the colon
delimited list. A sample entry might look like:
nobody:x:65534:65534:nobody:/var/www:/bin/bash
Once you've done this, restart the web server. At this point, you'll
then need to become the web user briefly in order to:
* generate an SSH key
* send the key to the remote server
Then, on the remote server, add the SSH key to the appropriate user
on that system.
Good luck!
> Quoting Matthew Weier O'Phinney <mweierophinney@gmail.com> :
>
> > * Roger Thomas <sniper@home.net.my> :
> > > My PHP script is in svrA. How do I run a shell script in svrB?
> > > svrB does not have PHP and Apache :(
> > > Is this at all possible? Please advise.
> >
> > Use ssh. You will have to setup remote key authentication from svrA to
> > svrB (so that a password will not be needed), and then in your script
> > you would call:
> >
> > system('ssh svrB /path/to/scriptToRun');
--
Matthew Weier O'Phinney
Zend Certified Engineer
http://weierophinney.net/matthew/
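An added example, not from the thread, of the sudo-invoked wrapper described in option 1 above, with the one thing the thread's one-liner (mkdir /tmp/$1) leaves out: the browser-supplied directory name is checked before it is handed to ssh, because that name ends up inside the command string the remote shell runs. The script name /usr/local/bin/mkremote, the user/host www@svrB and the path /tmp/test.sh are taken from or assumed for this thread.

```shell
#!/bin/sh
# Hypothetical wrapper installed as /usr/local/bin/mkremote (added example,
# not from the original thread). The web-server user runs it through sudo
# with an entry such as (visudo):
#   nobody ALL = (www) NOPASSWD: /usr/local/bin/mkremote
# and PHP calls:  system('sudo /usr/local/bin/mkremote someDIR');

REMOTE_USER=www             # assumption: account holding the SSH key on svrB
REMOTE_HOST=svrB
REMOTE_SCRIPT=/tmp/test.sh  # the 'mkdir /tmp/$1' one-liner from the thread

# Accept only a plain directory name: first character from [A-Za-z0-9_],
# the rest from [A-Za-z0-9._-], at most 64 characters. This rejects '/',
# '..', a leading '-' (read as an option by ssh or mkdir), whitespace and
# newlines, any of which would change the remote command.
valid_dirname() {
    case $1 in
        '' | [!A-Za-z0-9_]*)  return 1 ;;   # empty, or bad leading char
        *[!A-Za-z0-9._-]*)    return 1 ;;   # any other character anywhere
    esac
    [ "${#1}" -le 64 ]
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 DIRNAME" >&2; return 2; }
    valid_dirname "$1" || { echo "rejected directory name: $1" >&2; return 1; }
    # BatchMode makes ssh fail immediately instead of prompting when the key
    # is not set up, which is what a request served by Apache needs.
    # On svrB, the key in ~www/.ssh/authorized_keys can additionally carry
    # from="svrA",no-pty so it is not usable for an interactive login.
    exec ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$REMOTE_USER@$REMOTE_HOST" "$REMOTE_SCRIPT" "$1"
}

# Only act when given arguments, so the functions above can be sourced
# and checked without reaching svrB.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```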