|
Posted by Rory Browne on 09/03/05 18:04
On 9/3/05, Michelle Konzack <linux4michelle@freenet.de> wrote:
> Hello *,
>
> for an half hour I was at a new customer and they run apache 1.3 as
> root on am IntranetServer because they need to admin there Fileserver
> via php.
>
> Now some problems:
>
> 1) They use exec("mcrypt ....") to generate UNIX passwords for
> /etc/shadow and I like to know, how I can create suitable md5
> passwords for it from php.
I'm not totally sure on the format of the passwords in /etc/shadow,
but can you do anything with php's md5 function? If not, then perhaps
the mcrypt extension may do something for you.
>
> 2) I like to run apache as www-data and not as root. How I must
> setup php/apache that I can do root-stuff because I need to run
>
> exec("useradd -c $WA_COMMENT -d $WA_HOME_DIR \
> -e $WA_EXPIRE_DATE -f $WA_INACTIVE_TIME \
> -g $WA_INITIAL_GROUP -G $WA_GROUPS \
> -m -k $WA_SKELETON_DIR -s $WA_SHELL \
> -u $WA_UID -p $WA_PASS_MCRYPT $WA_LOGIN")
First of all you inform your client that they are insane. Running
apache as root is completely unnecessary.
to perform the above I'd use a combination of
suExec/suPHP/somethingLikeThat and sudo. I'd create a user called
webuserman (Web User Manager), or something like that, and have the
script run as webuserman. I'd change the useradd..... to sudo
useradd....., and mod the /etc/sudoers file to allow webuserman user
to call the useradd command as root(through sudo).
If you are a lazy bastard, with very little concern for security(which
it seems you're not), you could simply run the script as www-data, and
have sudo allow www-data to do an adduser. I would oppose this
however, in that any php script would be able to use it.
Also make sure you escape your shell arguments.
>
> Thanks and nice wekend
> Michelle
>
> --
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> Michelle Konzack Apt. 917 ICQ #328449886
> 50, rue de Soultz MSM LinuxMichi
> 0033/3/88452356 67100 Strasbourg/France IRC #Debian (irc.icq.com)
>
>
>
[Back to original message]
|