[nycphp-talk] Safely running root commands
Mitch Pirtle
mitch.pirtle at gmail.com
Sun Feb 27 20:22:16 EST 2005
On Sun, 27 Feb 2005 19:23:47 -0500, Faber Fedor <faber at linuxnj.com> wrote:
>
> I've thought of three ways to do it: 1) have the sysadmin create a sudo
> user that can run the given commands with no password, 2) create a
> sudo user and store his name and password outside of the document root,
> or 3) write some C wrappers and set them suid. I'm not crazy about any
> of these solutions.
When faced with these options, I would choose #1.
> Anybody else have a better idea?
Well back in the old days I would copy the binaries required (when
possible) to a separate path for the httpd/apache user, but I was
always very careful to restrict what the apache user could do.
Your OS on the server may also provide some extra protection (chroot
jails etc.). I'm definitely interested to see what everyone else would
do in this situation.
-- Mitch
More information about the talk
mailing list