A lot depends on how your server is configured. Are you using mod_suexec? If so, what have you set the CGI user to for your virtual host? Is that user given rights in the sudoers file? If not, what rights have you given the server user (e.g. apache) in the sudoers group? Without mod_suexec all scripts run with the rights of the server-wide CGI user (i.e. the user directive in your apache configuration file)
Do you have FollowSymLinks turned on? What is the <Directory> directive set to for /usr/bin, /usr/sbin? On a secure server you will probably have told Apache not to access those directories at all and following symbolic links is probably turned off as well.
In general, exercising sensitive root level commands through a web interface is a really bad idea security wise.
To implement it you would have to violate a key security principle: give services only the rights they need to run and no more. Most of the changes you would have to make would also make your server in general wide open to attack. For example, adding apache to sudoers with ALL rights would essentially let anyone who hacked into your server account also be able to root your entire machine. Knowing the password for the apache user would be enough to run any script for which the apache user had sudoer rights.
And if you've hard coded the password in the script (your code looks like you have) or turned off the password requirement in the sudoer's file because prompting for it got in the way of your CGI script, you'll have even more problems. Even if you were using mod_suexec anyone with rights to install and run CGI scripts for that particular virtual host would share your root privileges with you!
Even if it is a pain, you are still better off doing your root level administration via an ssh connection rather than the web interface. You have much more control over who gets what rights that way.
If you really must do web based root level administration, you would be better off
- Creating a special virtual host for the purpose
- Installing and configuring mod_suexec if you haven't already
- Assigning a special CGI user for the virtual host. - Do not use yourself as this user. You probably have more rights than you want this virtual host to have.
- Making sure this user is defined without a login shell and is used only to run scripts for this virtual host. There are people out there who operate bots that scan the internet for IP addresses with open ports and hit servers with brute force password attacks. Disabling the login account reduces the risk that one of these will work.
- Setting file permissions on the virtual hosts document root and below so that only that CGI user can read and write files to the virtual host.
- Giving that CGI user the most limited permissions possible in the sudoers file. And DO NOT TURN OFF password permissions.
- Prompting for the password in real time. NEVER HARD CODE a password with root privileges in a script!
- Allowing access to the virtual host only through https (passwords entered via http are sent clear text to the server opening you up to a man in the middle attack)
- Limiting human users who have access to the virtual host to the smallest possible set of users. Consider using mod_pam to handle user authorization. This would allow you to closely align the OS's user account permissions with the sudo-enabled virtual host. It would also give you more authentication options than the standard Apache user authorization system
- Turning off symbolic links. If symbolic links are on someone can get access to a prohibited file merely by depositing a file in an accessible directory and linking to the prohibited directory. Instead copy the root level commands you need to a privileged directory that is only accessible by this special CGI user. You'll also have to find any libraries they use and copy them to a special directory as well.
But again, I still think this is a really bad idea. Use ssh, preferrably on an account with PPK only access.
Best, beth
Update: added comments about mod_pam
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.