Author Topic: apache help  (Read 1382 times)

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« on: 3 November 2002, 05:16 »
I am wanting to make a script (which is password protected of course) that will use the useradd command. Of course I need to be root to do this, but it's just stupid to run a webserver as root. Anyone know of a smart way i could go about doing this?

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache help
« Reply #1 on: 3 November 2002, 05:46 »
Not sure what you are getting at. Do you mean you want to write a CGI program so you can add a user through a web based interface? If so check out http://www.webmin.com/ and even though you start the web server (Apache) as root it spawn supprocesses that are run under the user "apache" with very limited capability. So you *really* aren't running the web server as root. If someone were to exploit a hole they would only get the limited privelages of the "apache" user.
Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« Reply #2 on: 3 November 2002, 06:13 »
quote:
Originally posted by void main:
Not sure what you are getting at. Do you mean you want to write a CGI program so you can add a user through a web based interface? If so check out http://www.webmin.com/ and even though you start the web server (Apache) as root it spawn supprocesses that are run under the user "apache" with very limited capability. So you *really* aren't running the web server as root. If someone were to exploit a hole they would only get the limited privelages of the "apache" user.


I have webmin... that's not what i'm looking for though. i want to make my own script that will execute useradd as root. i hear suexec may work but i dont know anything about it

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache help
« Reply #3 on: 3 November 2002, 06:28 »
quote:
Originally posted by Stryker:


I have webmin... that's not what i'm looking for though. i want to make my own script that will execute useradd as root. i hear suexec may work but i dont know anything about it



I haven't used suexec and I don't believe you can do root privelaged things, only privelages of other users. However, I have done similar things using a "system()" call in PHP to "sudo".

[ November 02, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« Reply #4 on: 3 November 2002, 06:31 »
quote:
Originally posted by void main:


suexec is exactly what you would want to use under Apache. I believe it is much like "sudo" as far as how it works and it's configuration. I assume you'll want to use htpaccess/htpasswd to password protect the page, if so you might want to do the authentication over https. However, I have done similar things using a "system()" call in PHP to "sudo".

[ November 02, 2002: Message edited by: void main ]



I have htpasswd and a .htaccess to protect the page. But I have no idea how to use sudo or suexec... have any good links?

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache help
« Reply #5 on: 3 November 2002, 06:38 »
Can it be in PHP or Perl?  Which do you prefer? I can whip up an example in either and give you an example of the /etc/sudoers file that will allow this.
Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« Reply #6 on: 3 November 2002, 06:41 »
quote:
Originally posted by void main:
Can it be in PHP or Perl?  Which do you prefer? I can whip up an example in either and give you an example of the /etc/sudoers file that will allow this.


Actually this page is running through a bash script... but if anything else it'd be perl

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache help
« Reply #7 on: 3 November 2002, 06:55 »
Well I could do it in bash as well. No biggy.
Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« Reply #8 on: 3 November 2002, 06:56 »
well then bash it is. I got apache to execute useradd... put i'm working on the encrypted password for the -p parameter now...

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache help
« Reply #9 on: 3 November 2002, 07:03 »
quote:
Originally posted by Stryker:
well then bash it is. I got apache to execute useradd... put i'm working on the encrypted password for the -p parameter now...


Did you do it with suexec?
Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« Reply #10 on: 3 November 2002, 07:04 »
quote:
Originally posted by void main:


Did you do it with suexec?



nope, it's sudo... i looked at the /etc/sudoers and it explained what i needed.

You have any idea how i can go about encypting the password so that it will work with useradd -p?

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache help
« Reply #11 on: 3 November 2002, 07:17 »
Why not just add the user with "adduser" and set the password with "passwd"? Something like:

echo "$password" | sudo /usr/bin/passwd --stdin $username

[ November 02, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« Reply #12 on: 3 November 2002, 07:54 »
quote:
Originally posted by Ex Eleven / b0b 2.1:
Id make a PHP script if i was doing that!


i'm on a perl page now and am having problems... this is what i have.

system("echo","$form{'pass'}","|","sudo","passwd","--stdin","$form{'user'}");

nevermind... i got it now... sorry

[ November 02, 2002: Message edited by: Stryker ]


voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache help
« Reply #13 on: 3 November 2002, 07:57 »
quote:
Originally posted by Stryker:
system("echo","$form{'pass'}","|","sudo","passwd","--stdin","$form{'user'}");



You should just be able to do:

system("echo \"$form{'pass'}\" | sudo passwd --stdin   $form{'user'}");

[ November 02, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
apache help
« Reply #14 on: 3 November 2002, 08:05 »
quote:
Originally posted by void main:


You should just be able to do:

system("echo \"$form{'pass'}\" | sudo passwd --stdin   $form{'user'}");

[ November 02, 2002: Message edited by: void main ]



yeah... i figured that out right after posting.

In the past i've had commands not work that way though, so i didn't think of trying. well, thanks for the help.