[TriLUG] Executing admin commands in PHP

Joshua Gitlin josh at glowfilms.com
Wed Jul 9 11:56:15 EDT 2003


Hey guys,

A client of mine wants me to develop and host a website that will have 
multiple domains, and he wants to be able to add domains at a later 
date... so basically I need to build a PHP Application which can add a 
VirtualHost directive to a special apache configuration file, add an 
entry to /etc/named.conf, create a file to /var/named/newhost.hosts and 
fill it with the DNS info, and then reload apache and Bind. For many of 
these things, I can create "special" configuration files which the 
webserver has permissions to modify, and then include these special 
files in my normal config files. (I.E. in httpd.conf, Include 
~client/extrahosts.conf and chown apache ~client/extrahosts.conf)... if 
I do that, the Webserver will have permission to *configure* the new 
domains but not restart the servers... here are my questions:

1. Is this a really, really, really bad idea? Because it sounds to me 
like giving the webserver access to anything besides webpages could be 
the making of a security flaw. (And if it is, I'll figure out a more 
secure way to do this, for sure!)

2. How can I implement this? Is there a way in PHP to setuid, so I can 
call `/etc/init.d/httpd reload` and `/etc/init.d/named reload`? Do I 
have to run two apache servers, one running as root? Can I add apache 
to the sudoers file, granting it access to those two commands?

3. Will calling `/etc/init.d/httpd reload` from within httpd cause 
nasty things™ to happen?

4. Any other suggestions on how to do this? Is there a way to set up a 
generic apache host that will "decide" (via PHP or whatever) which 
documents to serve without modifying config files?

Thanks guys!

Joshua Gitlin
Lead Web Designer
Glow Films, Inc.
http://www.glowfilms.com/
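
The include-file approach described in the message, as an added example that is not part of the original post: a PHP helper that accepts only a plain DNS name before appending a VirtualHost stanza to the webserver-writable include file. The function names, the `*:80` listener, the document root layout and the sample hostnames are assumptions.

```php
<?php
// Added example. Function names, paths and the *:80 listener are assumptions.

// Return the normalised hostname if it is a plain DNS name, otherwise null.
function validate_hostname(string $input): ?string
{
    $host = strtolower(trim($input));
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // Label: 1-63 chars of a-z, 0-9, hyphen; no leading or trailing hyphen.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    // \A and \z anchor the whole string: no whitespace or directive text gets through.
    if (!preg_match('/\A' . $label . '(?:\.' . $label . ')+\z/', $host)) {
        return null;
    }
    return $host;
}

// Build the stanza only from the validated name and a fixed base directory.
function render_vhost(string $host, string $docRootBase): string
{
    return "<VirtualHost *:80>\n"
         . "    ServerName $host\n"
         . "    DocumentRoot $docRootBase/$host\n"
         . "</VirtualHost>\n";
}

// Append a stanza to the include file; refuse invalid or duplicate names.
function append_vhost(string $confFile, string $input, string $docRootBase): bool
{
    $host = validate_hostname($input);
    if ($host === null) {
        return false;
    }
    $existing = is_file($confFile) ? (string) file_get_contents($confFile) : '';
    $dup = '/^\s*ServerName\s+' . preg_quote($host, '/') . '\s*$/mi';
    if (preg_match($dup, $existing)) {
        return false;
    }
    $stanza = render_vhost($host, $docRootBase);
    return file_put_contents($confFile, $stanza, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample input, written to a temporary file rather than a live config.
$conf = tempnam(sys_get_temp_dir(), 'vhosts');
var_dump(append_vhost($conf, 'newhost.example.org', '/var/www/sites'));
var_dump(append_vhost($conf, "newhost.example.org\nServerAlias *", '/var/www/sites'));
```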