[TriLUG] Re: [php-list] Executing admin commands in PHP

Mark mark_weinstock at yahoo.com
Wed Jul 9 14:44:13 EDT 2003


What you might want to do is all the prep work via the web page, but
then send an email to a person who needs to kick off a process on the
server to "include" the appropriate date into the conf files.

So you might have a set of *.conf.tmp files that get created by the
web site, and then a shell script or batch process that reads these
files and updates the actual conf files with their contents.

Only an "admin" would be able to run the shell script.

Or is that a truly BAD idea?

--- Joshua Gitlin <josh at glowfilms.com> wrote:
> Hey guys,
>
> A client of mine wants me to develop and host a website that will have
> multiple domains, and he wants to be able to add domains at a later
> date... so basically I need to build a PHP Application which can add a
> VirtualHost directive to a special apache configuration file, add an
> entry to /etc/named.conf, create a file to /var/named/newhost.hosts and
> fill it with the DNS info, and then reload apache and Bind. For many of
> these things, I can create "special" configuration files which the
> webserver has permissions to modify, and then include these special
> files in my normal config files. (I.E. in httpd.conf, Include
> ~client/extrahosts.conf and chown apache ~client/extrahosts.conf)... if
> I do that, the Webserver will have permission to *configure* the new
> domains but not restart the servers... here are my questions:
>
> 1. Is this a really, really, really bad idea? Because it sounds to me
> like giving the webserver access to anything besides webpages could be
> the making of a security flaw. (And if it is, I'll figure out a more
> secure way to do this, for sure!)
>
> 2. How can I implement this? Is there a way in PHP to setuid, so I can
> call `/etc/init.d/httpd reload` and `/etc/init.d/named reload`? Do I
> have to run two apache servers, one running as root? Can I add apache
> to the sudoers file, granting it access to those two commands?
>
> 3. Will calling `/etc/init.d/httpd reload` from within httpd cause
> nasty things™ to happen?
>
> 4. Any other suggestions on how to do this? Is there a way to set up a
> generic apache host that will "decide" (via PHP or whatever) which
> documents to serve without modifying config files?
>
> Thanks guys!
>
> Joshua Gitlin
> Lead Web Designer
> Glow Films, Inc.
> http://www.glowfilms.com/


=====
Mark Weinstock
mark_weinstock at yahoo.com
***************************************
You can't demand something as a "right" unless you are willing to fight to death to defend everyone else's right to the same thing.
***************************************
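
Added example, not part of the original post: the admin-run side of the staging scheme described in the reply above, with one change. Instead of copying the web-written `*.conf.tmp` contents into the real config, it assumes each staged file holds one requested hostname per line, validates each name, and generates the VirtualHost stanza from a fixed template. The function names, the one-name-per-line format and the `/var/www/vhosts` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): admin-run half of the staging scheme.
# Assumption: the web app writes one requested hostname per line into
# *.conf.tmp files. Those files are untrusted input, never config text.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII only

# Accept only lowercase DNS names: dot-separated labels of [a-z0-9-].
valid_hostname() {
    [ "${#1}" -le 253 ] || return 1
    case $1 in ''|*[!a-z0-9.-]*) return 1 ;; esac   # also rejects spaces, newlines, quotes
    printf '%s\n' "$1" |
        grep -Eqx '([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}'
}

# Emit a stanza from a fixed template; only the validated name varies.
# /var/www/vhosts is a hypothetical path.
render_vhost() {
    printf '<VirtualHost *:80>\n    ServerName %s\n' "$1"
    printf '    DocumentRoot /var/www/vhosts/%s\n</VirtualHost>\n' "$1"
}

# process_staging DIR OUT: build OUT from every DIR/*.conf.tmp.
# Returns 1 if any line was rejected, so the admin reviews before reloading.
process_staging() {
    rc=0
    : > "$2"
    for f in "$1"/*.conf.tmp; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue   # ignore symlinks in the staging dir
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            [ -n "$line" ] || continue
            if valid_hostname "$line"; then
                render_vhost "$line" >> "$2"
            else
                # Report position only; do not echo untrusted bytes to the terminal.
                echo "rejected: $f line $n" >&2
                rc=1
            fi
        done < "$f"
    done
    return "$rc"
}

# Constructed sample input: two valid requests and one smuggled directive.
demo_dir=$(mktemp -d)
printf 'shop.example.com\nblog.example.org\n' > "$demo_dir/a.conf.tmp"
printf 'x.example.net DocumentRoot /\n' > "$demo_dir/b.conf.tmp"
process_staging "$demo_dir" "$demo_dir/extrahosts.conf" || echo "review rejects before reload"
cat "$demo_dir/extrahosts.conf"
```

The generated file is what the real config would `Include`; the reload stays a separate step run by the admin after checking for rejects.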
