09-16-2010, 06:21 PM
"Elliott, Andrew"

Automation of Administrative Tasks on an RHEL Box

I'd say sudo first...

If that doesn't work:

Have a root cron job that runs a script located in /var/www/html
Write a php script that parses the values from the web form into the
script to be run by root...then include an /sbin/service network restart
at the end...

It should work that way...even if the web server is chrooted (as root
can see inside the chroot)...


-----Original Message-----
From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com] On Behalf Of Devarishi Kumar Mahadeva
Sent: Thursday, September 16, 2010 1:56 PM
To: redhat-list@redhat.com
Subject: Automation of Administrative Tasks on an RHEL Box

Hi All,


Here is a good scenario of Automation of Administrative Tasks (it was presented before me in an interview at a Defense Department, Navy):

Design a Web Interface using PHP (we can use Perl also) that has fields for:

IP Address, Default Gateway, Subnet Mask, etc. and when the values are submitted the Linux Server (RHEL) should be able to process the request and change the Network information accordingly and restart the Network Services. (It is noteworthy that such a Web Interface is to be used on an Intranet and is for testing purpose only, we really do not intend to invite any security vulnerabilities by allowing anyone to change the Network Settings.)

The only point here is how to get a (CGI-)Script (PHP or Perl) to be able to perform the tasks of an Administrator, i.e. execute commands that only the root user or a user with some root privileges can issue.

We can easily pass values to a PHP / Perl or even to a Shell Script program on the server.... in /var/www/cgi-bin or /var/www/html directories. But how will it run with the root privileges?

With regards,

Devarishi Kumar Mahadeva.

________________________________

(UNIX Application Support)
HCL Technologies Ltd.,
Infra Tower, Plot No. A 3, Sector 126,
SEZ Noida (Uttar Pradesh) - India.
Mobile No.: +919999355295

________________________________



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

 
09-16-2010, 06:26 PM
"Elliott, Andrew"

Automation of Administrative Tasks on an RHEL Box

You could also do it with an SUID or GUID....

But that's dependent on a few scenarios...

-----Original Message-----
From: redhat-list-bounces@redhat.com
[mailto:redhat-list-bounces@redhat.com] On Behalf Of Marti, Robert
Sent: Thursday, September 16, 2010 2:06 PM
To: General Red Hat Linux discussion list
Cc: redhat-list@redhat.com
Subject: Re: Automation of Administrative Tasks on an RHEL Box

sudo would work.



Sent from my iPhone

 
09-16-2010, 06:27 PM
Sanjay Chakraborty

Automation of Administrative Tasks on an RHEL Box

> sudo would work.
true.

Besides sudo, RHEL 5 works well with ACL (it is part of default
setting in filesystem level in super block). Add user or group in ACL
(access control list) and the user can do the thing.
See man page of setfacl/getfacl

--
Regards.
Sanjay Chakraborty

 
09-16-2010, 06:30 PM
"Elliott, Andrew"

Automation of Administrative Tasks on an RHEL Box

It would, but only if the sudoers file has been configured to give the apache (or www user account) access to run scripts as root...

I'm pretty sure that nobody puts their apache user in the sudoers file...

 
09-16-2010, 06:36 PM
"Marti, Robert"

Automation of Administrative Tasks on an RHEL Box

Hey - he's already allowing anonymous changes to his network stack. Might as well go nuts.

Rob Marti

 
09-17-2010, 09:06 PM
Mike Hanby

Automation of Administrative Tasks on an RHEL Box

Modify sudoers to allow only specific commands to be run as the apache user with NOPASSWD, and not a blanket "apache ALL=(ALL) NOPASSWD: ALL".

An alternative method would be to use a tool like Puppet or CFEngine to make the changes, and if they absolutely have to have a web interface, write a web interface that will allow you to make those specific changes to the related puppet/cfengine files. Those tools would then push out the changes.

Mike
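
An added example, not part of the original thread or any poster's code: a root-owned helper of the kind the restricted-sudoers suggestion above implies, which validates the three form values before it touches the network configuration. The path /usr/local/sbin/set-net, the sudoers line, the eth0 interface and the function names are assumptions; the same checks apply if a root cron job, as in the first reply, reads submitted values from a file instead of running a script the web server can write.

```sh
#!/bin/sh
# Added example (not from the thread). Root-owned helper, installed at the
# hypothetical path /usr/local/sbin/set-net, mode 0755, owner root, and kept
# outside /var/www so the web server account cannot modify it.
# Hypothetical sudoers entry (edit with visudo): one command, not ALL:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/set-net
# The web script would then run: sudo /usr/local/sbin/set-net IP MASK GW
# Assumptions: interface eth0, RHEL-style ifcfg file.
IFCFG=/etc/sysconfig/network-scripts/ifcfg-eth0

# Succeed only for a strict dotted quad with every octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs     # safe: no glob characters left
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Succeed only for a contiguous netmask such as 255.255.255.0.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    _rest=any
    for _o in "$@"; do
        if [ "$_rest" = zero ]; then
            [ "$_o" -eq 0 ] || return 1
        else
            case $_o in
                255) ;;
                0|128|192|224|240|248|252|254) _rest=zero ;;
                *) return 1 ;;
            esac
        fi
    done
    return 0
}

# Print the ifcfg contents, or fail without output if any value is invalid.
render_ifcfg() {
    valid_ipv4 "$1" && valid_netmask "$2" && valid_ipv4 "$3" || return 1
    printf 'DEVICE=eth0\nBOOTPROTO=static\nONBOOT=yes\n'
    printf 'IPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$1" "$2" "$3"
}

apply_settings() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    _cfg=$(render_ifcfg "$@") || { echo "rejected input" >&2; return 1; }
    printf '%s\n' "$_cfg" > "$IFCFG" && /sbin/service network restart
}

# Act only when called with exactly three arguments.
if [ "$#" -eq 3 ]; then apply_settings "$@"; fi
```

Because the helper takes only values and builds the file itself, the web account never supplies a command or a path, and anything other than digits and dots is rejected before root writes a byte.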
 
