Have a root cron job that runs a script located in /var/www/html.
Write a PHP script that parses the values from the web form into the script to be run by root... then include an /sbin/service network restart at the end...
It should work that way... even if the web server is chrooted (as root can see inside the chroot)...
-----Original Message-----
From: redhat-list-bounces@redhat.com
[mailto:redhat-list-bounces@redhat.com] On Behalf Of Devarishi Kumar
Mahadeva
Sent: Thursday, September 16, 2010 1:56 PM
To: redhat-list@redhat.com
Subject: Automation of Administrative Tasks on an RHEL Box
Hi All,
Here is a good scenario of Automation of Administrative Tasks (it was presented before me in an interview at a Defense Department, Navy):
Design a Web Interface using PHP (we can use Perl also) that has fields for:
IP Address, Default Gateway, Subnet Mask, etc. and when the values are submitted the Linux Server (RHEL) should be able to process the request and change the Network information accordingly and restart the Network Services. (It is noteworthy that such a Web Interface is to be used on an Intranet and is for testing purpose only, we really do not intend to invite any security vulnerabilities by allowing anyone to change the Network Settings.)
The only point here is how to get a (CGI-)Script (PHP or Perl) to be able to perform the tasks of an Administrator, i.e. execute commands that only the root user or a user with some root privileges can issue.
We can easily pass values to a PHP / Perl or even to a Shell Script program on the server.... in /var/www/cgi-bin or /var/www/html directories. But how will it run with the root privileges?
With regards,
Devarishi Kumar Mahadeva.
________________________________
(UNIX Application Support)
HCL Technologies Ltd.,
Infra Tower, Plot No. A 3, Sector 126,
SEZ Noida (Uttar Pradesh) - India.
Mobile No.: +919999355295
________________________________
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
09-16-2010, 06:26 PM
"Elliott, Andrew"
Automation of Administrative Tasks on an RHEL Box
You could also do it with an SUID or GUID....
But that's dependent on a few scenarios...
-----Original Message-----
From: redhat-list-bounces@redhat.com
[mailto:redhat-list-bounces@redhat.com] On Behalf Of Marti, Robert
Sent: Thursday, September 16, 2010 2:06 PM
To: General Red Hat Linux discussion list
Cc: redhat-list@redhat.com
Subject: Re: Automation of Administrative Tasks on an RHEL Box
sudo would work.
Sent from my iPhone
09-16-2010, 06:27 PM
Sanjay Chakraborty
Automation of Administrative Tasks on an RHEL Box
> sudo would work.
true.
Besides sudo, RHEL 5 works well with ACLs (it is part of the default settings at the filesystem level in the superblock). Add the user or group to the ACL (access control list) and the user can do the thing.
See man page of setfacl/getfacl
--
Regards.
Sanjay Chakraborty
09-16-2010, 06:30 PM
"Elliott, Andrew"
Automation of Administrative Tasks on an RHEL Box
It would, but only if the sudoers file has been configured to give the apache (or www user account) access to run scripts as root...
I'm pretty sure that nobody puts their apache user in the sudoers file...
09-16-2010, 06:36 PM
"Marti, Robert"
Automation of Administrative Tasks on an RHEL Box
Hey - he's already allowing anonymous changes to his network stack. Might as well go nuts.
Rob Marti
09-17-2010, 09:06 PM
Mike Hanby
Automation of Administrative Tasks on an RHEL Box
Modify sudoers to allow only specific commands to be run as the apache user with NOPASSWD, and not a blanket "apache ALL=(ALL) NOPASSWD: ALL".
An alternative method would be to use a tool like Puppet or CFEngine to make the changes, and if they absolutely have to have a web interface, write a web interface that will allow you to make those specific changes to the related puppet/cfengine files. Those tools would then push out the changes.
Mike
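The restricted-sudoers approach from the last reply, and the root-run script from the first one, both depend on the privileged side checking the form values itself. The following is an added example, not code from the thread: a POSIX sh helper that validates the address, netmask and gateway and only then prints the interface file content. The path /usr/local/sbin/set-net, the device eth0 and all function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical root-owned helper kept
# outside the web root (assumed path), reachable via one narrow sudoers rule:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/set-net
# ifcfg-* files are sourced as shell by the RHEL network scripts, so every
# value is validated here, on the privileged side, before it is written.

# Dotted quad, octets 0-255, no leading zeros, nothing but digits and dots.
valid_ipv4() (
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$o" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
)

# Netmask must be contiguous: 255s, at most one partial octet, then zeros.
valid_netmask() (
    valid_ipv4 "$1" || return 1
    IFS=.; set -- $1; tail=0
    for o in "$@"; do
        if [ "$tail" -eq 1 ]; then
            [ "$o" -eq 0 ] || return 1
        else
            case $o in
                255) ;;
                0|128|192|224|240|248|252|254) tail=1 ;;
                *) return 1 ;;
            esac
        fi
    done
)

# Address as a 32-bit integer, for the subnet comparison below.
to_int() ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )

# Print ifcfg content for eth0 (assumed device) or fail without output.
render_ifcfg() (
    valid_ipv4 "$1" && valid_netmask "$2" && valid_ipv4 "$3" || return 1
    m=$(to_int "$2")
    [ $(( $(to_int "$1") & $m )) -eq $(( $(to_int "$3") & $m )) ] || return 1
    printf 'DEVICE=eth0\nBOOTPROTO=static\nONBOOT=yes\n'
    printf 'IPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$1" "$2" "$3"
)

# Entry point: installing the file and "/sbin/service network restart" follow only on success.
if [ "$#" -eq 3 ]; then
    render_ifcfg "$@" || { echo "rejected: invalid network settings" >&2; exit 1; }
fi
```

The web page passes the three values as separate arguments and never builds a command string; anything the helper rejects leaves the existing configuration untouched.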