views: 159
answers: 2

I have some functionality that interfaces with the server's OS in my web application. I've written a bash script and am able to run it from within my app.

However, some functionality of the script requires superuser privileges.

What is the most sane way to run this script securely? It is being passed arguments from a web form, but should only be able to be called by authenticated users that I trust not to haxxor it.

+4  A: 

Whichever way you do this is likely to be very dangerous. Can you perhaps write a local daemon with the required privileges, and use some sort of message bus that produces/consumes events to be processed by this superuser-requiring component?

That way, you can carefully validate the contents of the message, and reduce the likelihood of exploitation.

Chaos
+2  A: 

What is the most sane way to run this script securely?

If you really care about security, require the web client to provide a passphrase and use an ssh key. Then run the script under ssh-agent, and for the sensitive parts do ssh root@localhost command.... You probably will want to create ssh keypairs just for this purpose, as typing one's normal SSH passphrase into a web form is not something I would do (who trusts your web form, anyway?).

If you don't want quite this much security, and if you really, really believe that your web form can correctly authenticate its users, without any bugs, you could instead decide to trust the web server to run the commands you need. (I wouldn't.) In this case I would use the /etc/sudoers file to allow the web server to run the commands of interest without providing a password. Then your script should use sudo to run those commands.

Norman Ramsey
I went with the `sudoers` approach - I think it should be secure *enough*. I'm sanitizing all input with regexes and using a common authentication plugin and feel comfortable that this approach should be ok. Thanks :)
nfm
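The sudoers variant of Norman Ramsey's answer, as an added example (not code from the question or either answer): the privileged-side wrapper that the sudoers rule points at, with the over-broad rule shown beside a scoped one. The user name `www-data`, the wrapper path, the service labels and the unit names are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or answers: the privileged side of
# the sudoers approach. Instead of letting the web server's user run the whole
# bash script as root, sudoers permits exactly one root-owned wrapper with an
# explicit argument list, and the wrapper re-validates its input itself.
#
# Assumed sudoers entries (edit with visudo; user and paths are assumptions):
#
#   # Weak: any command, any arguments, no password
#   www-data ALL=(root) NOPASSWD: ALL
#
#   # Scoped: a command listed without arguments still matches ANY arguments,
#   # so spell out each permitted argv (or "" for none)
#   Defaults:www-data env_reset, !setenv
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/restart-service web, \
#                                  /usr/local/sbin/restart-service cache
#
# The web app then runs: sudo -n /usr/local/sbin/restart-service web
# (-n: never prompt; "web" comes from the form only after the app's own check).

# Map a service label to the unit it controls. Fixed table, not a regex:
# the only values that reach the privileged command are the ones listed here.
resolve_unit() {
    case "$1" in
        web)   printf '%s\n' "nginx.service" ;;
        cache) printf '%s\n' "redis.service" ;;
        *)     return 1 ;;
    esac
}

# Entry point when invoked as the wrapper under sudo.
main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 <web|cache>" >&2
        exit 64
    fi
    unit=$(resolve_unit "$1") || { echo "refused: $1" >&2; exit 77; }
    # The unit name is taken from the table above, never from $1 directly,
    # so shell metacharacters in the input cannot reach this command line.
    exec systemctl restart -- "$unit"
}

# Run main only when executed as the installed wrapper, so the functions can
# also be sourced and checked without touching any service.
case "$0" in
    */restart-service) main "$@" ;;
esac
```

Install the wrapper root-owned with mode 0755 so the account that runs the web server can call it but not edit what runs as root.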