We need some scripts to generate config files for network services such as DHCP, DNS and Network based on user input. These require root access, but I don't know how to run the PHP application as root. It's run through a public web interface.
+2
A:
Instead of giving the PHP script root access, make the configuration files writable by the web user.
Sjoerd
2010-07-07 14:13:03
+5
A:
Awww... granting root rights to PHP or the web server is never a good practice, no matter how secure your setup.
How about having PHP write the changed configuration files into a temporary directory:
/home/system/transfer/apache/httpd.conf
/home/system/transfer/system/dhcp.conf
/home/system/transfer/mysql/my.ini
and a sudo cron job running a shell script fetching them from there, and copying them to the proper location (also taking care of restarting services and all that), on a five-minute basis?
It would be a bit safer than having the Web/PHP user write the configuration files directly, plus it would be relatively easy to set up a versioning process that allows rolling back a configuration file to an earlier version.
Pekka
2010-07-07 14:13:38
He can make a link in its original location and move config files to temp-dir. In this case he doesn't need to use cron.
GOsha
2010-07-07 14:30:12
Assuming you use Linux: Instead of running a cron job I'd use incron to watch the directory and not let PHP write the actual config files but just the data from user input. The incron job then uses that data to create the actual config files.
Florian Diesch
2010-07-07 14:52:13
@Florian yup, that's how I meant it. @GOsha yes, but this would still not solve the issues of stopping/restarting services, managing versions, and such. Also, it would be a pain to migrate to another machine. Leaving the config files in place and having a cron job do the administrative work sounds more appealing to me.
Pekka
2010-07-07 18:01:26
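The root-side half of the staging approach discussed above, as an added example that is not part of the original thread: a function the root cron (or incron) job could call for each staged file. The function name, the destination and backup paths, and the validator command in the usage comment are assumptions.

```shell
#!/bin/sh
# Root-side installer for the staging approach (added example).
# install_staged SRC DEST BACKUP_DIR [VALIDATOR ARGS...]
# Returns 0 = installed, 1 = nothing staged, 2 = rejected.
# Hypothetical usage (destination, backup path and validator are assumptions):
#   install_staged /home/system/transfer/system/dhcp.conf \
#       /etc/dhcp/dhcpd.conf /var/backups/netcfg dhcpd -t -cf
# The caller restarts the service only when the return code is 0.
install_staged() {
    src=$1; dest=$2; backups=$3; shift 3

    [ -e "$src" ] || [ -L "$src" ] || return 1

    # The staging directory is writable by the web user, so its contents
    # are untrusted: accept regular files only, never symlinks.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "rejected: $src is not a regular file" >&2; return 2
    fi

    # Copy into a root-only work directory next to DEST. -P copies a
    # symlink as a symlink, so a swap after the check above is caught.
    work=$(mktemp -d "$(dirname "$dest")/.staged.XXXXXX") || return 2
    new=$work/new
    if ! cp -P -- "$src" "$new" || [ -L "$new" ] || [ ! -f "$new" ]; then
        rm -rf -- "$work"; return 2
    fi

    # Optional syntax check: the validator gets the private copy as its
    # last argument, so what is checked is exactly what gets installed.
    if [ "$#" -gt 0 ] && ! "$@" "$new" >/dev/null 2>&1; then
        echo "rejected: $src failed validation" >&2
        rm -rf -- "$work"; return 2
    fi

    # Keep the previous version so a bad change can be rolled back.
    if [ -f "$dest" ]; then
        stamp=$(date +%Y%m%d%H%M%S)
        if ! { mkdir -p -- "$backups" &&
               cp -p -- "$dest" "$backups/$(basename "$dest").$stamp"; }; then
            rm -rf -- "$work"; return 2
        fi
    fi

    # Same directory as DEST, so mv is an atomic rename.
    chmod 644 "$new" && mv -f -- "$new" "$dest" &&
        rm -f -- "$src" && rmdir -- "$work"
}
```

A rejected file is left in the staging directory for inspection, so the job should log or alert on return code 2 rather than retry silently.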