Possible to set Apache user/group programmatically?



brothercake
02-08-2006, 07:39 AM
I'm using PHP's exec() function to call AppleScript commands, in order to get data from iTunes, and generate a browser-based remote interface for it. All well and good, but to make it work it's necessary to set Apache's user/group as follows:


User shortname
Group staff

Obviously suicidal for a public server, but no serious problem for a personal or local server, which is what it's intended for. Still it's not ideal, and I'd rather not have to make that permanent change.

My question is - can I automate this change of user in PHP (or possibly using .htaccess directives?) so that users don't have to make that change permanently to their httpd.conf, but only temporarily within the script folder while it's running?

firepages
02-08-2006, 08:54 AM
You can't change user/group in .htaccess, nor as far as I know even in virtual hosts.

The last time I played with anything similar (Plesk script integration) I ended up having another Apache instance running on a different port as a privileged user to accommodate those requests, which I suppose is just as daft (that's how Plesk itself works~) though you can restrict access to that version of Apache to localhost.

Perhaps messing with sudo (if available) may be the right track?

brothercake
02-09-2006, 01:13 PM
> Perhaps messing with sudo (if available) may be the right track?
How do you mean?

firepages
02-09-2006, 01:57 PM
If you have sudo installed and add apache/PHP to sudoers then they can do things with elevated privileges, the main point being that you can control exactly what sudoers can and cannot do via /etc/sudoers. The main issue is authentication, so you will probably have to use NOPASSWD:

apache hostname = NOPASSWD: /your/script

... I know very little about sudo, so check out http://www.sudo.ws/ for the manual.

brothercake
02-09-2006, 03:23 PM
Okay, that's worth looking into, ta.

But my main concern was really distribution of the script - if I give it to others to use, I want their setup process to be as simple as possible, preferably without requiring any manual edits to httpd.conf

But apart from that, I guess it's quite a security risk, isn't it? If the worst-case happened and someone gained remote access to my (or a user's network) it would effectively give them carte-blanche to do anything that user can do?

firepages
02-09-2006, 03:46 PM
Well if Apache is running as a privileged user then if anyone can access PHP or Perl exec() type functions via a dodgy CGI or other script then that's an issue, how likely that is I can't say but that is the oft-quoted reason to not run Apache as root.

Problem is, as you say, you don't want your users having to play with the Apache configuration. The only other thing I can think of is to run a PHP or other script as a daemon (running with appropriate permissions) and poll that via PHP socket functions etc... which is probably a lot of work :D though there are ready to run PHP socket-server scripts out there... and loads of Perl ones!
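A sketch of the daemon approach suggested above, as an added example that is not part of the original thread: a helper started by the logged-in desktop user listens on loopback and runs only a fixed set of AppleScript commands, so Apache can keep its default unprivileged user. It is written in Python rather than PHP or Perl; the port number, command words and AppleScript snippets are assumptions.

```python
import socketserver
import subprocess

# Fixed allowlist: request word -> exact argv. Nothing sent by the client is
# ever interpolated into a shell command or an AppleScript string.
# The command words and AppleScript snippets are illustrative assumptions.
ALLOWED = {
    "playpause": ["osascript", "-e", 'tell application "iTunes" to playpause'],
    "next": ["osascript", "-e", 'tell application "iTunes" to next track'],
    "current": ["osascript", "-e",
                'tell application "iTunes" to get name of current track'],
}
MAX_REQUEST = 32  # bytes; longer requests are rejected outright


def resolve(request: bytes):
    """Map a raw request line to a fixed argv, or None if it is not allowed."""
    if len(request) > MAX_REQUEST:
        return None
    try:
        word = request.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    argv = ALLOWED.get(word)
    return list(argv) if argv else None


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        argv = resolve(self.rfile.readline(MAX_REQUEST + 1))
        if argv is None:
            self.wfile.write(b"ERR unknown command\n")
            return
        try:
            done = subprocess.run(argv, capture_output=True, timeout=5)
        except (OSError, subprocess.TimeoutExpired):
            self.wfile.write(b"ERR failed\n")
            return
        status = b"OK " if done.returncode == 0 else b"ERR "
        self.wfile.write(status + done.stdout.strip() + b"\n")


def main(port=8765):  # port number is an arbitrary assumption
    # Loopback only: reachable from PHP on the same machine, not the network.
    with socketserver.TCPServer(("127.0.0.1", port), Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    main()
```

The PHP side would open a socket to 127.0.0.1 on that port and send one command word per connection. Any local process can reach a loopback port, so a Unix domain socket with restrictive file permissions is the tighter choice on a shared machine.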

brothercake
02-09-2006, 05:07 PM
> Well if Apache is running as a privileged user then if anyone can access PHP or Perl exec() type functions via a dodgy CGI or other script then that's an issue, how likely that is I can't say but that is the oft-quoted reason to not run Apache as root.
Perhaps, if that does actually happen to you, you've got bigger security problems than that one Mac anyway :)


> the only other thing I can think of is to run a PHP or other script as a daemon (running with appropriate permissions) and poll that via PHP socket functions etc... which is probably a lot of work :D though there are ready to run PHP socket-server scripts out there... and loads of Perl ones!
That could be a way, yeah - I'll look into it.

It might also be possible to write a local applescript that edits the file and whatever other settings changes are necessary .. I wanted to avoid writing applescript as much as possible .. it's like telly-tubby language!

Thanks for your help :)


