Re: Secure Web-Based Administration

Ryan,

You would be best off using webmin, as others have suggested. It is flexible, modular, and extensible. It handles the functions you have mentioned, and many more. It supports multiple roles with differing access levels. It has been widely examined, so it is probably more secure than any home-grown application.

If you're absolutely determined to invent your own wheel, at least review webmin. You should let yourself be inspired by other round things that roll.

If you want to take a different tack, you might try a message-based architecture. Instead of invoking root processes from your web server, have the web server process leave authenticated requests in a queue. Have a root process loop around and review the requests. If they're in the proper predefined format, fulfill the requests.

Above all, remember that user input is the enemy! Sure, you would never type anything harmful...but you have to assume that everyone else will.

Gavin Brennan
Senior Network Engineer
Terrapin Systems, LLC
6116 Executive Blvd
Suite 501
Rockville, MD 20852
301-594-0763 Office
240-674-8117 Cell
http://www.terpsys.com/

-----Original Message-----
From: Ryan [mailto:ryan@vbnet.net]
Sent: Friday, January 17, 2003 10:00 AM
To: focus-linux@securityfocus.com
Subject: Secure Web-Based Administration

I would like to create some web pages/scripts (probably using PHP since I use it for a lot of other things) to assist me in administering my linux machine. What are some ways that I can execute certain administrative commands (such as ifconfig,iwconfig,route,scripts in my /etc/init.d/ directory, etc...) as root? I'm fairly familiar with the different access-control methods available to me to restrict access to these pages. I will definitely be using SSL with a self-signed certificate. I'm just not sure how to get my web server (which doesn't run as root and I want to keep it that way) to execute these commands with superuser privileges. Thanks

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Ryan
ryan@vbnet.net Received on Wed Jan 29 13:56:11 2003