Web Development Thread, shell_exec in Coding and Web Development
4th February 2009, 10:13 AM #1
I'm playing about with squid at the minute (on an Ubuntu server OS) and am very pleased with what it can do. It seems the last thing I want it to do is the one I am having most difficulty with.
I want to be able to restart squid from a web page (which is served from the same server).
This doesn't work though because of permissions. Can anybody help me achieve this please?
4th February 2009, 10:20 AM #2
4th February 2009, 10:41 AM #3
I could use webmin but I want this to work from a custom web script that I have designed.
4th February 2009, 11:59 AM #4
Is this PHP? You'll have to relax some of the safety in php.ini to shell out in the first place. However, even then your shell command will run as a non-privileged user, so you won't be able to restart squid from there.
- run apache as root (baaad)
- add apache to the root group (baaad)
- setuid (http://en.wikipedia.org/wiki/Setuid) /etc/init.d/squid to run as root (baaad)
I think you see the pattern. You're gambling with remote code exploits here, which is why apache isn't set up like this in the first place. But if you want to go ahead, choose one of the above (I'd go with setuid myself, it's the most minimal solution.)
Last edited by powdarrmonkey; 4th February 2009 at 12:07 PM.
4th February 2009, 01:58 PM #5
The server is not open to the outside world and this script will be hidden behind an ldap authentication anyways.
4th February 2009, 02:24 PM #6
Originally Posted by powdarrmonkey
I have a slightly safer idea. If you give your php user sudo access to /etc/init.d/squid, then even if someone got in, the only thing they'd be able to do is stop and start squid.
4th February 2009, 02:27 PM #7
Originally Posted by Geoff
4th February 2009, 02:34 PM #8
As I recall, apache runs as www-data on ubuntu. Thus if you alter /etc/sudoers like so:
www-data = NOPASSWD: /etc/init.d/squid
then if you 'su' to www-data, you should be able to stop/start squid.
For the PHP bit, you're on your own.
4th February 2009, 02:41 PM #9
Originally Posted by Geoff
Just put exactly that line in the file and now I get
>>> sudoers file: syntax error, line 16 <<<
sudo: parse error in /etc/sudoers near line 16
Can't get back into file to change it back
4th February 2009, 02:47 PM #10
I think you missed out the ALL?
ALL = NOPASSWD:....
4th February 2009, 03:03 PM #11
'ALL' means all users, probably not what you intended.
4th February 2009, 03:08 PM #12
What I have is
%www-data ALL=NOPASSWD: /etc/init.d/squid3
I have logged in as www-data and tried restarting the squid server - apparently it went through successfully but it doesn't update my ACLs until I restart the server as root.
Last edited by Hightower; 4th February 2009 at 03:11 PM.
4th February 2009, 03:29 PM #13
Ok, I didn't know you wanted to do that. Allow www-data to run the following:
squid -k reconfigure
4th February 2009, 03:54 PM #14
Just stick that in the same line as my code?
4th February 2009, 04:57 PM #15
I tried this line
%www-data ALL=NOPASSWD: squid3 -k reconfigure
but it didn't work (broke the sudoers file again).
What should I be entering?
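Added example, not part of any post in this thread: a small shell pre-check for the two sudoers mistakes hit above (no host field before the '=', and a command given without its full path). The function name lint_sudoers_line and the path /usr/sbin/squid3 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pre-check one simple sudoers rule of the
# form  WHO HOSTS = [(RUNAS)] [NOPASSWD:] /abs/cmd [args][, ...]
# It catches only the two mistakes seen above; visudo remains the authority.

lint_sudoers_line() {
    line=$1
    case $line in
        *=*) ;;
        *) echo "no '=' in rule"; return 1 ;;
    esac
    lhs=${line%%=*}     # before the first '=': WHO and HOSTS
    rhs=${line#*=}      # after it: optional runas/tag, then the commands
    set -f; set -- $lhs; set +f
    if [ "$#" -ne 2 ]; then
        echo "expected 'WHO HOSTS' before '=', found $# field(s)"; return 1
    fi
    # Strip an optional (runas) and NOPASSWD: tag, then split on commas.
    rhs=$(printf '%s\n' "$rhs" | sed -e 's/^[[:space:]]*//' \
        -e 's/^([^)]*)[[:space:]]*//' -e 's/^NOPASSWD:[[:space:]]*//')
    old_ifs=$IFS; IFS=,
    set -f; set -- $rhs; set +f
    IFS=$old_ifs
    [ "$#" -gt 0 ] || { echo "no command after '='"; return 1; }
    for cmd in "$@"; do
        cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//')
        case $cmd in
            /*|ALL) ;;  # full path or ALL; aliases are out of scope here
            *) echo "command is not an absolute path: $cmd"; return 1 ;;
        esac
    done
    echo "ok"
}

# Two rules quoted from the thread, then a corrected form. /usr/sbin/squid3 is
# an assumed path; confirm it with `command -v squid3` on the server. Listing
# the arguments limits www-data to exactly that invocation.
while IFS= read -r rule; do
    printf '%s\n    -> %s\n' "$rule" "$(lint_sudoers_line "$rule" || true)"
done <<'EOF'
www-data = NOPASSWD: /etc/init.d/squid
%www-data ALL=NOPASSWD: squid3 -k reconfigure
www-data ALL=NOPASSWD: /usr/sbin/squid3 -k reconfigure
EOF
```

Whatever this reports, check the real rule with visudo -c -f on a copy of the file before installing it, so a syntax error cannot lock sudo out.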