Tuesday, 20 January 2015

Need help choosing an authentication method

I would like to develop an interface (web GUI) to administer a server, which requires super user rights. I am looking for a method to obtain administrator rights and run super user commands (on Linux) via web forms (any language), e.g. :~$ /usr/bin/hostapd /etc/hostapd.conf


I think of this:




  • PAM auth (Python CGI).

  • Allow the www-data user in visudo with NOPASSWD, specify the commands, and use PHP proc.

  • PAM auth in PHP?



I currently use the second option, but I am also serving other websites, and I want everything to be secured properly, especially that my administration GUI space is completely independent of the www-data user and group. Here is how I do it for the moment:



(I use nginx)
1- the user gets the PHP web page
2- the user is authenticated via a web form (PHP session)
3- if allowed, redirect to the command interface // switch $USER?


But at this point, I also have the other sites running under the same user and even the same www-data group. If an attacker took control of another site (other than my web GUI), since the user and group are the same, he could run the super user commands, in reality hostapd.


What is the solution to secure all this?



1- create a user per site? chroot, etc.? and allow that user in visudo? what are the right permissions for the web root folder and files?
2- write my own server on another port (e.g. sshd with Python scapy)



My concern is that I want to avoid using the www-data user for SU tasks. I get lost in everything I read, which is why I need your help. Thank you.
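As an added example (not code from the original post), here is how the second option can be hardened along the lines the question sketches: a dedicated system user for the admin site instead of www-data, a sudoers rule limited to the listed binaries, and a small broker that only lets validated parameters reach sudo. The user name adminweb, the action names, the regex patterns and the sudoers lines are assumptions.

```python
import re
import subprocess

ADMIN_USER = "adminweb"  # assumed dedicated user for the admin site (not www-data)

# Allowed actions: fixed argv prefix plus an ordered list of (parameter, regex).
# Web input may only fill these parameters and is refused before sudo is invoked.
ACTIONS = {
    "start-hostapd": (["/usr/bin/hostapd"],
                      [("config", r"/etc/hostapd(-[a-z0-9]+)?\.conf")]),
    "link-show": (["/sbin/ip", "link", "show"],
                  [("iface", r"[a-z][a-z0-9]{0,14}")]),
}


def build_argv(action, params):
    """Return the exact argv to execute, or raise ValueError on any deviation."""
    if action not in ACTIONS:
        raise ValueError("unknown action")
    prefix, schema = ACTIONS[action]
    if set(params) != {name for name, _ in schema}:
        raise ValueError("unexpected parameter set")
    argv = ["/usr/bin/sudo", "-n", *prefix]  # -n: never prompt, fail instead
    for name, pattern in schema:
        value = str(params[name])
        # fullmatch anchors the regex: spaces, ';', newlines or ".." cannot slip through
        if not re.fullmatch(pattern, value):
            raise ValueError(f"invalid value for {name}")
        argv.append(value)
    return argv


def sudoers_rules(user=ADMIN_USER):
    """Matching sudoers lines (install with visudo). A '*' in sudoers also matches
    spaces, which is why the regex check above must stay in front of sudo."""
    return [
        f"{user} ALL=(root) NOPASSWD: /usr/bin/hostapd /etc/hostapd*.conf",
        f"{user} ALL=(root) NOPASSWD: /sbin/ip link show *",
    ]


def run_action(action, params):
    """Execute a validated action; argv list, no shell, so input is never re-parsed."""
    argv = build_argv(action, params)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout, proc.stderr
```

The PHP-FPM (or CGI) pool serving the admin GUI runs as adminweb, so a compromise of a site under www-data gains nothing from these sudoers rules.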

