I am looking for a way to securely execute a shell script with sudo through a web interface. Security is the main concern here. I don’t want to give my PHP file full sudo access. What will be the best way to accomplish this?
Please add more details, your question is not clear. – Kaushal Kumar, Jul 23, 2020 at 20:09
Give your web server user sudo access to only run a single command, and only as a specific user. – that other guy, Jul 23, 2020 at 22:26
@thatotherguy, could you please elaborate more, how can I give the access for a single command? – Vipin, Jul 24, 2020 at 18:02
1 Answer
The best solution would be to have your PHP file execute a bash script that executes the sudo commands, as granting the "web-server user" root/admin access is not recommended.
With a bash file you can control what is executed while being sure it cannot be changed easily, and even pass variables if needed, i.e. perform different sudo commands depending on the variable passed.
2 Comments
Vipin
Thanks for the answer. I am trying it with a bash script only, but my bash script requires some sudo permission to execute properly. I can run that one with sudo permission easily, but I am mainly concerned about the security. Could you please elaborate more on how to run this bash script with sudo permission through a web interface without compromising the code? That needs to be secured too.
LUX
@Vipin executing a shell command through the web does not compromise code. You would send the literal shell command to execute the file as if you were on the console. Since this is done in the background, where the source code would only be visible server-side, an end user cannot modify this command unless you make it a dynamic variable, which I would not recommend at all! My best solution would be to create 2 files if you really need sudo permission to execute: one that the server executes, which contains instructions to execute the other file with admin permissions.
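The approach from the comments and the answer (one sudoers rule for one root-owned script, which itself decides what may run), sketched as an added example that is not part of the original thread. The install path, the `www-data` user, and the action names and commands are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumed install path: /usr/local/sbin/web-task, owner root:root, mode 0755,
# so the web server user can execute it but not modify it.
# Assumed sudoers entry (create with visudo), web server user assumed www-data:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/web-task
# sudoers permits any arguments when none are listed in the rule, so the
# script must validate its own arguments.

# Map an action name to one fixed command line; everything else is rejected.
# Action names and commands are placeholders for your own tasks.
resolve_action() {
    case "$1" in
        restart-app) echo "/usr/bin/systemctl restart myapp.service" ;;
        rotate-logs) echo "/usr/sbin/logrotate -f /etc/logrotate.d/myapp" ;;
        *) return 1 ;;
    esac
}

run_task() {
    # Exactly one argument: the action name.
    [ "$#" -eq 1 ] || { echo "usage: web-task <action>" >&2; return 64; }
    cmd=$(resolve_action "$1") || { echo "rejected action" >&2; return 65; }
    # $cmd is unquoted on purpose: it is one of the fixed strings above,
    # never caller input. Run it with an empty environment and a fixed PATH.
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin $cmd
}

# Dispatch only when an action was passed on the command line.
if [ "$#" -gt 0 ]; then
    run_task "$@"
    exit $?
fi
```

From PHP the call would then be a constant string such as `sudo -n /usr/local/sbin/web-task restart-app`, with the action chosen server-side rather than copied from request input.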