3

For a new project, I have to write a webinterface, which has the capability of modifying a configuration file. The system this will run on is a standard debian installation with apache and php5. The only idea I came up with so far, is to write small c programms, setting the setuid bit to root and supplying the string to be inserted in the config file as a parameter. However I really have a bad feeling about this, since I would rather avoid any setuid programms in my system, for security reasons. Unfortunatelly, the programm to witch the config file belongs refuses to start, if the config file hasn't exclusive root permissions.

How do projects like webmin adress this issue? I would really appreciate some best-practice tipps, of how to implement this.

Thanks in advance

skaffman
  • 398,947
  • 96
  • 818
  • 769
ftiaronsem
  • 1,524
  • 4
  • 19
  • 32
  • What specific configuration file are you referring to? – user400850 Aug 01 '10 at 10:47
  • in particular the .authorized key file in the users home directory. I want a user to be able paste his public key on the web interface in order for him to be able to use ssh. Unfortunatelly the .ssh/authorized key file needs to have 600 permissions, with the user owning it. :-( – ftiaronsem Aug 01 '10 at 11:34

1 Answers1

2

You don't need the Web server to write this file at all. In fact, that just seems like a very bad idea altogether. I'm assuming that this is an Intranet-only website? IF it were me I'd simply store the public key in a database and later have a cron job script come through and validate the certificate and then insert it. Sure, the script has to run as root (stick it in the root's crontab) but you don't have to lose sleep about your webserver writing to files with root permissions. :)

Bretticus
  • 896
  • 6
  • 11
  • thanks, it is ideed an intranet web-site^^. The idea with the database sounds good, i am going to try that out. – ftiaronsem Aug 08 '10 at 08:11
  • You can even go as far as having python do the key-gen, it would appear. See http://stackoverflow.com/questions/2466401/how-to-generate-ssh-key-pairs-with-python – Bretticus Aug 10 '10 at 18:29