
I need to be able to provide a button or link that will run a cgi script that in turn creates/modifies files in the /etc/nginx directory sites-available. I can think of two ways to do that:

  1. Give the script root permissions somehow to make the file mods.
  2. Change the /etc/nginx/sites-available directory group to www-data and make it writable by group.

The user will not be able to enter any text. The script has everything it needs from the server variables.

What is the most secure way to run such a script? Are there any options besides the two suggested? Are there any security pitfalls to avoid?

Ruslan Osmanov
Scott
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Jan 08 '17 at 20:07

1 Answer


The access to specific HTTP requests can be restricted in many ways. I think "the best" way is the way that fits your needs/preferences best. I will list only the options I find the most useful.

Web-based Authentication System

With a custom authentication system you can restrict access only for authorized users with sufficient privileges (in terms of this system). For example, requests to /vhost.php could be processed only for the users belonging to "Web Server Admins" group.

Firewall

You can maintain a white list of source IP addresses that are allowed to send requests to the Web server's host, e.g.:

iptables -A INPUT -p tcp --dport 80 -s AllowedIP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

See answers to this question, for instance.

HTTPS

I would recommend configuring HTTPS in order to protect the traffic against interception. Note, the firewall should be adjusted accordingly. For example, you can drop all traffic on port 80, and allow requests on port 443 for specific IP addresses.

Filesystem Permissions

I think it is sufficient to allow the Web server's user read/write permissions for /etc/nginx/sites-available.

Alternatively, you can

1) open permissions to the directory only for root, 2) create a script executable only for root, and 3) allow execution of the script via "passwordless" sudo only for the Web server's user/group via /etc/sudoers, e.g.:

Cmnd_Alias  WWW_HOST_CONFIG = /path/to/script
%www-data ALL=(ALL) NOPASSWD: WWW_HOST_CONFIG

Note, if you are using a proxy (such as PHP-FPM, or Apache2), you need to give the appropriate permissions to the user of the proxy process. By the way, PHP-FPM allows setting the process user/group via the configuration file, e.g.:

[my_project]
listen = /tmp/php-fpm-my_project.sock
listen.mode = 0660
listen.owner = username
listen.group = www
user = username
group = www
Ruslan Osmanov
  • Thanks for the thorough response. Since you believe both approaches are equivalently safe (under HTTPS, which I am running), it seems the simpler approach of changing read/write permissions would be preferable. – Scott Jan 12 '17 at 07:49
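
One possible shape for the root-owned `/path/to/script` from the sudoers approach in the answer, as an added example that is not part of the original question, answer or comments. It assumes the CGI passes the site name as a single argument, and the vhost template is a constructed placeholder. Some server variables (for example the request's Host header) are set by the client, so the helper validates the name and refuses non-regular targets before writing.

```shell
#!/bin/sh
# Added example: root-owned helper intended to be the only command the web
# server user may run through sudo.
# Assumptions (not from the original post): the site name arrives as $1 and
# the vhost template written below is a constructed placeholder.
export LC_ALL=C                       # make [a-z] ranges byte-exact
SITES_DIR=/etc/nginx/sites-available  # hard-coded, never read from the caller

# Accept only lowercase DNS-style names: labels of [a-z0-9-] joined by dots.
valid_site_name() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 253 ] || return 1
    case "$1" in
        *[!a-z0-9.-]*) return 1 ;;               # '/', ';', spaces, uppercase...
        .*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;  # empty label or '-' at a label edge
    esac
    return 0
}

# Write the vhost file via a temp file in the same directory, then rename.
write_site() {
    valid_site_name "$1" || { echo "rejected site name" >&2; return 2; }
    ws_target="$SITES_DIR/$1"
    # Never touch a symlink, directory or device sitting at the target path.
    if [ -L "$ws_target" ] || { [ -e "$ws_target" ] && [ ! -f "$ws_target" ]; }; then
        echo "refusing non-regular target" >&2
        return 3
    fi
    ws_tmp=$(mktemp "$SITES_DIR/.vhost.XXXXXX") || return 4
    printf 'server {\n    listen 80;\n    server_name %s;\n    root /var/www/%s;\n}\n' \
        "$1" "$1" > "$ws_tmp"
    chmod 0644 "$ws_tmp" && mv -f "$ws_tmp" "$ws_target"
}

# Entry point: exactly one argument, the site name.
if [ "$#" -gt 0 ]; then
    [ "$#" -eq 1 ] || { echo "usage: $0 <site-name>" >&2; exit 64; }
    write_site "$1"
fi
```

With this in place the CGI only ever runs `sudo /path/to/script <site-name>`, and the directory itself can stay writable by root alone.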