On 7/26/07, Michael Pobega <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> > Hi List,
> >
> > I am creating a small PHP program that will interact with MySQL and
> > will hold the policies for the people in my office, i.e.:
> > Who can or can not access MSN messenger
> > Who can or can not access WWW
> >
> > etc. Once this is stored, a shell script with the iptables rules
> > should be created, and then run.
> >
> > I do not want to run it with Apache, so I was thinking of creating a
> > CRON job that will run it as root once every n minutes, but the issue
> > I see here is that if somebody "breaks" my Apache security he will be
> > able to create any script he likes and my CRON will run it, killing my
> > server security.
> >
> > Any better ideas about how I can achieve my goal?
> >
> > Thanks in advance.
> >
> > Best regards.
> >
>
> Make a user specifically for this job that can access /sbin/iptables
> through sudo, and make the script do just that: access iptables using
> sudo and this new account.
>
> Then make sure the bash script is owned by the new account, and root's
> group, and chmod the script to r-xrwxr-- by doing:
>
> chmod u+rx,g+rwx,o+r,u-w,o-wx /path/to/script
>
> This *should* achieve what you are trying to do... It's a bit messy, but
> in the end it will pay off. The only way I can see this being abusable
> is if someone gets access to your root account.
Thank you all for your help. I will take that into account; personally I like Michael's approach, thanks.

Answering Andrew: what I need is that only one person (the administrator of this network, not a Linux guy) has access to this webpage using .htaccess or some other Apache security, but I want to add more security to this, and that is why I have posted here. Thanks, you all gave me a good point to start from.

Best regards.

--
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using FC6, CentOS4.4 and Ubuntu 6.06)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org
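The scheme Michael describes (a dedicated account that may run /sbin/iptables through sudo, and a generated script owned by that account with no write access for others) still leaves one gap the original question worries about: the cron job trusts whatever file it finds at the script's path. The wrapper below is an added example, not code from this thread or from either poster; it is what the dedicated account's cron job would run instead of the generated script directly, and it refuses to execute the script unless the file really has the ownership and mode the setup promises. The account name fwadmin, the script path /var/lib/fwpolicy/rules.sh, the crontab line and the sudoers line are all assumptions; it needs GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): run the generated iptables script only
# after verifying it is a regular file (not a symlink), owned by the dedicated
# account and root's group, world-unwritable, and without setuid/setgid/sticky.
#
# Assumed sudoers entry (added with visudo) so the generated script can call
# "sudo /sbin/iptables ..." while the cron job itself runs unprivileged:
#   fwadmin ALL=(root) NOPASSWD: /sbin/iptables

FW_USER="${FW_USER:-fwadmin}"                         # assumed dedicated account
FW_GROUP="${FW_GROUP:-root}"                          # root's group, as in the thread
FW_SCRIPT="${FW_SCRIPT:-/var/lib/fwpolicy/rules.sh}"  # assumed path of the generated script

# check_script_safe FILE OWNER GROUP
# Returns 0 only if FILE passes every ownership and permission check.
check_script_safe() {
    local file="$1" owner="$2" group="$3" st mode other

    [ -L "$file" ] && return 1      # symlink: could be pointed at any file on the box
    [ -f "$file" ] || return 1      # must exist and be a regular file

    st=$(stat -c '%U %G %a' "$file") || return 1
    set -- $st                      # $1=owner  $2=group  $3=octal mode, e.g. "754" or "4754"
    [ "$1" = "$owner" ] || return 1
    [ "$2" = "$group" ] || return 1

    mode="$3"
    # GNU stat prints a leading 4th digit only when setuid/setgid/sticky is set;
    # none of those belongs on a shell script run by cron.
    [ "${#mode}" -eq 4 ] && return 1

    other="${mode#"${mode%?}"}"     # last octal digit = permissions for "other"
    [ $(( other & 2 )) -eq 0 ] || return 1   # world-writable: a compromised web server could edit it
    return 0
}

# apply_rules FILE
# Runs FILE as the current (dedicated, unprivileged) account once the checks
# pass; the script itself is expected to invoke "sudo /sbin/iptables".
apply_rules() {
    local file="$1"
    if ! check_script_safe "$file" "$FW_USER" "$FW_GROUP"; then
        printf 'fw-apply: refusing to run %s: wrong owner, group or mode\n' "$file" >&2
        return 1
    fi
    /bin/sh "$file"
}

# Usage from the dedicated account's crontab (assumed every 5 minutes):
#   */5 * * * * FW_APPLY=1 /usr/local/bin/fw-apply.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules "$FW_SCRIPT"
fi
```

The wrapper does not try to validate the contents of the generated script; its job is only to make sure that a file the web server's account could have created or modified is never executed. Because the cron job runs as the dedicated account rather than as root, a script that somehow slips past the checks can still do no more than that account's single sudo rule allows.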