see below

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Larry Brown
> Sent: Friday, March 28, 2003 7:40 PM
> To: [EMAIL PROTECTED]
> Subject: RE: iptables access
>
>
> This is kind of my point.  Webmin runs as root or at least executes
> commands as root.  With Webmin you have access granted or denied by
> use of a login mechanism.  I can use a login mechanism on apache to do
> the same granting or denial.  So why wouldn't I be able to get apache
> to do the same?  Is webmin's server more secure in some way than
> Apache?  The problem I have with Webmin is that I write most of my
> code in php which is not supported by Webmin (or at least last I
> checked) and I'd rather use Apache.  My ultimate goal is of making
> system changes to affect modifications to IPSEC from FreeS/WAN.  This
> requires that I restart the network service, then turn ip forwarding
> back on afterwards, and then restart the ipsec service which all point
> to running apache as root.  (or writing everything in perl and using
> Webmin)
>
> Larry S. Brown
> Dimension Networks, Inc.
> (727) 723-8388
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jeff Kinz
> Sent: Friday, March 28, 2003 9:02 AM
> To: [EMAIL PROTECTED]
> Subject: Re: iptables access
>
> Hey Chris - Please don't "Top Post"
>
> > -----Original Message-----
> > Is anyone familiar with the possibility of running iptables commands
> > as a non-root user?  I am trying to execute commands from a web page
> > without running apache as root or going through reconfiguration of
> > apache to allow it to su root.  It seems it would be easier to be
> > able to allow a user access to iptables commands.
> >
> > Larry S. Brown
>
> On Fri, Mar 28, 2003 at 10:17:57AM +0100, christopher cuse wrote:
> > hi larry,
> >
> > it is hard to imagine for what reason you would want to have apache
> > be able to su to root -- this could/would spell disaster in a
> > production environment and should be discouraged.  iptables access
> > from a non-root user as well is exceptionally dangerous -- one
> > command could render the network inoperable.
> >
> > apache has very robust security, so you should attempt your project
> > within the confines of apache.
> >
> > curious what exactly you have in mind ...
>
> Yes, Larry - what do you want apache to do?  there is probably a
> better way to accomplish it rather than having apache become root. :-)
>
> One option, if apache absolutely must become root is to use the "sudo"
> command and restrict apache to a single special purpose script that
> does only the exact and specific thing you need.
>
> If you are trying to use apache to administer a Linux box remotely I
> suggest looking at the "Webmin" package which allows you to do that
> and which you can add scripts to to extend the functionality.
>
>
> Webmin is extremely cool and useful even if only used as a local
> administration tool.

hi larry,

i concur with your sentiments concerning webmin -- i use it, and i also
install for clients.

given the further information that you have provided, i would use
https:// as your solution.  granting ssl access to a web user is
theoretically as secure as ssh -- once you have established a secured
connection, then you may act as root and perform the necessary with
lesser concern for security, although always bear it in mind.

cheers

Christopher CUSE

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
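
The single-purpose sudo script suggested in the quoted message from Jeff Kinz, applied to the three steps Larry lists (restart the network service, turn IP forwarding back on, restart ipsec). This is an added example, not code from anyone in the thread; the script name /usr/local/sbin/ipsec-admin, the "apache" user name, the reload-ipsec action and the command paths are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/ipsec-admin (name assumed), owned by
# root and not writable by the web server user.
# sudoers entry (edit with visudo), assuming Apache runs as user "apache":
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/ipsec-admin reload-ipsec
# The PHP page then runs exactly: sudo /usr/local/sbin/ipsec-admin reload-ipsec

PATH=/sbin:/usr/sbin:/bin:/usr/bin   # fixed PATH, never the caller's
export PATH

# Print the fixed command list for a known action; return 1 for anything else.
# Nothing supplied by the caller is ever interpolated into a command.
plan_for() {
    case "$1" in
        reload-ipsec)
            printf '%s\n' \
                '/sbin/service network restart' \
                '/sbin/sysctl -w net.ipv4.ip_forward=1' \
                '/sbin/service ipsec restart'
            ;;
        *) return 1 ;;
    esac
}

# Run the planned commands in order, stopping at the first failure.
# Returns 64 for a wrong argument count or an unknown action.
# With DRY_RUN=1 the commands are printed instead of executed.
run_action() {
    [ "$#" -eq 1 ] || return 64
    plan=$(plan_for "$1") || return 64
    echo "$plan" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            $cmd || exit 1   # $cmd is one of the constants above
        fi
    done
}

# Entry point: act only when arguments are given, so the file can also be
# sourced to load the functions without touching the system.
if [ "$#" -gt 0 ]; then run_action "$@"; exit $?; fi
```

Because the sudoers entry names both the script and its one argument, the web server account gains root for this fixed sequence only, not for iptables or a shell in general.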