Re: How to generate script with Apache and run it by root avoiding to "kill" security



On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
Hi List,

I am creating a PHP small program that will interact with MySQL and
will have the policies for the people in my office, i.e.:
Who can or can not access MSN messenger
Who can or can not access WWW

etc. once this is stored, a shell script with the iptables rules
should be created, and then run.

I do not want to run it with Apache, so I was thinking on creating a
CRON job that will run it as root once every n minutes, but the issue
i see here, is that if somebody "break" my Apache security he will be
able to create any script he likes and my CRON will run it, killing my
server security.

any better ideas about how can I achieve my goal?

I don't see how you could possibly create a publicly available
interface to change something as fundamental as your firewall and have
it _not_ be a security risk.

maybe you could create a user that only has permissions to run one
script and that one script is only allowed to change your firewall
rules in specific ways, but even so I think you're asking for trouble.

and take that all with appropriate salt as I am no security expert, it
just seems kind of obvious to me...

A

Attachment: signature.asc
Description: Digital signature



Relevant Pages

  • Re: what www perl script is running?
    ... When you run a firewall on a host, you open the ports for the services you want ... that doesn't really add to security at all and may well make you less vigilant. ... Security isn't always about preventing a compromise. ... The part you missed is that the installed script needs to connect out to ...
    (freebsd-questions)
  • SUMMARY WAS: OT? Philosophical Question on SA responsibilities
    ... helpful for managers interested in hiring new administrators. ... Would you go thru the 14,600 messages in root and admin ... If I was a new SA I would if encountering a security hole, ... I can see some use for the passwd -s part of the crontab script, ...
    (SunManagers)
  • Re: Clarification-Win2k Netstat sockets interpretation
    ... snip.. ... Before I could manually download every security upate and servicepack from MS.com but now...they send you a bit of Cop-code that fails to run unless ALL defences are down ... Are you sure the script from ntsvcfg is benign in addition to being useful? ... You are absolutely correct there HAL, er ah, Sebastian. ...
    (alt.computer.security)
  • Re: BUG with RES/SCRIPT/XP-SP2
    ... I consider JavaScript (known to security people as JavaVirus) as one of the Really Top ... to have a bad script cause damage to my machine. ... This security feature is called the "Local Machine Zone Lockdown". ... Tags, and the CDHtmlDialog class in this forum, and got no response. ...
    (microsoft.public.vc.mfc)
  • [NT] Flaw in Windows Script Engine Could Allow Code Execution
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Windows Script Engine provides Windows operating systems with the ... blocked by Outlook Express 6.0 and Outlook 2002 in their default ...
    (Securiteam)