Login or Register to Ask a Question and Join Our Community


Cybersecurity

WebApp secure access to protected files/programs

 
Thread Tools Search this Thread
Special Forums Cybersecurity WebApp secure access to protected files/programs
Prev   Next
# 1  
Old 03-14-2011
WebApp secure access to protected files/programs
Hello,

I'm working on an embedded linux project that provides a devices that uses an IPSec VPN (using racoon) to connect back to base. The device also hosts a WebApp that allows admin users to change many aspect of the networking setup, including things like the VPN pre-shared-key, IP addresses and user passwords. This requires the WebApp to be able to access protected files such as /etc/network/interfaces, and racoons psk.txt as well as programs such as usermod.

My question is, what is the best and most secure method of accessing these protected files from the WebApp code?

The WebApp is running through lighttpd, and uses php for the server-side scripting. Currently, php code calls shell scripts (using exec() ) outside of the document-root that then access the files. The shell scripts are owned by the webapp user, and use sudo to access protected files and programs. This requires the webapp user to have permissions in the sudoers files for programs such as cp, cat, and usermod. All of which I believe make this a very insecure system. The only other choice I thought was to setuid the shell scripts.

What would be the normal method of accomplishing such things for a web application? Any advice on a secure method of doing this would be most appreciated.

Thanks very much
Rob
 
Login or Register to Ask a Question

Previous Thread | Next Thread

6 More Discussions You Might Find Interesting

1. Programming

Regarding the protected variables access

Hello forum, I am siva working as programmer .I was blocked with the below issue so please help any of the forum memebers. testve.h class cv { protected : struct state; state& m_state; }; testVe.cpp struct state { m_size; } the above are 2 files which have the... (3 Replies)
Discussion started by: workforsiva
3 Replies

2. UNIX for Dummies Questions & Answers

How to access/run c programs on Putty?

Hi all, I wrote a couple noobie programs and had them compiled over Putty (using gcc), but I don't know what command I should use to run them. Please assume that I'm a complete noob when it comes to programming and putty commands. Thank you for your help! (1 Reply)
Discussion started by: Recycalable
1 Replies

3. Debian

Secure ftp access to outside chroot

I want to setup ftp on my home server running debian 5.0 I found this guide and have read it carefully. Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Lenny | HowtoForge - Linux Howtos and Tutorials Before I install/config it I want to know if its... (1 Reply)
Discussion started by: chipmunken
1 Replies

4. Shell Programming and Scripting

Unzipping files <password protected>

Hie Friends, I need your help once again. I have 77 “password protected” winzip files in linux/unix server. I want to decrypt it through an automated script. Password of every file is same and it is mhd*tt. Please help me. Usually I unzip it as follows, manually one by one. unzip <file name> ... (6 Replies)
Discussion started by: anushree.a
6 Replies

5. UNIX for Dummies Questions & Answers

What programs access shared library file

I was curious how to tell which programs are accessing a file (libobjc.A.dylib) in /usr/lib This file seems to be the culprit in a bunch of Safari crashes, and I just wanted to know if and what other programs use it. Also, I was curious what a good way to find out what files are being written... (4 Replies)
Discussion started by: glev2005
4 Replies

6. Solaris

secure access using sudo

I just need to know what should be done on a login user so that no one can access it except through sudo i.e. telnet server login: user NO ACCESS telnet server login: mylogin sudo - user <any command> ACCESS GRANTED thanks (0 Replies)
Discussion started by: melanie_pfefer
0 Replies
Login or Register to Ask a Question

LEARN ABOUT SUSE

racoon

RACOON(8)						    BSD System Manager's Manual 						 RACOON(8)

NAME

     racoon -- IKE (ISAKMP/Oakley) key management daemon

SYNOPSIS

     racoon [-46BdFLv] [-f configfile] [-l logfile] [-P isakmp-natt-port] [-p isakmp-port]

DESCRIPTION

     racoon speaks the IKE (ISAKMP/Oakley) key management protocol, to establish security associations with other hosts.  The SPD (Security Policy
     Database) in the kernel usually triggers racoon.  racoon usually sends all informational messages, warnings and error messages to syslogd(8)
     with the facility LOG_DAEMON and the priority LOG_INFO.  Debugging messages are sent with the priority LOG_DEBUG.	You should configure
     syslog.conf(5) appropriately to see these messages.

     -4

     -6      Specify the default address family for the sockets.

     -B      Install SA(s) from the file which is specified in racoon.conf(5).

     -d      Increase the debug level.	Multiple -d arguments will increase the debug level even more.

     -F      Run racoon in the foreground.

     -f configfile
	     Use configfile as the configuration file instead of the default.

     -L      Include file_name:line_number:function_name in all messages.

     -l logfile
	     Use logfile as the logging file instead of syslogd(8).

     -P isakmp-natt-port
	     Use isakmp-natt-port for NAT-Traversal port-floating.  The default is 4500.

     -p isakmp-port
	     Listen to the ISAKMP key exchange on port isakmp-port instead of the default port number, 500.

     -v      This flag causes the packet dump be more verbose, with higher debugging level.

     racoon assumes the presence of the kernel random number device rnd(4) at /dev/urandom.

RETURN VALUES

     The command exits with 0 on success, and non-zero on errors.

FILES

     /etc/racoon.conf  default configuration file.

SEE ALSO

     ipsec(4), racoon.conf(5), syslog.conf(5), setkey(8), syslogd(8)

HISTORY

     The racoon command first appeared in the ``YIPS'' Yokogawa IPsec implementation.

SECURITY CONSIDERATIONS

     The use of IKE phase 1 aggressive mode is not recommended, as described in http://www.kb.cert.org/vuls/id/886601.

BSD
								 November 20, 2000							       BSD