Shell Programming and Scripting

Neo, read the initial post, its not about web auth.


I have solved this now. I was on the right track but had to add www-data as a sudoer which is what I was having problems with as webmin wont allow you to do it. You must be using ssh or on the server directly. The other thing required is that www-data have a valid password.

Yes, I read all the posts.

Adding www-data to sudoers in not a very secure way to so this; and it is not the way I would do this and I have been doing this for more than 15 years.

You are making your web-server user id run at super user privileges; and this is not secure.

But, you seem to not want to listen to people with 15 years experience doing what you are trying to do for the first time, so I think better I do not help you; since I have done what you are trying to do many, many times, and have never, ever given a web server super user privs for any task.

Some people just simply like to do things in insecure, not well designed ways; and not listen to those who have done it correctly and securely many times

Good luck!


Note: For anyone else reading this thread in the future. Never run your web server user id (uid) with root privileges or sudo privs (as in the "solution" in this post). Never do it. It is a huge security risk you do not want nor need to ever do. A web server should never run as root or as sudo root or otherwise.

I will second that note. I am 39 years old, have been running windows based servers for around 25 years, I have a certificate 3 and 4 in networking with security components, about half way through my bachelor of comp sci and about to take on my diploma in networking. I have taken steps to completely isolate my servers on the network, including but not limited to multiple gateways, routing, firewalls and port management. Do not do what I am doing as it will open up not only your server but your entire network to attack.


NEO: Please don't be mad with me, I do understand and I do welcome your advice however as mentioned before, I am not concerned with the security issues of privately hosted public minecraft servers.

------ Post updated at 01:42 AM ------

I would like to propose a more secure way of doing this, which after some testing I have found works just as well. Rather than adding www-data to the sudoers, simply use php to write to a file and have a script monitor that file for changes. The limitation is that a script would likely be run on a cron job which I think the minimum interval is 1 minute. If you would like more help with this method, please create a new thread.



Here is the php code to write to the file.

Code:

<?php

if ($_GET['start']) {
  $old_path = getcwd();
  chdir('/my/path/');
  
  # This code will run if ?run=true is set.  
  $output = shell_exec("echo 'start' > ./operations.txt"); # You can also use >> to append.
  echo $output;

  chdir($old_path);
}
?>


<!-- This link will add ?run=true to your URL, myfilename.php?run=true -->
<a href="?start=true" color="green">start</a>

The first thing you should do is to insure you have SSH set up for your entire web server and no non HTTPS traffic is permitted.

The second thing you must do it to set up basic apache2 security to require an htpasswd user id and login for basic authentication access to your web server.

The third thing you must do it so set up iptables so only the handful of IP addresses you control are permitted to even connect to the web server.

These are the bare minimum requirements.

Then, on the PHP side, you do not need to use sudo if you set it up correctly. No good web server admin sets up their web server with the user id of the web server (in your case www-data) in the sudoers file. There are better and more secure ways to do it.... but as you said, you don't care about security, so why should we waste our time.

There is no excuse for setting up apache2 and PHP on a LAMP server in an insecure way; when it can easily be done securely and correctly.

One last point, I'm not angry in the least. I don't have emotions when others do things wrong or in a very insecure way on their servers. In fact, after decades on the net, I don't get angry, upset, or have any emotion about anything in these or other forums or sites; but we admins and moderators will enforce rule violations, and so far you have not broken any rules, LOL . Thank you for always following the forum rules. Much appreciated.

In general, I am concerned about cybersecurity, professionally speaking.

Cheers and good luck!

PS: If you truly have a web server where you do not care in the least about security, then just set up apache2 to run with the userid of root and not www-data and be done with it. LOL.... then you can do whatever you want, insecurely as you like Easy.

We have all of that except for the IP tables as some of the managers are on dynamic IP's. Admittedly I could look at the range they are being assigned and restrict it to that subnet but too much work for too little benefit. It's all working now and im switching to the file method I mentioned above as I was only using www-data as a sudoer because I could find no other option.