Apache2的权限问题 [英] Apache2 permission problem
问题描述
<我一个href=\"http://stackoverflow.com/questions/5697302/php-shell-exec-touch-redirect-and-adduser\">initially问了一个问题有关如何通过该执行服务器端的PHP脚本的HTML页面创建通过HTML Linux用户(主要是用户注册这或多或少的问题命令 shell_execute(用户的adduser )。但是,从那时起,我已经认识到这个问题与Apache用户做的。
默认的Apache用户是www数据。这工作得很好大部分的时间,你可以指定文件或文件夹无论是www数据的用户,或WWW的数据组。但是,当你需要的root访问权限就复杂的问题。要创建新的Linux用户,我第一次尝试这样的事情
了shell_exec(SSH -v根@ $服务器\\useradd的--password`回声\\$密码\\| makepasswd --clearfrom = - --crypt-MD5 | awk的{打印$ 2}'`-m $用户名\\);
即使我公开/私有密钥,允许用户从WWW的数据,以根密码的条目,我不知道到底哪里把这些键。看来WWW的数据没有主文件夹。 PHP的命令了shell_exec(回声$ HOME)或了shell_exec(回声$ USER)返回空/空串。但是,命令了shell_exec(WHOAMI)正确返回WWW的日期。我尝试过其他方法来发现主文件夹,如了shell_exec(CD〜),但是,导致错误。有没有找出一些办法,其中SSH搜索,每个用户,寻找公钥/私钥的时候?到目前为止我试过 /家庭/ www数据/的.ssh / 和/var/www/.ssh 。
另外,我试过
了shell_exec(回声超级用户口令|须藤useradd的-S'--password回声\\输入mypassword \\| makepasswd --clearfrom = - --crypt-MD5 | awk的'{$打印2 }'`-m罗洛);
但是,抱怨说,超级用户口令我用不正确。看来用户WWW的数据有不同的root密码!事实上,我甚至不知道它的密码是什么。
有人能引导我在正确的方向,我怎么能解决这个问题。我需要能够为每个注册新的人创建的Linux用户。
感谢
shell_execute(用户的adduser)
这是可怕的,糟糕的,危险的。
了shell_exec(SSH -v根@ $服务器
OMG! - 这是更糟糕
看来WWW的数据没有主文件夹
真的吗?什么让你有那个想法?然而,问题是没有实际意义,因为,除非你是设置一个蜜罐允许根SSH访问不是解决问题的办法。
假设你真的,真的需要从网络服务器,创建用户要做到这一点是正确的方式:
- 创建useradd的周围的包装只接受一个放慢参数 - 新用户名 - 为prevent滥用的adduser通过暴露的附加功能
- 请通过
的须藤脚本可运行的根,没有密码(实际上,试图隐藏在code中的密码并没有真正安全帮助)。见sudoers的NOPASSWD标签另外,设置为通过[X]的inetd其内容的共享秘密,并从标准输入用户名和运行的adduser作为root,限制对本地主机连接的脚本,并设置你的PHP脚本通过套接字这一沟通。
I initially asked a question about how to create linux users via HTML (essentially the user registers via an HTML page which executes a server side PHP script which more or less issues the command
shell_execute("adduser user"). But, since then, I have come to realize that the problem has to do with the Apache user.The default apache user is www-data. This works fine most of the time, as you can assign files or folders to either the www-data user, or the www-data group. However, it complicates issues when you need root access. To create new linux users, I first tried something like this
shell_exec("ssh -v root@$server \"useradd --password `echo \"$password\" | makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'` -m $username\" ");Even if I made public/private keys to allow passwordless entry from user www-data to root, I don't exactly know where to put these keys. It appears www-data has no home folder. The php command
shell_exec("echo $HOME")orshell_exec("echo $USER")returns null/empty string. However, the command "shell_exec("whoami")correctly returns www-date. I tried other ways to discover the home folder, such asshell_exec("cd ~"), however, that caused an error. Is there some way of finding out where ssh searches, per user, when looking for public/private keys? I have so far tried/home/www-data/.ssh/and /var/www/.ssh.Alternatively, I tried
shell_exec("echo root_password | sudo -S useradd --password `echo \"mypassword\" | makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'` -m rolo ");But that complains that the
root_passwordI used is incorrect. It appears user www-data has a different root password! In fact, I don't even know what its password is.Can someone steer me in the right direction as to how I can resolve this issue. I need to be able to create linux users for every new person that registers.
Thanks
解决方案shell_execute("adduser user")
This is scary, bad, dangerous
shell_exec("ssh -v root@$server
OMG - that's even worse!
It appears www-data has no home folder
really? What makes you think that? However the question is moot since, unless you are setting up a honeypot allowing root ssh access is not the way to solve the problem.
Assuming that you really, really need to create users from the webserver, the right way to do this would be:
- Create a wrapper around useradd which only takes a single paramter - the new username - to prevent abuse of the additional functionality exposed via adduser
- Make the script runnable as root via
sudowith no password (really, trying to 'hide' the password in your code doesn't really help with security). See theNOPASSWDtag for sudoersAlternatively, set up a script via [x]inetd which reads a shared secret and a username from stdin and runs adduser as root, restrict connections to localhost and set up your PHP script to communicate with this via sockets.
这篇关于Apache2的权限问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
