  1. #1
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Possible to set Apache user/group programmatically?

    I'm using PHP's exec() function to call AppleScript commands, in order to get data from iTunes, and generate a browser-based remote interface for it. All well and good, but to make it work it's necessary to set Apache's user/group as follows:
    Code:
    User shortname
    Group staff
    Obviously suicidal for a public server, but no serious problem for a personal or local server, which is what it's intended for. Still it's not ideal, and I'd rather not have to make that permanent change.

    My question is - can I automate this change of user in PHP (or possibly using .htaccess directives?) so that users don't have to make that change permanently to their httpd.conf, but only temporarily within the script folder while it's running?
    Last edited by brothercake; 02-08-2006 at 07:42 AM.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

  • #2
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,106
    Thanks
    11
    Thanked 101 Times in 99 Posts
    You can't change user/group in .htaccess, nor as far as I know even in virtual hosts.

    The last time I played with anything similar (Plesk script integration) I ended up having another Apache instance running on a different port as a privileged user to accommodate those requests, which I suppose is just as daft (that's how Plesk itself works~), though you can restrict access to that version of Apache to localhost.

    Perhaps messing with sudo (if available) may be the right track?
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by firepages
    Perhaps messing with sudo (if available) may be the right track?
    How do you mean?

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,106
    Thanks
    11
    Thanked 101 Times in 99 Posts
    If you have sudo installed and add apache/PHP to sudoers then they can do things with elevated privileges. The main point is that you can control exactly what sudoers can and cannot do via /etc/sudoers. The main issue is authentication, so you will probably have to use NOPASSWD:

    apache hostname = NOPASSWD: /your/script

    .... I know very little about sudo so check out http://www.sudo.ws/ for the manual

  • #5
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Okay, that's worth looking into, ta.

    But my main concern was really distribution of the script - if I give it to others to use, I want their setup process to be as simple as possible, preferably without requiring any manual edits to httpd.conf

    But apart from that, I guess it's quite a security risk, isn't it? If the worst case happened and someone gained remote access to my (or a user's) network, it would effectively give them carte blanche to do anything that user can do?

  • #6
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,106
    Thanks
    11
    Thanked 101 Times in 99 Posts
    Well, if Apache is running as a privileged user, then if anyone can access PHP or Perl exec()-type functions via a dodgy CGI or other script, then that's an issue. How likely that is I can't say, but that is the oft-quoted reason not to run Apache as root.

    Problem is, as you say, you don't want your users having to play with the Apache configuration. The only other thing I can think of is to run a PHP or other script as a daemon (running with appropriate permissions) and poll that via PHP socket functions etc., which is probably a lot of work, though there are ready-to-run PHP socket-server scripts out there... and loads of Perl ones!
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
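
    The daemon approach suggested in post #6, sketched as an added example that is not part of the original thread or any poster's code: a helper started by the logged-in desktop user listens on loopback only and maps each request word to a fixed command line, so Apache keeps its unprivileged user and nothing the web side sends reaches a shell. The port number, the command names and the AppleScript strings are assumptions chosen for illustration.

```python
import socketserver
import subprocess

# Assumed allow-list: request word -> exact argv. Text received from the
# web side is only ever used as a dictionary key, never as a command.
COMMANDS = {
    "current_track": ["osascript", "-e",
                      'tell application "iTunes" to get name of current track'],
    "playpause": ["osascript", "-e",
                  'tell application "iTunes" to playpause'],
}

def handle_request(line, run=subprocess.run):
    """Turn one request line into a reply; unknown words are rejected."""
    name = line.strip().decode("ascii", "replace")
    argv = COMMANDS.get(name)
    if argv is None:
        return b"ERR unknown command\n"
    try:
        # argv list, no shell: nothing is parsed or interpolated.
        proc = run(argv, capture_output=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return b"ERR failed\n"
    if proc.returncode != 0:
        return b"ERR failed\n"
    return b"OK " + proc.stdout.strip() + b"\n"

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        # Read at most 256 bytes of one line, answer once, then close.
        self.wfile.write(handle_request(self.rfile.readline(256)))

def serve(port=8765):  # assumed port
    # Bind to loopback only so the helper is not reachable from the network.
    with socketserver.TCPServer(("127.0.0.1", port), Handler) as server:
        server.serve_forever()

if __name__ == "__main__":
    serve()
```

    The PHP page would connect with its socket functions, send one word such as current_track followed by a newline, and read back a single OK or ERR line.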

  • #7
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by firepages
    Well, if Apache is running as a privileged user, then if anyone can access PHP or Perl exec()-type functions via a dodgy CGI or other script, then that's an issue. How likely that is I can't say, but that is the oft-quoted reason not to run Apache as root.
    Perhaps, if that does actually happen to you, you've got bigger security problems than that one Mac anyway

    Quote Originally Posted by firepages
    The only other thing I can think of is to run a PHP or other script as a daemon (running with appropriate permissions) and poll that via PHP socket functions etc., which is probably a lot of work, though there are ready-to-run PHP socket-server scripts out there... and loads of Perl ones!
    That could be a way, yeah - I'll look into it.

    It might also be possible to write a local applescript that edits the file and whatever other settings changes are necessary .. I wanted to avoid writing applescript as much as possible .. it's like telly-tubby language!

    Thanks for your help

