Server-side scripts running as root, or a viable way of interacting with them from PHP

Posted 2024-10-09 10:39:23 · 6110 words · 11 views · 0 comments


I'm trying to find a way to perform administrative tasks on a local server through different scripts, most of them having actions that require root permissions.

How can I execute these scripts with the least security impact?

Here are some example scripts:

#!/bin/bash
# Creates Apache vhost files and directories for one or more domains.
# Usage: bash crearhosts domain [domain ...] type   (or -h for help)
if [ "$1" = '-h' ]; then
  echo "+-------+-------+-------+-------+-------+-------+-------+-------+-------+"
  echo "+                               Instrucciones                           +"
  echo "+-------+-------+-------+-------+-------+-------+-------+-------+-------+"
  echo 'Para ejecutar el script hay que hacer cd hasta /var/www/scripts/server ..'
  # Quoted so that ">" is printed instead of redirecting output to a file named "bash".
  echo 'ejecutar ----> bash crearhosts $dominio $dominio $dominio $status'
  echo 'Se pueden poner tantos dominios como se quiera sin extensión salvo el último parámetro que ha de ser el tipo de site con los siguientes valores validos:'
  echo localzone1
  echo localzone2
  echo localzone3
  echo "+------------ejemplo-------------+"
  echo 'bash domain domain domain localzone'
  echo "+-------+-------+-------+-------+-------+-------+-------+-------+-------+"
  echo "+                               fin                                     +"
  echo "+-------+-------+-------+-------+-------+-------+-------+-------+-------+"
else

    #+-------+-------+-------+-------+-------+-------+-------+-------+-------+
    #+                               Variables                               +
    #+-------+-------+-------+-------+-------+-------+-------+-------+-------+

    # All arguments as an array; the last element is the site type.
    sites=("$@")

    base="/var/www"
    #+-------+-------+-------+-------+-------+-------+-------+-------+-------+
    #+                               Functions                               +
    #+-------+-------+-------+-------+-------+-------+-------+-------+-------+
    # Copies the vhost template for $domain, rewrites it, and creates the site
    # directories. Some conf file names below differ from the file just copied;
    # they are kept as posted.
    function hostconf(){
      case "$status" in
        aracne)
          cp /var/www/vhosts/template.ethings.com.conf "/var/www/vhosts/${domain}-aracne.ethings.com.conf"
          grep -Rl -e 'ethings/template' "/var/www/vhosts/${domain}-aracne.ethings.com.conf" | xargs sed -i "s:domain/template:domain/${domain}-aracne:g"
          grep -Rl -e 'template' "/var/www/vhosts/${domain}-domain.com.conf" | xargs sed -i "s/template/${domain}-aracne/g"
          mkdir -p "$base/$status/${directorios[0]}-aracne" "$base/$status/${directorios[0]}-dominio/${directorios[1]}" "$base/$status/${directorios[0]}-dominio/${directorios[2]}"
          echo "+---------------------------------------------------------------------------------------------------------------------------------------------+"
          echo "+----------------------No OLVIDE AÑADIR EL DOMINIO ${domain}-domain.com para la ip xxx.xxx.xxx.xxx en su archivo hosts"
          echo "+----------------------------------------------------------------!!!!!!!!!!!!!!!!!!!!---------------------------------------------------------+"
          ;;

        static)
          cp /var/www/vhosts/template.ethings.com.conf "/var/www/vhosts/${domain}.ethings.static.com.conf"
          grep -Rl -e 'ethings/template' "/var/www/vhosts/${domain}.ethings.static.com.conf" | xargs sed -i "s:ethings/template:ethings/static-webs/${domain}:g"
          grep -Rl -e 'template.ethings' "/var/www/vhosts/${domain}.ethings.static.com.conf" | xargs sed -i "s/template.ethings/${domain}.ethings.static/g"
          mkdir -p "$base/ethings/$status-webs/${directorios[0]}" "$base/ethings/$status-webs/${directorios[0]}/${directorios[1]}" "$base/ethings/$status-webs/${directorios[0]}/${directorios[2]}"
          echo "+---------------------------------------------------------------------------------------------------------------------------------------------+"
          echo "+----------------------No OLVIDE AÑADIR EL DOMINIO ${domain}.domain.com para la ip xxx.xxx.xxx.xxx en su archivo hosts"
          echo "+----------------------------------------------------------------!!!!!!!!!!!!!!!!!!!!---------------------------------------------------------+"
          ;;
        *)
          cp /var/www/vhosts/template.domain.com.conf "/var/www/vhosts/${domain}.ethings.com.conf"
          grep -Rl -e 'template' "/var/www/vhosts/${domain}.domain.com.conf" | xargs sed -i "s/template/${domain}/g"
          mkdir -p "$base/ethings/${directorios[0]}" "$base/ethings/${directorios[0]}/${directorios[1]}" "$base/ethings/${directorios[0]}/${directorios[2]}"
          echo "+-------------------------------------------------------------------------------------------------+"
          echo "No OLVIDE AÑADIR EL DOMINIO ${domain}.domain.com para la ip xxx.xxx.xxx.xxx en su archivo hosts"
          echo "+-----------------------------------!!!!!!!!!!!!!!!!!!!!------------------------------------------+"
          ;;
      esac
    }

    #echo ${#sites[@]} +-------+ elements of array  +--------+
    # Every argument except the last is a domain; the last is the site type.
    for ((count=0; count<${#sites[@]}-1; count++))
    do
      directorios=("${sites[$count]}" "html" "logs")
      domain=${sites[$count]}
      status=${sites[${#sites[@]}-1]}
      hostconf "$status"
    done
    /etc/init.d/apache2 restart
fi


As you can see, this script must be run as root, for it has many actions that require it.

Another script:

echo password | python /var/www/google_appengine/appcfg.py --passin --email=email update localapplicationurl


When I run it I get Apache errors with permissions for appcfg.py, even after chmoding it 4755 and visudoing to all all=nopasswd: urlscript/script

And other attempts.

Sorry to post so many questions, but I really need to be able to run many scripts so that people in my company can do it through a web interface.


Thank you for your answer. Well, it is basically a Plesk-type panel personalized to my own needs. That includes creating Samba configurations, vhost configurations, uploading websites to remote servers and also downloading them, automating installation of databases as programmers need, creating user groups, etc. It is a company with over 1000 domains; I set up four local servers for production, and we have scripts for uploading to CDNs in Google and Amazon, etc. I have all this set up in independent scripts but need to somehow get people to do this in a website interface. It would take a lot of work off me (I'm the only one doing this) and let me concentrate on web server optimization and other things. So I need to do this, and most scripts involve SSH connections to at least 30 different servers, or downloading and uploading 100 minisites at once (SSH connections, FTP, etc.), or running Google CDN with Python and the SDK, and so on. Most of this has to be done on behalf of users' needs, that is: get these domains from this server - give the option to select them - select action - run the upload-download-cleanremotecache-erasespecificfilesfolders-etc script.

That is the thing. The good thing about this is that I can block total access to the server by iptables or by local specific MAC addresses in the servers' confs, and so on. It only needs to run locally and be able to run scripts that involve mostly root commands.

I just need to focus on the best way to do it; most things found on Google don't work as expected, or similar. Once I have the approach, the rest is a matter of putting hands to it.

Sorry to go on for so long, but as you see I have a lot of things to do, and my experience in computers and Linux started a year ago.


Comments (1)

流心雨 2024-10-16 10:39:23

I think that the real question here is whether you really need to run those scripts as root from a web interface; that's extremely unsafe and not recommended.

You should log in to the server and install them manually, then leave the web interface to install anything else that does not require root access.

Anyway, I think you can look for some type of solution to this on Google, but it's not recommended and violates the general permissions design of Linux.
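
An added example, not part of the original post or the answer: where a task like the question's crearhosts script does have to be triggered from the web interface, one way to narrow the exposure is a single sudoers rule for the web server account that points at a root-owned wrapper, with the wrapper refusing any argument it does not recognise. The account name www-data, the wrapper path, the sudoers file name and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed deployment (hypothetical):
#   /usr/local/sbin/crearhosts-wrapper   root:root 0755, contains this code
#   /etc/sudoers.d/webpanel:
#     www-data ALL=(root) NOPASSWD: /usr/local/sbin/crearhosts-wrapper
# sudo lets www-data pass any arguments to that one command, so the wrapper
# has to check every argument before root acts on it.
LC_ALL=C; export LC_ALL                      # make a-z mean ASCII only

# One DNS-style label: a-z, 0-9, inner hyphens, 1 to 63 characters.
valid_label() {
  case $1 in
    '' | -* | *- | *[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Allowlist: the two site types named in the posted script's case statement.
valid_type() {
  case $1 in
    aracne | static) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: validate_args domain [domain ...] type
validate_args() {
  [ "$#" -ge 2 ] || { echo "usage: domain [domain ...] type" >&2; return 2; }
  for va_type in "$@"; do :; done            # last argument is the site type
  valid_type "$va_type" || { echo "rejected type: $va_type" >&2; return 1; }
  va_left=$(($# - 1))
  for va_arg in "$@"; do
    [ "$va_left" -gt 0 ] || break
    valid_label "$va_arg" || { echo "rejected domain: $va_arg" >&2; return 1; }
    va_left=$((va_left - 1))
  done
  return 0
}

# Entry point of the deployed wrapper: run_wrapper "$@"
run_wrapper() {
  validate_args "$@" || return 1
  /bin/bash /var/www/scripts/server/crearhosts "$@"
}

# Constructed inputs: the first is accepted, the other three are refused.
for sample in "shop blog static" "shop;id static" "../etc aracne" "shop prod"; do
  if validate_args $sample 2>/dev/null; then echo "accept: $sample"; else echo "reject: $sample"; fi
done
```

Linux ignores the setuid bit on interpreted scripts, so the chmod 4755 mentioned in the question cannot grant root; the sudoers rule is what does. For that reason the wrapper, the script it calls and every directory above them must be writable by root only.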
