这个脚本安全吗？

发布于 2024-11-01 05:18:02 字数 838 浏览 1 评论 0原文

我需要执行一些服务器任务。现在我多次听到这是非常不安全的。这是我的解决方案：

将此行添加到 sudoers： www-data ALL=NOPASSWD: /var/private-www/bin/webadmin （无法通过网络访问）

创建了此脚本var/private-www/bin/webadmin：

# Script for executing server tasks.
#
# Arguments:
#  - Password       Required for authentication, not all scripts may run this file
#  - Action         Action to execute
# Exit codes:
#  0                Failed
#  1                Success

# First of all check the password
if [ $1 = "secretpassword" ]
then

whoami
exit 1

else

echo "No access"
exit 0

fi

该文件具有以下权限： 0111

仅对一个帐户启用 SSH 访问。所以除了我（和 www-data）之外，没有人可以执行该脚本。 www-data 现在可以通过执行以下操作来访问此文件： exec('/usr/bin/sudo /var/private-www/bin/webadmin Secretpassword', $output, $status);

这足够安全吗？我怎样才能让它更安全？

原文

I need to execute some server tasks. Now I heard many many times this is very insecure. This is my solution:

Added this line to sudoers:
www-data ALL=NOPASSWD: /var/private-www/bin/webadmin (Not accessible through web)

Created this script var/private-www/bin/webadmin:

# Script for executing server tasks.
#
# Arguments:
#  - Password       Required for authentication, not all scripts may run this file
#  - Action         Action to execute
# Exit codes:
#  0                Failed
#  1                Success

# First of all check the password
if [ $1 = "secretpassword" ]
then

whoami
exit 1

else

echo "No access"
exit 0

fi

The file has these rights:
0111

SSH access is only enabled for one account. So nobody can execute the script, except me (and www-data). www-data can now access this file by doing:
exec('/usr/bin/sudo /var/private-www/bin/webadmin secretpassword', $output, $status);

Is this safe enough? How can I make it more secure?

分享到QQ

分享到微博