[sudo-users] Adding PHP securely to sudoers

Robert Lefebvre robert.r.lefebvre at gmail.com
Fri Nov 16 10:07:36 EST 2012


Hello all,

I'm brand new to the mailing list so let me briefly introduce what I do. I
am primarily the network admin for a small private school (about 50
students) for special needs kids. I am brand new at this but did manage to
build an LTSP (Linux Thin Server) network of about 40 older PCs (P4 vintage)
all running from Edubuntu on a 6 core processor/server with 16GB of memory
and on a network of gigabit switches.

We regularly need to discipline students and suspend their computer
privileges which I usually do by either opening up the etc/passwd file and
deleting the student's listing to the users group there (I just leave their
group location empty) or, for a while, I was just adding an exclamation
point (!) in front of their password hash in etc/shadow. I am familiar with
command line ways to do that but I am not looking for 'convenience' at this
point.

But I am also the webmaster of the Intranet (on our Apache localhost). And
I have a section there that is quite well protected by a PHP user access
script so that only teachers have access. A while ago I set out to write a
script enabling the teachers to be able to suspend a student themselves. I
had the goal of not only enabling suspension but through use of a cron to
enable them to do so for a preset period of time. It is just about complete
but I started having concerns about enabling PHP to write to the file(s) in
etc (I mention plural because I would like to create groups of software
apps such as Internet browsers that I (or teachers) could then remove
students from to effect discipline in stages or degrees).

When I posted a similar question on an Edubuntu mailing list the responses
were suggesting two different directions. One was to install and use LDAP
to authenticate and enable privileges. It was compatible with PHP and would
do everything I wanted but in a "more secure way". But even though the
learning curve for it won't be too bad, I am just about finished the PHP
script anyway so I don't need the added issue of LDAP right now (perhaps at
the next network build). I also don't understand how LDAP controls LINUX
(sic how it tells Linux to let the teachers run the php script and to let
the php script change the student's access etc). The other side of LDAP
(where it writes to its own table) is very much like the way PHP writes to
MySQL so that is not an issue for me.

Their second suggestion was that if I was determined to use my own PHP
scripting instead of LDAP then I needed to add PHP to sudoers but they
cautioned that would be a security hole. Now, I stumbled upon your mailing
list so, if I may, I'd like to present the same question to the sudoers
experts for their perspective.

To date, I previously did manage to totally wipe out the passwd file (which
I was able to easily restore with a live CD) and lock myself out (a big
OOPS!) but also discovered the limits of the passwd file. Even if someone
hacked PHP, and PHP had sudoers to write to the passwd file the damage
would be limited. I could restore the file quite quickly. I would
definitely not want php to write to sudoers, nor to shadow but I don't
think php writing to users is a big deal as long as it can't write to the
shadow file (where the encrypted passwords are stored).

Assuming that the above is safe enough, then also I am wondering if opening
up the etc/group file to php is too big because they could write themselves
into a different group?

So, supposing this group could help me write those conditions into the
sudoer file, would it be a wise move? Or is the LDAP idea better?

Thanks in advance

Robert


-- 
BungeeBones.com - A B2B Link Exchange - Free Links in limited locations -
human edited and reviewed - Networked online advertising business
opportunities available through our free, distributed web directory script

