[sudo-users] php edit of sudoer file

Shawn McMahon syberghost at gmail.com
Fri Dec 14 20:28:52 EST 2012


On Dec 14, 2012 5:41 PM, "Robert Lefebvre" <robert.r.lefebvre at gmail.com>
wrote:
>
> I had started building a php script that would have enabled logged in
> teachers to use a php script that would modify the etc/shadow file to
> temporarily deactivate errant students as users. I couldn't get my script to
> write to the file until I realized it was a permissions issue. I don't want
> to leave the permissions changed so another approach would be to make php a
> user in the sudo group so it could write to the shadow file. Some warned
> that php was not that secure, that I shouldn't give it sudo rights and, so,
> instead should create an LDAP server.
>
> Does this group have any thoughts on this idea of making php a sudo user?

Look at the man page for the 'passwd' command. On most OSes it has a flag
to disable a user. That would be better than letting your php script edit
the shadow file directly.

I would not give php membership in any group with broad sudo rules; I would
give it only the rule or rules it needs.
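
Added example, not part of the original message: one way to give the web server account only the rule it needs is a single sudoers entry for a small root-owned wrapper that validates its arguments before calling passwd. The wrapper path, the "www-data" account and the "students" group are assumptions.

```shell
#!/bin/sh
# /usr/local/sbin/student-lock (hypothetical path), owned by root, mode 0755.
# Assumed sudoers entry (edit with: visudo -f /etc/sudoers.d/student-lock):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/student-lock
# "www-data" and the "students" group are assumptions; adjust to the site.
LC_ALL=C; export LC_ALL
STUDENT_GROUP="students"

# Accept only plain account names: no options, paths, spaces or shell syntax.
valid_name() {
    case "$1" in
        ""|-*|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# True only if the account exists and belongs to the student group, so a
# well-formed name such as "root" is still refused.
is_student() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$STUDENT_GROUP"
}

# Map the requested action to a passwd flag; anything else is rejected.
action_flag() {
    case "$1" in
        lock)   echo "-l" ;;
        unlock) echo "-u" ;;
        *)      return 1 ;;
    esac
}

main() {
    flag=$(action_flag "$1") || { echo "usage: student-lock lock|unlock USER" >&2; return 2; }
    valid_name "$2" || { echo "rejected user name" >&2; return 3; }
    is_student "$2" || { echo "not a student account" >&2; return 4; }
    /usr/bin/passwd "$flag" "$2"
}

# Do nothing when called without arguments; otherwise exit with main's status.
[ "$#" -eq 0 ] || main "$@"
```

The PHP side would then run only `sudo /usr/local/sbin/student-lock lock USER`. Note that `passwd -l` locks the password only, so an account that can log in with an SSH key is not blocked by it.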

