PHP Security Question

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Here's my situation: I'm working on a PHP application that adds user
accounts to my system.  However, the PHP script runs on the webserver,
while the accounts need to be created on a different box, which I'll refer
to as "master".  Right now, on "master" I have a script which can create
and destroy directories in /home, and set permissions, etc.  The script is
run by a shell_exec(ssh master sudo create $USER).  I have
setup the web server user to be able to ssh to master without a password,
and use sudo to run without a password.  What I'm worried
about is that any other user able to put up their web page can do the exact
same thing, and delete home dirs.  Is there a more secure way to do this?

Re: PHP Security Question

Quoted text here. Click to load it

How about sending an email, signed a special way with some sort of MD5
hash, that gives particulars on how to create the account to the remote
system.  A script would execute, authenticate the hash, and perform the
account add or other action.

DeeDee, don't press that button!  DeeDee!  NO!  Dee...

Re: PHP Security Question

Quoted text here. Click to load it

Instead of the web server pushing the user info to the master, have the
master pull the info from the web server. As long as the page that master
reads is secured, there is no easy way for another user on the web server to
compromise the system.

Site Timeline