<1012pk0$27hrr$1@dont-email.me>

Path: news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: Lawrence D'Oliveiro <ldo@nz.invalid>
Newsgroups: comp.os.linux.misc
Subject: Re: Simple way for web to execute root shell script.
Date: Mon, 26 May 2025 22:22:56 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 16
Message-ID: <1012pk0$27hrr$1@dont-email.me>
References: <100pphq$2taj$2@dont-email.me> <1012843$amga$1@solani.org>
	<1012gbr$25pes$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 27 May 2025 00:22:56 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="33073bbff005775268e5c429152041b4";
	logging-data="2344827"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+Dutv8FW+GItshU0oyPVct"
User-Agent: Pan/0.162 (Pokrosvk)
Cancel-Lock: sha1:iDMgESG8xiq54D6OG986by8ic0c=

On Mon, 26 May 2025 20:44:58 +0100, The Natural Philosopher wrote:

> On 26/05/2025 18:24, Dominik Ałaszewski wrote:
>
>> One can consider communicating via files. Apache writes a file in a
>> certain location (perhaps with the arguments for the script),
>> script run (as root) is then triggered via inotify mechanism (one can
>> utilise i.e. incron),
>> the results are written to another file, readable by Apache.
>> 
> Why make stuff more complicated than it has to be?

Separation of privileges.

Replace “file + inotify” with “unix socket”, and you have a simpler 
solution that still maintains the same separation of privileges.
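
The Unix-socket arrangement suggested above could look like the following sketch, an added example that is not part of the original post. It assumes Linux (`SO_PEERCRED`); the action names, script paths, socket path and web-server UID are hypothetical.

```python
import os, socket, struct, subprocess

# Hypothetical allowlist: request word -> fixed argv run by the privileged helper.
ACTIONS = {
    "restart-web": ["/usr/local/sbin/restart-web.sh"],
    "rotate-logs": ["/usr/local/sbin/rotate-logs.sh"],
}

def peer_uid(conn):
    """Return the UID of the connecting process (struct ucred: pid, uid, gid)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", creds)[1]

def handle(conn, allowed_uid, actions=ACTIONS, run=subprocess.run):
    """Serve one request. The client only selects a key; it never supplies argv."""
    if peer_uid(conn) != allowed_uid:
        reply = "ERR forbidden"
    else:
        word = conn.recv(64).decode("ascii", "replace").strip()
        argv = actions.get(word)
        if argv is None:
            reply = "ERR unknown action"
        else:
            try:
                result = run(argv, shell=False, timeout=30, capture_output=True)
                reply = f"OK {result.returncode}"
            except subprocess.TimeoutExpired:
                reply = "ERR timeout"
    conn.sendall(reply.encode() + b"\n")
    return reply

def serve(path, allowed_uid):
    """Privileged side: run as root, for example from a service unit."""
    if os.path.exists(path):
        os.unlink(path)
    os.umask(0o177)                      # socket file is created with mode 0600
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chown(path, allowed_uid, 0)   # only the web server's UID may connect
        srv.listen(8)
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5)       # a stalled client must not block the helper
                try:
                    handle(conn, allowed_uid)
                except OSError:
                    pass                 # drop the connection, keep serving
```

The web application connects to the socket and sends a single word such as `restart-web`; starting the helper would be `serve("/run/webhelper.sock", 33)`, with both values being placeholders for the local setup.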