0

I originally asked this question stackEx, and realized it was a much better fit here.

I'm trying to automate the deployment of services on a cluster of hosts from a web-server. I've evoked the php exec function earlier to run simple scripts, and this was not an issue; however it seems the complexity of my current task is requiring further configuration.

I've swapped ssh keys between the hosts and web-server. This is the script tied into php exec as a button:

  # store free memory text as variable


a="/root/pl3bs/a.txt"
b="/root/pl3bs/b.txt"
c="/root/pl3bs/c.txt"

amem=$(cat "$a")
bmem=$(cat "$b")
cmem=$(cat "$c")

# run script on host which has most free memory

if   [ "$cmem" -gt "$amem" ] && [ "$cmem" -gt "$bmem" ]

  then
        ssh 'pl3bs@<ip_redacted>' 'bash -s' < /home/deploy.sh

elif [ "$amem" -gt "$bmem" ] && [ "$amem" -gt "$cmem" ]

  then
        ssh 'pl3bs@<ip2_redacted>' 'bash -s' < /home/deploy.sh

else [ "$bmem" -gt "$amem" ] && [ "$bmem" -gt "$cmem" ]

        ssh 'pl3bs@<ip3_redacted>' 'bash -s' < /home/deploy.sh


fi

So I know this is run from the www-data user, and I know there are issues with permissions, and security risks when jacking with this user to run scripts. I'm trying to do this right. I copied the /root/.ssh directory to /var/www/.ssh directory I created, chown it to www-data, put 700 permissions on the folder, and 600 for the authorized_keys file. It's still not running my script from the php button.

If I run this in the shell with:

sudo -u www-data ./instance.sh

It asks for a password. I swapped keys from the hosts to the web-server, and vice-versa before copying the ones in /root/.ssh to /var/www/.ssh, so why would this still be happening? I know the www-data user is specially restricted for a reason, so am thinking this something else must be done? How do I get this script to run, without causing a security hole?

I've been obsessing over this for nearly 24hrs now, and need a solution. Please, even if you tell me to start from scratch and go it another way, help me out.

Thank you.

pl3bs
  • 25
  • 3
  • I've come to an understanding that my approach is wrong, but have theoretical solutions in mind which I'll attempt to implement when more times can be allocated to this project. Using the apache user the way I'm trying is either not going to work, else is a serious security breach. I'm going to keep the php execution to remedial tasks which can be called on by the root user. An example will be to store user data from text boxes on site into files in specific folders. Run a crontab every few minutes to run a script that checks for these files and does work (lastly cleaning up), else quits. – pl3bs Apr 13 '15 at 10:53

1 Answers1

0

My theoretical solution was success. I have a folder which will store text files from user input. I have a folder for scripts elsewhere on the server that only root has access to, and runs via cronjob every minute. It checks for the existence of text files in the first directory. If they exist, it runs another script to deploy instances, then deletes any text files on the directory, else ends.

I ran simple tests, and it's a viable workaround. Now I just have to apply the bits learned and expand it out until the project is complete.

pl3bs
  • 25
  • 3