I need to be able to update the scheduled run times for various jobs from a web page and I am looking for a secure way to do it on a Red Hat Enterprise Linux system. Obviously editing the crontab file directly is a no-no and we limit PHP access to its application directory anyway. Best I can can come up with is to create the updated file in the application directory (one level below webroot) then sudo exec a script that validates the file and moves it into the cron.d directory. Is this secure or is there a better way to do it?
我需要能够从网页更新各种作业的预定运行时间,我正在寻找一种在Red Hat Enterprise Linux系统上执行此操作的安全方法。显然直接编辑crontab文件是禁止的,我们无论如何都限制了对其应用程序目录的PHP访问。我能想到的最好的方法是在应用程序目录(webroot下面一层)创建更新的文件,然后sudo执行一个验证文件并将其移动到cron.d目录的脚本。这是安全还是有更好的方法吗?
Thanks
Mark
3 个解决方案
#1
0
How about using the crontab
command? You could create a file in /tmp called newcronjobs.txt with the cron entries you want to add. And the call crontab /tmp/newcronjobs.txt
This should add all of the new jobs. I would assume this is pretty secure but just a thought.
使用crontab命令怎么样?您可以在/ tmp中创建一个名为newcronjobs.txt的文件,其中包含您要添加的cron条目。并调用crontab /tmp/newcronjobs.txt这应该添加所有新的作业。我认为这是非常安全的,但只是一个想法。
#2
1
Your best bet would be to find one of the various crontab packages out there that are basically some scripts that emulate crontab. Unless you have the ability to install something like CPanel or Plesk.
你最好的选择是找到一个各种crontab包,其中基本上是一些模拟crontab的脚本。除非你能够安装像CPanel或Plesk这样的东西。
#3
0
To me, this seems like a huge security hole and I definitely wouldn't recommend writing either directly or indirectly to crontab. Should you somehow overlook even one small part of securing the "validators" you mention above, a malicious user would easily be able to compromise your entire server.
对我来说,这似乎是一个巨大的安全漏洞,我绝对不会建议直接或间接写入crontab。如果您在某种程度上忽略了保护上面提到的“验证器”的一小部分,恶意用户很容易就会破坏整个服务器。
Follow Jim's solution and use some sort of framework if possible; hopefully open source and under active development by multiple developers.
遵循Jim的解决方案并尽可能使用某种框架;希望开源并由多个开发人员积极开发。
If all of the processes to be added are similar, I would recommend an alternative, such as creating a cron job that will execute one specific script as a non-privileged user every lowest common denominator number of minutes and add all the functionality to execute the other processes to this one file and make sure you hard code as much as possible and rely as little as possible on user input and make sure you escape everything that the user inputs.
如果要添加的所有进程都相似,我建议使用另一种方法,例如创建一个cron作业,该作业将作为非特权用户执行一个特定脚本,每个最小公分母分钟数,并添加所有功能以执行这个文件的其他进程,并确保尽可能多的硬编码,并尽可能少地依赖用户输入,并确保您逃避用户输入的所有内容。
#1
0
How about using the crontab
command? You could create a file in /tmp called newcronjobs.txt with the cron entries you want to add. And the call crontab /tmp/newcronjobs.txt
This should add all of the new jobs. I would assume this is pretty secure but just a thought.
使用crontab命令怎么样?您可以在/ tmp中创建一个名为newcronjobs.txt的文件,其中包含您要添加的cron条目。并调用crontab /tmp/newcronjobs.txt这应该添加所有新的作业。我认为这是非常安全的,但只是一个想法。
#2
1
Your best bet would be to find one of the various crontab packages out there that are basically some scripts that emulate crontab. Unless you have the ability to install something like CPanel or Plesk.
你最好的选择是找到一个各种crontab包,其中基本上是一些模拟crontab的脚本。除非你能够安装像CPanel或Plesk这样的东西。
#3
0
To me, this seems like a huge security hole and I definitely wouldn't recommend writing either directly or indirectly to crontab. Should you somehow overlook even one small part of securing the "validators" you mention above, a malicious user would easily be able to compromise your entire server.
对我来说,这似乎是一个巨大的安全漏洞,我绝对不会建议直接或间接写入crontab。如果您在某种程度上忽略了保护上面提到的“验证器”的一小部分,恶意用户很容易就会破坏整个服务器。
Follow Jim's solution and use some sort of framework if possible; hopefully open source and under active development by multiple developers.
遵循Jim的解决方案并尽可能使用某种框架;希望开源并由多个开发人员积极开发。
If all of the processes to be added are similar, I would recommend an alternative, such as creating a cron job that will execute one specific script as a non-privileged user every lowest common denominator number of minutes and add all the functionality to execute the other processes to this one file and make sure you hard code as much as possible and rely as little as possible on user input and make sure you escape everything that the user inputs.
如果要添加的所有进程都相似,我建议使用另一种方法,例如创建一个cron作业,该作业将作为非特权用户执行一个特定脚本,每个最小公分母分钟数,并添加所有功能以执行这个文件的其他进程,并确保尽可能多的硬编码,并尽可能少地依赖用户输入,并确保您逃避用户输入的所有内容。