NYCPHP Meetup

NYPHP.org

[nycphp-talk] Can't do PHP 'exec' for an rsync command via web server

David Roth davidalanroth at gmail.com
Tue Jun 26 02:19:01 EDT 2012 

That a good tutorial. I've been using rsync with ssh successfully for a
numbers of years in shell scripts and cron jobs, but not through exec or
system in PHP until now. Which is why it was so frustrating that it wasn't
working with PHP, when I never had problems with rsync/ssh before.

Greg also brings up a good point about security. For me, this is an
in-house server behind a firewall and while I expected to put it in the
DMZ, I've found that's a bad idea, because one afternoon after placing it
in the DMZ I saw in the logs a few of bots trying to break in and do nasty
stuff. So if someone needs access to anything, I put it on an external
hosting service where they are better equipped to handle bot attacks. I
came to this conclusion after a Linux Admin told me he spends time each day
checking for attempted break-ins and blacklisting bots.

Am I asking for trouble by creating ssh keys for apache user under
these circumstances, I certainly hope not, but I've not found an acceptable
work-around. It was mentioned to me that I could also do something with
iptables, but I've not had the time to check it out.

David Roth

On Mon, Jun 25, 2012 at 2:51 PM, Greg Rundlett (freephile) <
greg at freephile.com> wrote:

> Although it's a bit confusing, the man page for rsync describes how to
> invoke SSH to as your remote shell, and the manpage for SSH describes how
> to do key-based authentication.  Taken together, these methods can help
> when a normal user environment is not present (e.g. in a web script, or
> from cron).  This webpage offers a good explanation of HOWTO
> http://troy.jdmz.net/rsync/index.html
>
> Greg Rundlett
>
>
>
> On Mon, Jun 25, 2012 at 1:14 PM, Daniel Convissor <
> danielc at analysisandsolutions.com> wrote:
>
>> Hi David:
>>
>> > It was very wise of Hans to also recommend to create
>> > /home/apache instead of using the default /var/www because a nasty user
>> > could have easily accessed the .ssh directory there and gotten the
>> > public/private keys, and the known hosts.
>>
>> Well, they still do.  Though the attacker would have to be able to
>> add/edit a script on your server, putting in code that reads the
>> files from the /home/apache dir.
>>
>> --Dan
>>
>> --
>>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>>            data intensive web and database programming
>>                http://www.AnalysisAndSolutions.com/
>>        4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335
>> _______________________________________________
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20120626/2a3361a4/attachment.html>

More information about the talk mailing list