Web front-end for Linux: best practices for a Linux web front-end

I want to build a web based front-end to manage/administer my Linux box. E.g. I want to be able to add users, manage the file system and all those sorts of things. Think of it as a cPanel clone but more for system admin rather than web admin.


I was thinking about creating a service that runs on my box and that performs all the system level tasks. This way I can have a clear separation between my web based front-end and the actual logic. The server pages can then make calls to my specialized server or queue tasks that way. However, I'm not sure if this would be the best way to go about this.


I guess another important question would be, how I would deal with security when building something like this?


PS: This is just a pet project and learning experience, so I'm not interested in existing solutions that do a similar thing.


2 answers

#1

1

Have the specialized service daemon running as a distinct user -- let's call it 'managerd'. Set up your /etc/sudoers file so that 'managerd' can execute the various commands you want it to be able to run, as root, without a password.


Have the web server drop "trigger" files containing the commands to run in a directory that is mode '770' with a group that only the web server user and 'managerd' are members of. Make sure that 'managerd' verifies that the files have the correct ownership before executing the command.


Make sure that the web interface side is locked down -- run it over HTTPS only, require authentication, and if at all possible, put in IP-specific ACLs, so that you can only access it from known locations, in advance.


#2

1

Your solution seems like a very sensible solution to the 'root' issue.


Couple of suggestions:


Binding the 'specialised service' to localhost as well would help to guarantee that requests can't be made externally.


Check that requests call functions that perform the actions, rather than directly giving the service full unrestricted access. So call a function "addToGroup(user,group)" instead of a generic "performAction(command)".

