Raphael Mankin wrote:
Sudo is purely for interactive use: it requires you to type a password. Suexec is for CGIs; it *might* work for ErrorDocument. However as I said before, suid scripts and the prospect of hackers are not a combination that appeals to me under any circumstances.
If you are determined to do this sort of thing fully automatically write the naughty IPs to a file that is owned by the Apache process, and have a daemon that periodically inspects the file and adds its contents to the iptables/ipchains blocking list.
...a hacker who managed to become the 'apache' user would have the same power in both cases... except that in the latter it might take a little while before they took any effect... the downside of course being that it would take longer for a 'real worm' to be blocked.
What's the problem here with sudo? ...an entry would be added to /etc/sudoers that specifies the apache user and one script it can run... /etc/sudoers and the script would both be unchangeable by the apache user, so I don't see how adding this 'sudoer' entry would make things any worse (assuming that said hacker has gotten in as the apache user by some other means).
Neil
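The file-plus-daemon scheme Raphael describes, as an added example in Python that is not from this thread (the file path, the chain name WEB_BLOCK and the 60-second interval are assumptions). The daemon runs as root, so the security-relevant point is that the file the apache user writes is untrusted input: every line is parsed strictly as one IPv4 address, a few ranges are refused so a compromised apache user cannot lock the admin out, and iptables is invoked without a shell.

```python
import ipaddress
import subprocess
import time
from pathlib import Path

# Assumed names (not from the thread): the web server appends one offending
# IP per line to BLOCKLIST_FILE; this daemon runs as root and reads it.
BLOCKLIST_FILE = Path("/var/lib/apache-blocklist/naughty.txt")
IPTABLES = "/sbin/iptables"
CHAIN = "WEB_BLOCK"  # dedicated chain the admin creates once and hooks into INPUT
# Ranges the daemon refuses to block, so a compromised apache user cannot use
# the file to lock out the admin or the box itself.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_blocklist(text):
    """Return the set of blockable IPv4 addresses in TEXT.
    The file is writable by the apache user, so it is untrusted input: a line
    counts only if it parses as exactly one IPv4 address outside NEVER_BLOCK."""
    good = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.IPv4Address(line)
        except ValueError:
            continue  # hostname, option string, garbage: never reaches iptables
        if any(addr in net for net in NEVER_BLOCK):
            continue
        good.add(str(addr))
    return good

def block_command(ip):
    """argv for one DROP rule; run without a shell so the value cannot add arguments."""
    return [IPTABLES, "-A", CHAIN, "-s", ip, "-j", "DROP"]

def sync_once(already_blocked, text, run=subprocess.run):
    """Add a rule for each address in TEXT not yet blocked; return the new ones."""
    new = parse_blocklist(text) - already_blocked
    for ip in sorted(new):
        run(block_command(ip), check=True)
    return new

if __name__ == "__main__":
    blocked = set()
    while True:  # the periodic inspection the thread describes
        if BLOCKLIST_FILE.exists():
            blocked |= sync_once(blocked, BLOCKLIST_FILE.read_text(errors="replace"))
        time.sleep(60)
```

As the thread notes, this only delays rather than removes what an attacker running as apache can do; what it does add is that the privileged side never executes anything derived from the file except a well-formed address.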