Tech in a Galagzee, Not So Far Away.
System Actions with Web Triggers (UNIX)
Recently, when the data center hosting a server I administer needed to change the IP of the box, I had to make the corresponding DNS change on our DNS server. I knew I wasn’t going to be available at the time the routing change was to occur. Since I didn’t want there to be a service outage, I set up a system event that could be triggered from a password-protected web page (on the same server). Here’s a quick outline of the procedure:
- I created a shell script file /usr/local/sbin/webaction (this was created for a FreeBSD machine, though with minor adaptations it should work on any UNIX/Linux system), made sure it’s owned by “root:wheel” and set the permissions to 700 (user read/write/execute; it could also be 500 for read/execute only, but that makes little difference since root will be able to write either way). In the case of this script, it copies the new DNS zone files in place of the old ones and restarts the DNS server. If executed multiple times, it won’t do any damage or mess things up (this is important since it’s triggered by an external user who doesn’t know the internal workings of the procedure).
- Using the “visudo” command I added sudo execute-without-password privileges for that file to the user that Apache httpd runs under:
Cmnd_Alias WEBCMNDS = /usr/local/sbin/webaction
httpduser ALL = NOPASSWD: WEBCMNDS
- I created a PHP command file in a web-accessible directory protected with .htpasswd (I added the password protection directly into the Apache configuration). The PHP file simply executes the command with sudo, as it is allowed to do, and displays a message to the user:
<html>
<body>
<?php
// The command line is fixed and matches the sudoers entry exactly;
// nothing from the HTTP request is passed to the shell.
$command = "/usr/local/bin/sudo /usr/local/sbin/webaction";
exec($command);
?>
DNS update complete
</body>
</html>
Done! Now when the ISP is ready to make the routing change, they simply point their browser at the URL I provided to them, enter the username and password, and the PHP file executes the shell script through sudo. Since the shell script is written so that it won’t make a mess of things if executed multiple times, and since no parameters can be passed from the web interface to the shell script, things are fairly secure. Obviously this kind of setup is not appropriate in every setting, but for systems with a limited CLI user base it is a handy trick.
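The post only describes what the webaction script does, so here is an added example (not the author’s script) of a webaction-style zone swap written so that repeated triggering is harmless: each staged file is compared against the live copy, checked with named-checkzone when that tool is present, installed by atomic rename, and the server is reloaded only if something changed. The directories STAGED_DIR and LIVE_DIR, the <zone>.db naming and the rndc reload command are assumptions, not taken from the post.

```sh
#!/bin/sh
# Added example, not the post's own script: an idempotent webaction-style
# zone swap. Assumptions (not from the post): new zone files are staged in
# STAGED_DIR as <zone>.db, the served copies live in LIVE_DIR, and the server
# is reloaded with RELOAD_CMD. The script takes no arguments, so nothing the
# web user controls can reach it.
set -eu

STAGED_DIR="${STAGED_DIR:-/usr/local/etc/namedb/staged}"
LIVE_DIR="${LIVE_DIR:-/usr/local/etc/namedb/master}"
RELOAD_CMD="${RELOAD_CMD:-/usr/local/sbin/rndc reload}"

# Install each staged zone over its live counterpart. Prints "changed" if any
# file was replaced and "unchanged" otherwise; a staged zone that fails
# validation is not installed and the function returns 1. Files are compared
# first and swapped with an atomic rename, so a second click on the page is a no-op.
install_zones() {
    staged="$1" live="$2" changed=0
    for src in "$staged"/*; do
        [ -f "$src" ] || continue
        name=$(basename "$src")
        dst="$live/$name"
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue                         # identical content: skip
        fi
        # Refuse to install a zone that named would reject, when the checker exists.
        if command -v named-checkzone >/dev/null 2>&1; then
            named-checkzone -q "${name%.db}" "$src" || {
                echo "invalid zone file $name" >&2; return 1; }
        fi
        tmp=$(mktemp "$live/.$name.XXXXXX")
        cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dst"
        changed=1
    done
    if [ "$changed" -eq 1 ]; then echo changed; else echo unchanged; fi
}

main() {
    result=$(install_zones "$STAGED_DIR" "$LIVE_DIR") || exit 1
    # Reload only when a zone actually changed; repeated runs leave named alone.
    if [ "$result" = changed ]; then $RELOAD_CMD; fi
}

# Run only when installed under the expected name, so the functions above can
# also be sourced and exercised against scratch directories.
[ "${0##*/}" = webaction ] && main
```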
This entry was posted by Ville Walveranta on 20 May 2007 at 00:31, and is filed under Technical.