I'm building a control panel in PHP. This CP will manage Linux users, their screen sessions and files.

I want to list all approaches and choose the most secure way which will be comfortable for user too.

Broad sudoers file (VERY dangerous!)

/etc/sudoers

wwwuser ALL = NOPASSWD: ALL

This allows any command to be run via www server user. It's security nightmare.

Pros

• All commands are available

Cons

• All commands are available

Wrapper scripts

/etc/sudoers

wwwuser ALL = NOPASSWD: /path/to/scripts/scripts/

This method uses small bash scripts with only few lines. Unfortunately those scripts must take arguments increasing attack surface. For example this script create new user

#/bin/bash useradd $1 -s /bin/bash

I can't list all allowed usernames so I must use args.

Pros

• Only whitelisted commands are allowed if script is called with escapeshellarg()
• Gives elasticity for created usernames, folders etc.

Cons

• Modifying arguments via enduser is imposible eg. for running java applications in screen.

Queue running as root user

In this method all commands that need root rights, are sent to queue. Queue daemon runs as root so it can create users etc.

Pros

• Lower attack surface than allowing wwwuser to run any command
• Elastic arguments to run or filenames to create are no longer a problem

Cons

• Security is mostly dependent on application itself