Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Allowing PHP to execute a bash script with root permissions

Tags:

bash

php

exec

root

how to allow a PHP script to execute a bash script with root permissions?

Let's say there is a PHP script...

<?php
// location: /var/www/script.php
exec("bash /var/scripts/test.sh"); // "sudo bash ..." does not work
?>

and a bash script ...

#!/bin/bash
# location: /var/scripts/test.sh
sudo mkdir /test

Of course PHP and Apache should not run as root and at best only the script can be executed with root permissions. Any ideas?

Best regards, Jimbo

like image 850
Jimbo Avatar asked Nov 12 '10 19:11

Jimbo

2 Answers

Any PHP-based solution that gives root rights at some point of the chain is dangerous: An attacker with access to the PHP user could gain access to the root user, and that is unacceptable from a security point of view.

I have never implemented this myself, but I'll suggest what I suggested here: Have a script/cron job with root rights frequently scan some location for a sign from the PHP script that a job is to be done - for example, a file with a certain name, or an entry in a jobs database.

If that file is found to exist, the root script does its thing, and removes the file again.

If your PHP script doesn't need direct response from the root script, I think this would be the best way to go. (A response could also be facilitated by the root script writing a status message into the file, of course).

As long as you closely limit what kinds of jobs PHP can write for the root script to do, this is a watertight solution, as it doesn't get the root user into PHP's business.

like image 104
Pekka Avatar answered Sep 21 '22 20:09

Pekka

If don't want wait for cron, here is a simple wrapper in C, what you will call from php.

#include <unistd.h>
#include <errno.h>
#define WEBUID 500
main( int argc, char ** argv, char ** envp ) {
    if( getuid() != WEBUID ) exit(1);
    /* some more security checks */
    if( setuid(geteuid()) ) perror( "setuid error" );
    envp = 0; /* don't want environment - security problem */
    system( "/hardcoded/path/to/script.bash", argv, envp );
}

This compiled wrapper should be owned as root, group "www" and should have "s-bit".
chwon root.www wrapper; chmod 4440 wrapper, so

  • when is executed his effective UID will be root
  • execute it can only group www (web-server's group)
  • and when the UID of the caller is not a web-server will exit
like image 22
jm666 Avatar answered Sep 23 '22 20:09

jm666
Sign in to Comment

Related questions

How can i use HTML5 local storage along side PHP, use that for php sessions, and store other information that php uses
html_entity_decode() isn't working properly?
How to use the explode function in PHP using 2 delimeters instead of 1?
PHP: Using scandir(), folders are treated as files
images in Zend Framework layout
Array diff of specific key within multi-dimensional array
Oracle/PHP - ORA-00911 invalid character on UPDATE
php : SEO friendly urls
setlocale() returns false
How to decode eval( gzinflate( base64_decode(
Why do we need this special === operator?
Save array as xml
Underscore method prefix
Error: Allowed memory size of 67108864 bytes exhausted
Apple Push Notification Service with PHP Script
PHP get days between start-date and end-date
What is the PHP equivalent of Javascript's Date.UTC command?
Is there a PHP Array Group By function?
Determine if UTF-8 text is all ASCII?
Issue with PHP mcrypt function

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!