NYCPHP Meetup

NYPHP.org

[nycphp-talk] system commands and backups

George Webb gw.nyphp at gwprogramming.com
Tue Mar 4 19:49:31 EST 2003 

> Is there a way to allow a php script to run
> shell commands as an admin or specific user?

Hi Mark.  I have done this, but before anyone would want
to do so, they should recognize the security risks involved.
It may be a convenience versus security issue, wherein you
may accidentally allow all of your web users (possibly
everyone in the world?) to access anything that your user
(or worse yet, your 'root' user) can.

	So I hope you already know all about that.  Now,
to answer your question, you may be able to set the "setuid"
bit on your PHP CGI executable, together with changing the
ownership of the executable itself.  Then you can associate
certain files or directories to use *this* PHP CGI handler
instead of the default (apache module PHP, correct?).

	For example, if you want all files ending in '.uphp'
to be executed by your special set-user PHP, you might do the
following, which will allow *.php files to be executed normally,
but *.uphp files will be executed by user 'marka' (or whatever):

	1/ Add the following Apache .htaccess lines:

Options +ExecCGI
AddType cgi-script .cgi
Action user-php /php.cgi
AddHandler user-php .uphp

	2/ Copy your PHP 4.3.1 or later CGI binary to
your webserver root, and rename it as described above
(php.cgi).

	3/ Change the ownership as appropriate, and
set the setuid bit:

chown marka php.cgi
chmod u+s php.cgi

	4/ Sit back and wait to be hacked!


	One other nice thing is that this PHP parser can
have its own php.ini file, which may be different from the
one the rest of the webserver uses!

	Maybe some other better sysadmins can comment on
how to make this setup more secure.  Like these ideas:

	1/ Run a separate httpd server on a special port
using this special configuration.

	2/ Restrict the special port using a firewall or
ipchains or whathaveyou.

	3/ chroot the filesystem for this special config,
so that your whole machine won't get hacked.


	Another approach (which maybe I should have mentioned
first) is to use 'sudo' to allow your 'nobody' user to do only
certain special tasks.

	If your webserver is on a totally private network and
you're not worried about system security, you can do a lot more.
But if it's on the Internet, be aware!!!

Best, George.


George Webb
gw.nyphp at gwprogramming.com

More information about the talk mailing list