NYCPHP Meetup

[nycphp-talk] system commands and backups

Weston Houghton ucsu at anapraxis.com
Tue Mar 4 20:05:39 EST 2003


Well, as of PHP 4.3 you have a command-line interface to PHP. As such  
it becomes much easier to run a php script as a specific user. The  
question then becomes do you need a web interface for it?

Wes


On Tuesday, March 4, 2003, at 07:49  PM, George Webb wrote:

>> Is there a way to allow a php script to run
>> shell commands as an admin or specific user?
>
> Hi Mark.  I have done this, but before anyone would want
> to do so, they should recognize the security risks involved.
> It may be a convenience versus security issue, wherein you
> may accidentally allow all of your web users (possibly
> everyone in the world?) to access anything that your user
> (or worse yet, your 'root' user) can.
>
> 	So I hope you already know all about that.  Now,
> to answer your question, you may be able to set the "setuid"
> bit on your PHP CGI executable, together with changing the
> ownership of the executable itself.  Then you can associate
> certain files or directories to use *this* PHP CGI handler
> instead of the default (apache module PHP, correct?).
>
> 	For example, if you want all files ending in '.uphp'
> to be executed by your special set-user PHP, you might do the
> following, which will allow *.php files to be executed normally,
> but *.uphp files will be executed by user 'marka' (or whatever):
>
> 	1/ Add the following Apache .htaccess lines:
>
> Options +ExecCGI
> AddType cgi-script .cgi
> Action user-php /php.cgi
> AddHandler user-php .uphp
>
> 	2/ Copy your PHP 4.3.1 or later CGI binary to
> your webserver root, and rename it as described above
> (php.cgi).
>
> 	3/ Change the ownership as appropriate, and
> set the setuid bit:
>
> chown marka php.cgi
> chmod u+s php.cgi
>
> 	4/ Sit back and wait to be hacked!
>
>
> 	One other nice thing is that this PHP parser can
> have its own php.ini file, which may be different from the
> one the rest of the webserver uses!
>
> 	Maybe some other better sysadmins can comment on
> how to make this setup more secure.  Like these ideas:
>
> 	1/ Run a separate httpd server on a special port
> using this special configuration.
>
> 	2/ Restrict the special port using a firewall or
> ipchains or whathaveyou.
>
> 	3/ chroot the filesystem for this special config,
> so that your whole machine won't get hacked.
>
>
> 	Another approach (which maybe I should have mentioned
> first) is to use 'sudo' to allow your 'nobody' user to do only
> certain special tasks.
>
> 	If your webserver is on a totally private network and
> you're not worried about system security, you can do a lot more.
> But if it's on the Internet, be aware!!!
>
> Best, George.
>
>
> George Webb
> gw.nyphp at gwprogramming.com
>
>
> --- Unsubscribe at http://nyphp.org/list/ ---
>
>
>
>

------------------------------------------------------------------------ 
---
The selection and placement of letters on this page was
determined automatically by a computer program. Any
resemblance to actual words, sentences, or paragraphs is
pure coincidence, and no liability will be assumed for
such coincidences.
------------------------------------------------------------------------ 
---




More information about the talk mailing list