NYCPHP Meetup

[nycphp-talk] system commands and backups

Mark Armendariz nyphp at enobrev.com
Tue Mar 4 20:08:31 EST 2003


They are asking for a web interface, but I suppose I could just allow
for settings changes within the interface, while the script uses those
settings to make things happen.  OF course I'll also have to see what
their upgrade schedule is.

Thanks..

Mark

> -----Original Message-----
> From: Weston Houghton [mailto:ucsu at anapraxis.com] 
> Sent: Tuesday, March 04, 2003 8:06 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] system commands and backups
> 
> 
> 
> Well, as of PHP 4.3 you have a command-line interface to PHP. 
> As such  
> it becomes much easier to run a php script as a specific user. The  
> question then becomes do you need a web interface for it?
> 
> Wes
> 
> 
> On Tuesday, March 4, 2003, at 07:49  PM, George Webb wrote:
> 
> >> Is there a way to allow a php script to run
> >> shell commands as an admin or specific user?
> >
> > Hi Mark.  I have done this, but before anyone would want
> > to do so, they should recognize the security risks 
> involved. It may be 
> > a convenience versus security issue, wherein you may accidentally 
> > allow all of your web users (possibly everyone in the world?) to 
> > access anything that your user (or worse yet, your 'root' user) can.
> >
> > 	So I hope you already know all about that.  Now,
> > to answer your question, you may be able to set the "setuid" bit on 
> > your PHP CGI executable, together with changing the 
> ownership of the 
> > executable itself.  Then you can associate certain files or 
> > directories to use *this* PHP CGI handler instead of the default 
> > (apache module PHP, correct?).
> >
> > 	For example, if you want all files ending in '.uphp'
> > to be executed by your special set-user PHP, you might do the 
> > following, which will allow *.php files to be executed 
> normally, but 
> > *.uphp files will be executed by user 'marka' (or whatever):
> >
> > 	1/ Add the following Apache .htaccess lines:
> >
> > Options +ExecCGI
> > AddType cgi-script .cgi
> > Action user-php /php.cgi
> > AddHandler user-php .uphp
> >
> > 	2/ Copy your PHP 4.3.1 or later CGI binary to
> > your webserver root, and rename it as described above (php.cgi).
> >
> > 	3/ Change the ownership as appropriate, and
> > set the setuid bit:
> >
> > chown marka php.cgi
> > chmod u+s php.cgi
> >
> > 	4/ Sit back and wait to be hacked!
> >
> >
> > 	One other nice thing is that this PHP parser can
> > have its own php.ini file, which may be different from the one the 
> > rest of the webserver uses!
> >
> > 	Maybe some other better sysadmins can comment on
> > how to make this setup more secure.  Like these ideas:
> >
> > 	1/ Run a separate httpd server on a special port
> > using this special configuration.
> >
> > 	2/ Restrict the special port using a firewall or
> > ipchains or whathaveyou.
> >
> > 	3/ chroot the filesystem for this special config,
> > so that your whole machine won't get hacked.
> >
> >
> > 	Another approach (which maybe I should have mentioned
> > first) is to use 'sudo' to allow your 'nobody' user to do 
> only certain 
> > special tasks.
> >
> > 	If your webserver is on a totally private network and
> > you're not worried about system security, you can do a lot 
> more. But 
> > if it's on the Internet, be aware!!!
> >
> > Best, George.
> >
> >
> > George Webb
> > gw.nyphp at gwprogramming.com
> >
> >
> > 
> >
> >
> >
> >
> 
> --------------------------------------------------------------
> ---------- 
> ---
> The selection and placement of letters on this page was 
> determined automatically by a computer program. Any 
> resemblance to actual words, sentences, or paragraphs is pure 
> coincidence, and no liability will be assumed for such coincidences.
> --------------------------------------------------------------
> ---------- 
> ---
> 
> 
> 
> --- Unsubscribe at http://nyphp.org/list/ ---
> 
> 
> 
> 
> 





More information about the talk mailing list