NYCPHP Meetup

[nycphp-talk] system commands and backups

Rolan rolan at omnistep.com
Tue Mar 4 23:32:23 EST 2003


1) create some shell scripts that do specifically what you want. 
(tar/gzip up directories?)
2) configure sudo so that those scripts can be run as another user 
(authorized to be executable by "nobody")
3) call the scripts from within php.

As always, your script should perform strict sanity checks before 
passing data to the "system call".

~Rolan

Mark Armendariz wrote:

>Actaully, the security concerns you're mentioning is the primary reason
>for my shout to the group.  I really want to offer a good solution, but
>it seems like it leaves a pretty wide hole open.  
>
>Anyone else know of ways to run special user privileged commands with
>half the fat?
>
>Thanks George.
>
>Mark
>
>  
>
>>-----Original Message-----
>>From: George Webb [mailto:gw.nyphp at gwprogramming.com] 
>>Sent: Tuesday, March 04, 2003 7:50 PM
>>To: NYPHP Talk
>>Subject: Re: [nycphp-talk] system commands and backups
>>
>>
>>    
>>
>>>Is there a way to allow a php script to run
>>>shell commands as an admin or specific user?
>>>      
>>>
>>Hi Mark.  I have done this, but before anyone would want
>>to do so, they should recognize the security risks involved.
>>It may be a convenience versus security issue, wherein you
>>may accidentally allow all of your web users (possibly
>>everyone in the world?) to access anything that your user
>>(or worse yet, your 'root' user) can.
>>
>>	So I hope you already know all about that.  Now,
>>to answer your question, you may be able to set the "setuid" 
>>bit on your PHP CGI executable, together with changing the 
>>ownership of the executable itself.  Then you can associate 
>>certain files or directories to use *this* PHP CGI handler 
>>instead of the default (apache module PHP, correct?).
>>
>>	For example, if you want all files ending in '.uphp'
>>to be executed by your special set-user PHP, you might do the 
>>following, which will allow *.php files to be executed 
>>normally, but *.uphp files will be executed by user 'marka' 
>>(or whatever):
>>
>>	1/ Add the following Apache .htaccess lines:
>>
>>Options +ExecCGI
>>AddType cgi-script .cgi
>>Action user-php /php.cgi
>>AddHandler user-php .uphp
>>
>>	2/ Copy your PHP 4.3.1 or later CGI binary to
>>your webserver root, and rename it as described above (php.cgi).
>>
>>	3/ Change the ownership as appropriate, and
>>set the setuid bit:
>>
>>chown marka php.cgi
>>chmod u+s php.cgi
>>
>>	4/ Sit back and wait to be hacked!
>>
>>
>>	One other nice thing is that this PHP parser can
>>have its own php.ini file, which may be different from the
>>one the rest of the webserver uses!
>>
>>	Maybe some other better sysadmins can comment on
>>how to make this setup more secure.  Like these ideas:
>>
>>	1/ Run a separate httpd server on a special port
>>using this special configuration.
>>
>>	2/ Restrict the special port using a firewall or
>>ipchains or whathaveyou.
>>
>>	3/ chroot the filesystem for this special config,
>>so that your whole machine won't get hacked.
>>
>>
>>	Another approach (which maybe I should have mentioned
>>first) is to use 'sudo' to allow your 'nobody' user to do 
>>only certain special tasks.
>>
>>	If your webserver is on a totally private network and
>>you're not worried about system security, you can do a lot 
>>more. But if it's on the Internet, be aware!!!
>>
>>Best, George.
>>
>>
>>George Webb
>>gw.nyphp at gwprogramming.com
>>
>>
>>
>>
>>
>>
>>
>>
>>    
>>
>
>
>
>
>--- Unsubscribe at http://nyphp.org/list/ ---
>
>
>
>  
>




More information about the talk mailing list