How can I have a PHP script run a shell script as root?

php scripting permissions shell sudo
18,095

Solution 1

You can't just sudo like that, you need to setup passwordless sudo first in /etc/sudoers file. This can be done with visudo command for example. Make sure you set up privileges in sudoers file in such way to constrain the apache user to that single command you wish to run (i.e. your shell script).

Even then, it poses a security risk, because anyone could create a PHP script and run your shell script in turn. So make sure that shell script itself is secure from alteration by Apache user.

The second part, killall, is even more problematic. You shouldn't just allow Apache to run killall with root privileges. You should wrap killall in another shell script and grant access to that in sudoers.

In the end: do not run Apache with root account and do not use setuid. Both open a can of worms, and since you are a newbie (given the question you asked) you are very likely to miss some of small details that would create potential problems.

Solution 2

  1. Don't run Apache as root. Apache has been designed to cope very well with starting as root and then dropping its privileges just as soon as it can

  2. Don't use sudo within your script either - it'll be too easy to end up with sudo misconfigured such that any script running on your server gets to run any program it likes with root privileges

  3. Look at making your own program run "setuid", so that it gets root privileges, but then drops them (just like Apache does) when it doesn't need them any more

  4. Make sure your "setuid" executable can't be run by anybody who isn't supposed to be able to run it.

Solution 3

I'm not professional in this field, but it looks like you need SUID flag.

Read here for examples or google

Solution 4

You need a layer of abstraction to provide a little security at least!...

The way I do this is to write a simple UDP server* with root privs in Python which: watches out for incoming UDP packets on a given port compares them to a whitelist if they match carry out the operation

You then have a little bit of PHP that messages the Python server with pre-defined messages...

<?php
  $handle = fsockopen("udp://localhost",12345);
  fwrite($handle,"Start Script");
  fclose($handle);
?>

The python server watches for packets on port 12345 but just ignores any that aren't either "Start Script" or "Stop Script", as it runs as root it can happily start your bash script. You ABSOLUTELY MUST use white-listing though, it is REALLY NOT SAFE to send ANY input from a UDP socket to the command line directly!

Do note that UDP can be spoofed so if your firewall permits spoofed inbound traffic (it realy ought not to!) someone could send forged packets to your Python server and stop/start your service. This is unlikely to be a problem but if you can't fix your firewall and you want to guard against it you could rework the above using TCP/IP which can't be spoofed.

Roger Heathcote.

*It's a really trivial server to write ( ~20 lines ) but if you don't know how to then just message me and I will send it to you or post it here.

Solution 5

You don't want to give Apache root.

There's another solution to your problem. The problem is that Apache cannot kill the process because it is owned by root. What you can do is change the owner to 'www-data' which is what Apache is identified as.

If the process is a service and starts up on boot you can add the 

sudo -u www-data <start-up script>

so that www-data would be the owner of that process and hence running the shut-down script would work.

Share:
18,095
John B
Author by

John B

I'm a Web Developer working... um... here! YES, STACK OVERFLOW!!! I've been on the Ads Dev Team for about a year, and was on the Internal Dev Team for a few years before that. I specialize in C# and JavaScript but I dabble in many other languages. Check out my blog: Johnny Code Check out Stuff My Kids Said

Updated on June 05, 2022

Comments

  • John B
    John B almost 2 years

    Running Fedora 9/10, Apache 2, PHP 5...

    Can I run a shell script as root, from a PHP script using exec()?

    Do I just give Apache root priveleges, and then add "sudo" in front of them command?

    Specifically, I'm trying to start and stop a background script.

    Currently I have a shell script that just runs the app, start.sh:

    #!/bin/bash 
/path/to/my/app/appname

    And a script that kills the app, stop.sh:

    #!/bin/bash 
killall appname

    Would I just do:

    <?php
exec("sudo start.sh");
?>

    Thanks in advance.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Execute shell script from php, as root user?
sudo echo "something" >> /etc/privilegedFile doesn't work
Remove files from a root-owned directory using sudo with wildcards
Using sudoers to allow php to run command
Cannot expand asterisk without proper permission
Redirecting stdout to a file you don't have write permission on
Execute a shell script in current shell with sudo permission
Open file or application as root from GUI
Access Denied - S3 resource using Pre Signed URL - PHP SDK
file_put_contents php permissions