Using sudoers to allow php to run command

Solution 1

Your sudoers line is correct in that it only allows www-data to execute the one command as root. The PHP syntax looks mostly correct (you are validating $num to make sure it is a number? Miscellaneous symbols can do real damage here; see http://us3.php.net/manual/en/function.escapeshellcmd.php). The two things that you didn't mention were which Apache MPM you are using, and whether you are running PHP in safe mode. shell_exec does not work in safe mode, and it uses fork, which may not work with all MPMs. I would recommend using the prefork MPM.
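
As an added illustration (not code from the question or from either answer), this is one way to do the number validation Solution 1 alludes to before the value reaches `shell_exec`, paired with a sudoers entry of the shape the answer describes. The `codesend` path and `$num` come from the thread; the function names and the bounded-length check are my own choices.

```php
<?php
// Added example: validate the code before it touches a shell, and keep the
// sudo grant limited to one binary. Helper names are hypothetical.

const CODESEND = '/home/xbian/433Utils/RPi_utils/codesend'; // path from the thread

// Accept only a plain, bounded, non-negative decimal integer; reject all else.
function validateCode(string $raw): ?int
{
    // ctype_digit() rejects signs, whitespace, hex, exponents and empty strings;
    // the length bound keeps the value inside PHP's integer range.
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

function sendCode(string $raw): string
{
    $num = validateCode($raw);
    if ($num === null) {
        throw new InvalidArgumentException('code must be a non-negative integer');
    }
    // After validation $num is an int, so no shell metacharacters can reach the
    // command line; escapeshellarg() is kept as defence in depth.
    $cmd = 'sudo -n ' . CODESEND . ' ' . escapeshellarg((string) $num) . ' 2>&1';
    $out = shell_exec($cmd);
    // shell_exec() returns null (no output or error) or false (no pipe) in PHP 8.
    return is_string($out) ? $out : '';
}

// Matching sudoers entry (install with visudo), granting only this binary:
//   www-data ALL=(root) NOPASSWD: /home/xbian/433Utils/RPi_utils/codesend
// A command listed without arguments may be run with ANY arguments, which is
// exactly why the input validation above matters. `sudo -n` makes the call
// fail immediately instead of hanging on a password prompt if the grant is
// missing or mistyped.
```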

Solution 2

Yes, I think that it's a really bad idea to add the Apache user www-data to the list of sudoers, especially because you include a variable $num inside your code that could seriously harm your server if wrongly injected (especially if used by a sudoer user).

I would suggest instead creating a new group, adding www-data to that group and assigning /home/xbian/433Utils/RPi_utils/codesend to the group. Then give permission for codesend to be executed by all members of that group; you should not be asked for any password and your system will be secure.


Author: user5243421

Updated on September 18, 2022

Comments

  • user5243421
    user5243421 over 1 year

    I have an Activity that should only get created once. That is, onCreate can only be called once. If it's called again, I want the Activity to do nothing.

    Is it advisable to do the following?

    protected void onCreate(Bundle savedInstanceState) {
        this.setTheme(android.R.style.Theme_Translucent_NoTitleBar_Fullscreen);
        super.onCreate(savedInstanceState);
    
        if(onCreateWasCalledAlreadyBoolean) {
            setResult(RESULT_OK);
            finish();
            return;
        }
    
        //Do other stuff here
    }
    
    • Rahul Patil
      Rahul Patil over 10 years
      You can troubleshoot the issue using : shell_exec("sudo /home/xbian/433Utils/RPi_utils/codesend {$num} >/tmp/debug.log 2>&1");
    • Stoopkid
      Stoopkid over 10 years
    I get wiringPiSetup: Must be root. (Did you forget sudo?), which is the same as if I try doing it on the command line without sudo. Edit: whoops, that was with sudo taken out. When I put it back in I get a normal output; the program tells me that it is sending the code. But it simply doesn't work.
  • Stoopkid
    Stoopkid over 10 years
    This doesn't seem to work. I made a new group, added www-data to it, changed the group of the file to this new one, and set the file permissions so that they could all execute it... This codesend program required sudo because of a dependent library; is this supposed to deal with that?
  • hildred
    hildred over 10 years
    @edoardo849 Your solution is less secure than using a properly setup sudo. sudo can be set up to allow a user to only execute one command.
  • forcefsck
    forcefsck almost 10 years
    This isn't more secure than the sudo approach. Both cases allow any web server process to execute a specific script.
  • dotancohen
    dotancohen almost 10 years
    Why is prefork preferred? So long as the system supports thread-safe polling then 'event' is the default MPM. What advantages would switching to 'prefork' achieve?
  • hildred
    hildred almost 10 years
    @dotancohen sudo cgi requires a fork (unless you are using fcgi or similar) which may break threading which breaks several MPMs. There are special workarounds to get mod_cgi to work with event_mpm, but I do not know if they have been ported to mod_php. It is known to work with prefork. (and the bandwidth usage on most sudo applications is not an issue)