Forum Moderators: coopster


Need to run command as root

         

DrDoc

6:34 pm on Nov 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



PHP is run as user nobody for obvious reasons. However, I need to be able to run certain system commands from within a PHP script. These commands require being run as root. Is there a way I can force root for these commands, or am I left with no other option than to add a script to the server crontab (for root) which runs constantly?

dcheney

6:44 pm on Nov 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There used to be a decent freeware thing called "sudo", not sure if it's still around or how many OS's it supports - but that might do the trick for you. But be careful - anytime you let scripts have root access there is a potential for a big security mess.

jatar_k

7:14 pm on Nov 1, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> add a script to the server crontab

that's the way I've always done it

jollymcfats

8:27 pm on Nov 1, 2004 (gmt 0)

10+ Year Member



One technique is called a "setuid wrapper". You call a binary that's setuid root, and that binary in turn runs the commands you need run as root.

A setuid Perl script is perhaps the simplest way to do this, plus you get all of Perl's handy regex support for verifying input before you run.

jezra

10:49 pm on Nov 1, 2004 (gmt 0)

10+ Year Member



In theory this should work, however I haven't tested it yet and your mileage may vary. This will require sudo.
www or nobody (depending on your system) needs to be added to the sudoers list for this to work.
Once www is added to the sudoers list the following code should do what you want:

$result = shell_exec("echo YOUR_ROOT_PASSWORD | sudo COMMAND_TO_RUN_AS_ROOT");

As has been mentioned, there are major security issues with this script, and I don't recommend using it.

jollymcfats

11:13 pm on Nov 1, 2004 (gmt 0)

10+ Year Member



That could be made much simpler by setting up sudo to not require a password for the web user.

Actually, you could also limit the sudo privileges to a single command, say a script that runs everything you need to do. You'd have something a bit more secure than a setuid wrapper script.

StupidScript

12:03 am on Nov 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



FYI: "sudo" is a program that gets its permissions instructions from a file called "sudoers" on many Linux systems (don't know the full supported OS list, but RH7 does not have it while RH9 does). Using the command "visudo" as root you can add faux root groups/users, and describe the root-restricted processes you'd like them to have access to or execute. Don't edit the sudoers file manually, as the changes you make won't work.

For instance (DON'T DO THIS!):

In the groups section set up:
User_Alias UADMIN = nobody

And in the actions sections set up:
UADMIN ALL = (ALL) ALL

to let nobody do anything root could do (BAD IDEA!).

You might set up the actions like:

UADMIN ALL = /etc/myscripts/root_script

which would allow "nobody" to run that program even though it is root's.

DrDoc

11:38 pm on Nov 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I wrote a suidperl script... (Related thread: http://www.webmasterworld.com/forum13/3858.htm [webmasterworld.com])

First I was going to simply write a C wrapper and compile it.

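#include <unistd.h>
int main(void) {
    /* "foo.pl" becomes perl's argv[0]; the script path is its first real argument */
    execl("/usr/local/bin/perl", "foo.pl", "/local/web/cgi-bin/foo.pl", (char *)NULL);
    return 1; /* only reached if execl() fails */
}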
...but I have no clue how to get the C program to use variables I pass as arguments, or how to set up a similar structure to that of my suidperl script in this thread [webmasterworld.com], or else I would.


sudo sounds interesting though... might take a closer look.
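
The C wrapper in the last post takes no arguments. As an added example (not code from the thread), this is one way a setuid-root wrapper can forward a single caller-supplied argument: validate it against an allowlist, then exec a fixed target without a shell and with a clean environment. The target path is borrowed from StupidScript's post; the argument policy and the names arg_is_safe and build_argv are assumptions.

```c
/* Added example: setuid-root wrapper forwarding ONE validated argument.
   TARGET comes from the thread; the argument policy is an assumption. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET  "/etc/myscripts/root_script"  /* fixed absolute path, root-owned */
#define MAX_ARG 64
#define ALLOWED "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-"

/* Return 1 only for a short token made of ALLOWED characters that does not
   start with '-' (option injection) or '.', and contains no "..". */
int arg_is_safe(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > MAX_ARG) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    if (strspn(s, ALLOWED) != n) return 0;   /* rejects spaces, ';', '|', '/', ... */
    if (strstr(s, "..") != NULL) return 0;
    return 1;
}

/* Fill argv_out (room for 3 pointers). Returns 0 on success, -1 if rejected. */
int build_argv(int argc, char **argv, char **argv_out)
{
    if (argc != 2 || !arg_is_safe(argv[1])) return -1;
    argv_out[0] = (char *)TARGET;
    argv_out[1] = argv[1];
    argv_out[2] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    /* Fixed, minimal environment: nothing is inherited from the web server. */
    char *clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "IFS= \t\n", NULL };
    char *child_argv[3];
    if (build_argv(argc, argv, child_argv) != 0) {
        fprintf(stderr, "usage: wrapper <name>\n");
        return 2;
    }
    /* Set real ids too, so the target does not run with mixed uid/gid.
       This fails unless the binary is installed setuid root. */
    if (setgid(0) != 0 || setuid(0) != 0) { perror("setuid"); return 1; }
    execve(TARGET, child_argv, clean_env);   /* no shell, no PATH search */
    perror("execve");
    return 1;
}
```

The binary only gains root when it is owned by root with the setuid bit set; restrict execute permission to the web server's group.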