?
Solved

root rights with php

Posted on 2004-09-23
10
Medium Priority
?
277 Views
Last Modified: 2008-03-17
I am trying to write a config program for linux , that must have root rights so it can access the config files. LIke swat or other but in php. How can i do this?

Thanx in advance
0
Comment
Question by:Xumxum
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 12133129
I have never worked lot with linux rights other than chmodding, but I could imagine you are not able to set root right using php, because php itself woul not be set to have root right itself if system configuration is secure.

If you have php installed as root, you possible could use the functions stated in http://www.php.net/exec to call system functions and scripts.

-r-
0
 
LVL 4

Expert Comment

by:aratani
ID: 12133662
It depends on where php is being accessed from. If php is being accessed as a module of apache, then the user running apache must be root for php to get root access. Also, if php is run as stand alone then it must be started by a root user. That would let it access config files etc:-

AJ
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 12137238
aratani is correct - php cannot give itself permissions. Apache must be running as root. You could also look into using suexec, but that's a bit of a hassle. I love PHP, but it's not the best language for this type of application. This is why programs like Webmin (www.webmin.com) have their own web server that runs as root. I suppose that you could build a PHP program that has its own web server built in but it would be pretty difficult, I imagine.

Is this for your own use or are you developing a program to distribute? Also, what programs are you looking to administrate with this tool?

- J
0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 

Author Comment

by:Xumxum
ID: 12141002
I found a function in php chown that must be run as root, so there must be a way. But if I run php as root from apache, all of my programs will run as root? Can't I use some sort of authentification , such as PAM or something? Is'nt there a module for this?
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 12146479
Yes. there is a way for PHP to be run as root - but like aratani said, you have to run Apache as root. PHP simply inherits the web server's permissions. Keep in mind that PHP within Apache is only an extension of Apache. So if you run Apache as root, yes, all of Apache's programs and extensions will also have root privileges - a VERY dangerous thing, ESPECIALLY on servers with other users with access to PHP or other programming languages.

In order for a PHP program to run as root, you can do one of 3 things:

Option 1. Login to the shell as root and run the command line version of PHP.

Option 2. Set up Apache to be run as root.

Option 3. Have Apache use suexec to run the command line version of PHP as root.

However, there's no way for Apache to run a specific PHP program (via the Apache PHP module) as root. Allowing that to happen would be an unbelievably large security risk - if someone could do that, then a hacker could potentially run his own scripts as root and hack the server through Apache.

If this isn't for distribution (if it's just for yourself), you could always set up another instance of Apache running as root, but on a different port than 80, so you have an administrative Apache service and a public Apache service. Then you could just develop your own login system to secure your program and so on.

- J
0
 
LVL 4

Expert Comment

by:aratani
ID: 12146597
Yes, it is dangerous to run Apache as root. Never do that since you could probably access your whole filesystem through any file. However, if there are files that don't require root authentication to access Apache could do it if you let that file have permission as the user you are running Apache wiht.

AJ
0
 
LVL 1

Accepted Solution

by:
weznme earned 1000 total points
ID: 12158015
giving apache root access is not a vial solution - a single insecure script/config-statement compromises the server's security. take a look at the manpages of SUDO (you might have to install the package) and setuid; they offer way better control: for instance, letting only ONE script access the configfiles. of course you still have to do some sanity checks inside of your script to make it robust and secure.
0
 
LVL 1

Expert Comment

by:weznme
ID: 12158267
hence, another approach: dont access the configfiles directly through fwrite but store the data somewhere else (for instance, when adding a user to the system dont run useradd but store username, password, first and lastname somewhere in a file) and let a cronjob with root priviledges apply the changes to the system.

depending on the purpose, the configs might have to be readable (which isn't good either), at least they are not writeable. when working with many different configs you will have to write a wrapper to merge your changes for every single type of configfile... that's a lot of work. since linux uses loads of different styles/types of configfiles it's not avoidable :)
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 12161203
Doh - I meant SUDO not SUEXEC.

- J
0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question