Solved

root rights with php

Posted on 2004-09-23
10
275 Views
Last Modified: 2008-03-17
I am trying to write a config program for linux , that must have root rights so it can access the config files. LIke swat or other but in php. How can i do this?

Thanx in advance
0
Comment
Question by:Xumxum
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 12133129
I have never worked lot with linux rights other than chmodding, but I could imagine you are not able to set root right using php, because php itself woul not be set to have root right itself if system configuration is secure.

If you have php installed as root, you possible could use the functions stated in http://www.php.net/exec to call system functions and scripts.

-r-
0
 
LVL 4

Expert Comment

by:aratani
ID: 12133662
It depends on where php is being accessed from. If php is being accessed as a module of apache, then the user running apache must be root for php to get root access. Also, if php is run as stand alone then it must be started by a root user. That would let it access config files etc:-

AJ
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 12137238
aratani is correct - php cannot give itself permissions. Apache must be running as root. You could also look into using suexec, but that's a bit of a hassle. I love PHP, but it's not the best language for this type of application. This is why programs like Webmin (www.webmin.com) have their own web server that runs as root. I suppose that you could build a PHP program that has its own web server built in but it would be pretty difficult, I imagine.

Is this for your own use or are you developing a program to distribute? Also, what programs are you looking to administrate with this tool?

- J
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 

Author Comment

by:Xumxum
ID: 12141002
I found a function in php chown that must be run as root, so there must be a way. But if I run php as root from apache, all of my programs will run as root? Can't I use some sort of authentification , such as PAM or something? Is'nt there a module for this?
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 12146479
Yes. there is a way for PHP to be run as root - but like aratani said, you have to run Apache as root. PHP simply inherits the web server's permissions. Keep in mind that PHP within Apache is only an extension of Apache. So if you run Apache as root, yes, all of Apache's programs and extensions will also have root privileges - a VERY dangerous thing, ESPECIALLY on servers with other users with access to PHP or other programming languages.

In order for a PHP program to run as root, you can do one of 3 things:

Option 1. Login to the shell as root and run the command line version of PHP.

Option 2. Set up Apache to be run as root.

Option 3. Have Apache use suexec to run the command line version of PHP as root.

However, there's no way for Apache to run a specific PHP program (via the Apache PHP module) as root. Allowing that to happen would be an unbelievably large security risk - if someone could do that, then a hacker could potentially run his own scripts as root and hack the server through Apache.

If this isn't for distribution (if it's just for yourself), you could always set up another instance of Apache running as root, but on a different port than 80, so you have an administrative Apache service and a public Apache service. Then you could just develop your own login system to secure your program and so on.

- J
0
 
LVL 4

Expert Comment

by:aratani
ID: 12146597
Yes, it is dangerous to run Apache as root. Never do that since you could probably access your whole filesystem through any file. However, if there are files that don't require root authentication to access Apache could do it if you let that file have permission as the user you are running Apache wiht.

AJ
0
 
LVL 1

Accepted Solution

by:
weznme earned 250 total points
ID: 12158015
giving apache root access is not a vial solution - a single insecure script/config-statement compromises the server's security. take a look at the manpages of SUDO (you might have to install the package) and setuid; they offer way better control: for instance, letting only ONE script access the configfiles. of course you still have to do some sanity checks inside of your script to make it robust and secure.
0
 
LVL 1

Expert Comment

by:weznme
ID: 12158267
hence, another approach: dont access the configfiles directly through fwrite but store the data somewhere else (for instance, when adding a user to the system dont run useradd but store username, password, first and lastname somewhere in a file) and let a cronjob with root priviledges apply the changes to the system.

depending on the purpose, the configs might have to be readable (which isn't good either), at least they are not writeable. when working with many different configs you will have to write a wrapper to merge your changes for every single type of configfile... that's a lot of work. since linux uses loads of different styles/types of configfiles it's not avoidable :)
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 12161203
Doh - I meant SUDO not SUEXEC.

- J
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question