Solved

root rights with php

Posted on 2004-09-23
Last Modified: 2008-03-17
I am trying to write a config program for Linux that must have root rights so it can access the config files. Like swat or others, but in PHP. How can I do this?

Thanks in advance
0
Question by:Xumxum
10 Comments
 
LVL 49

Expert Comment

by:Roonaan
I have never worked a lot with Linux rights other than chmodding, but I could imagine you are not able to set root rights using PHP, because PHP itself would not be set to have root rights if the system configuration is secure.

If you have PHP installed as root, you possibly could use the functions stated in http://www.php.net/exec to call system functions and scripts.

-r-
0
 
LVL 4

Expert Comment

by:aratani
It depends on where php is being accessed from. If php is being accessed as a module of apache, then the user running apache must be root for php to get root access. Also, if php is run as stand alone then it must be started by a root user. That would let it access config files etc:-

AJ
0
 
LVL 34

Expert Comment

by:gr8gonzo
aratani is correct - php cannot give itself permissions. Apache must be running as root. You could also look into using suexec, but that's a bit of a hassle. I love PHP, but it's not the best language for this type of application. This is why programs like Webmin (www.webmin.com) have their own web server that runs as root. I suppose that you could build a PHP program that has its own web server built in but it would be pretty difficult, I imagine.

Is this for your own use or are you developing a program to distribute? Also, what programs are you looking to administrate with this tool?

- J
0
 

Author Comment

by:Xumxum
I found a function in PHP, chown, that must be run as root, so there must be a way. But if I run PHP as root from Apache, all of my programs will run as root? Can't I use some sort of authentication, such as PAM or something? Isn't there a module for this?
0
 
LVL 34

Expert Comment

by:gr8gonzo
Yes, there is a way for PHP to be run as root - but like aratani said, you have to run Apache as root. PHP simply inherits the web server's permissions. Keep in mind that PHP within Apache is only an extension of Apache. So if you run Apache as root, yes, all of Apache's programs and extensions will also have root privileges - a VERY dangerous thing, ESPECIALLY on servers with other users with access to PHP or other programming languages.

In order for a PHP program to run as root, you can do one of 3 things:

Option 1. Login to the shell as root and run the command line version of PHP.

Option 2. Set up Apache to be run as root.

Option 3. Have Apache use suexec to run the command line version of PHP as root.

However, there's no way for Apache to run a specific PHP program (via the Apache PHP module) as root. Allowing that to happen would be an unbelievably large security risk - if someone could do that, then a hacker could potentially run his own scripts as root and hack the server through Apache.

If this isn't for distribution (if it's just for yourself), you could always set up another instance of Apache running as root, but on a different port than 80, so you have an administrative Apache service and a public Apache service. Then you could just develop your own login system to secure your program and so on.

- J
0
 
LVL 4

Expert Comment

by:aratani
Yes, it is dangerous to run Apache as root. Never do that since you could probably access your whole filesystem through any file. However, if there are files that don't require root authentication to access, Apache could do it if you let that file have permission as the user you are running Apache with.

AJ
0
 
LVL 1

Accepted Solution

by:
weznme earned 250 total points
giving apache root access is not a viable solution - a single insecure script/config-statement compromises the server's security. take a look at the manpages of SUDO (you might have to install the package) and setuid; they offer way better control: for instance, letting only ONE script access the configfiles. of course you still have to do some sanity checks inside of your script to make it robust and secure.
0
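The sudo approach from the accepted answer above, as an added example that is not part of the original thread: a root-side helper that is the only command the web server user may run through sudo, and that performs its own sanity checks. The user name `www-data`, the path `/usr/local/sbin/set-config`, the file `/etc/myapp.conf` and the two allowed keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: root-side helper, meant to be the only command the web
# server user may run through sudo. Assumed sudoers entry (edit with visudo;
# user name and path are hypothetical):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/set-config
# PHP would call:  sudo /usr/local/sbin/set-config <key> <value>
# with each argument passed through escapeshellarg().
LC_ALL=C; export LC_ALL
CONF_FILE="${CONF_FILE:-/etc/myapp.conf}"   # hypothetical key=value file

# Sanity checks: only known keys, each with a strict value format.
validate_setting() {
    key=$1 value=$2
    case $key in
        port)
            case $value in ''|*[!0-9]*) return 1 ;; esac
            [ "${#value}" -le 5 ] && [ "$value" -ge 1 ] && [ "$value" -le 65535 ] ;;
        loglevel)
            case $value in debug|info|warn|error) return 0 ;; *) return 1 ;; esac ;;
        *)  return 1 ;;
    esac
}

# Replace (or add) key=value in the file via a temp file and rename.
set_setting() {
    file=$1 key=$2 value=$3
    validate_setting "$key" "$value" || { echo "set-config: rejected" >&2; return 1; }
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if awk -F= -v k="$key" '$1 != k' "$file" > "$tmp" &&
       printf '%s=%s\n' "$key" "$value" >> "$tmp"; then
        mv "$tmp" "$file"     # note: mktemp files are mode 0600
    else
        rm -f "$tmp"; return 1
    fi
}

# Entry point: set-config <key> <value>
if [ "$#" -eq 2 ]; then
    set_setting "$CONF_FILE" "$1" "$2"
fi
```

Because the sudoers rule names one fixed command, a flaw in any other PHP script gives no route to root; everything the web user can change is what `validate_setting` accepts.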
 
LVL 1

Expert Comment

by:weznme
hence, another approach: don't access the configfiles directly through fwrite but store the data somewhere else (for instance, when adding a user to the system don't run useradd but store username, password, first and lastname somewhere in a file) and let a cronjob with root privileges apply the changes to the system.

depending on the purpose, the configs might have to be readable (which isn't good either), at least they are not writeable. when working with many different configs you will have to write a wrapper to merge your changes for every single type of configfile... that's a lot of work. since linux uses loads of different styles/types of configfiles it's not avoidable :)
0
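The queue-plus-cronjob approach from the comment above, as an added example that is not part of the original thread: a script run from root's crontab that re-validates every queued request before calling `useradd`. The queue path and the `username:Firstname:Lastname` line format are assumptions; passwords are left out of the queue in this sketch.

```shell
#!/bin/sh
# Added example: root cron job that applies queued "add user" requests.
# Assumed queue format (constructed for this example): one request per line,
#   username:Firstname:Lastname
# appended by the PHP application, which never runs useradd itself.
LC_ALL=C; export LC_ALL                           # make a-z mean ASCII only
QUEUE="${QUEUE:-/var/spool/myapp/useradd.queue}"  # hypothetical path
USERADD="${USERADD:-useradd}"                     # overridable for dry runs

valid_username() {   # lowercase letter first, then [a-z0-9_-], max 32 chars
    case $1 in ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

valid_name() {       # letters and hyphen only, max 40 chars (a simplification)
    case $1 in ''|*[!A-Za-z-]*) return 1 ;; esac
    [ "${#1}" -le 40 ]
}

# Applies every valid request in the queue file; prints how many were applied.
process_queue() {
    queue=$1 applied=0 lineno=0
    [ -s "$queue" ] || return 0
    work="$queue.work.$$"
    mv "$queue" "$work" || return 1   # take the batch; new requests start a fresh file
    while IFS=: read -r user first last extra; do
        lineno=$((lineno + 1))
        if [ -z "$extra" ] && valid_username "$user" &&
           valid_name "$first" && valid_name "$last"; then
            "$USERADD" -m -c "$first $last" "$user" && applied=$((applied + 1))
        else
            # Do not echo the untrusted fields into the log, only the position.
            echo "useradd queue: rejected entry on line $lineno" >&2
        fi
    done < "$work"
    rm -f "$work"
    echo "$applied"
}

process_queue "$QUEUE"
```

The web application only ever appends text to the queue; the checks that matter run in the root job, so a compromised PHP script can at most request accounts that pass `valid_username` and `valid_name`.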
 
LVL 34

Expert Comment

by:gr8gonzo
Doh - I meant SUDO not SUEXEC.

- J
0
