
suPHP execute PHP script as root

开发者 https://www.devze.com 2023-02-24 21:30 Source: Internet

I have created several websites. Now I need to perform root tasks. I created a webplatform and installed. root owns all scripts in /var/private-www/ and they are chmodded (0777). /var/private-www/test.php contains: <?php echo exec('whoami'); ?>. My suPHP config is this:

[global]
;Path to logfile
logfile=/var/log/suphp/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=root

;Path all scripts have to be in
docroot=/var/private-www

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=0

; Minimum GID
min_gid=0


[handlers]
;Handler for php-scripts
application/x-httpd-suphp="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

When I execute test.php in my web browser, it says: www-data :(. Not root... Even when I execute it on the command line. Besides, I did a2enmod suphp and apachectl restart, so I was thinking it would work. How can I fix this?


Take a look at these known web app attacks: OWASP. Running as root and 0777 permissions are both things you should try to avoid.


Short answer: Don't do this.

Any task that needs to be run as root should be done via a cron job.

Why are you trying to do it this way, anyway?


I'm gonna regret saying this, and I don't want to be an enabler, but:

You're probably going to need to recompile. The minimum UID and GID aren't (just) configurable items; there are minimum checks made at compile time as well. There's also no guarantee that there aren't hard-coded checks against running as root.

You really should consider an alternative method of performing your desired tasks that does not involve exposing a web application running as root. A regularly running cron job that checks for uncompleted tasks or a work queue service can easily accomplish these goals. The web-exposed front-end then does not need to run as root.


This is not the answer you are looking for, but you should consider this a bit:

Although there are cases where you would like to do so, running all your PHP scripts as root is in general bad practice and you may face a number of obstacles.

One easy way to avoid this is to use sudo. Add your commands to sudoers for www-data and let your scripts execute an external command with sudo.

Even external PHP scripts can be run as root via sudo. This way you will achieve privilege separation.

Otherwise you will have to run apache+modphp as root or hack the code of suphp.
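As an added illustration of the sudo-based privilege separation this answer describes (example code, not from the thread): PHP keeps running as www-data and only one root-owned helper is reachable through a narrow sudoers rule. The helper path /usr/local/sbin/restart-site and the sudoers file name are assumptions.

```php
<?php
// Added example, not from the original thread. Assumed layout:
//   /usr/local/sbin/restart-site     root-owned, mode 0755 helper script (hypothetical)
//   /etc/sudoers.d/www-data-restart  installed with visudo, containing exactly:
//     www-data ALL=(root) NOPASSWD: /usr/local/sbin/restart-site
// The rule names one absolute path and uses no wildcards, so www-data can run
// only that helper; PHP itself never runs as root.

const HELPER = '/usr/local/sbin/restart-site';

/**
 * Run the privileged helper for a single site name.
 * Returns [exit status, combined stdout/stderr lines].
 */
function run_privileged(string $site): array
{
    // Validate before anything reaches the shell: the site name is the only
    // user-influenced input, so restrict it to a tight allowlist. The helper
    // should re-check its argument as well rather than trust the caller.
    if (!preg_match('/^[a-z0-9-]{1,32}$/', $site)) {
        return [2, ['refused: invalid site name']];
    }
    // Absolute paths only; -n makes sudo fail instead of prompting for a
    // password; escapeshellarg quotes the single argument.
    $cmd = '/usr/bin/sudo -n ' . HELPER . ' ' . escapeshellarg($site) . ' 2>&1';
    exec($cmd, $output, $status);
    return [$status, $output];
}

[$status, $lines] = run_privileged($_GET['site'] ?? '');
header('Content-Type: text/plain');
echo $status === 0 ? "ok\n" : "failed (exit $status)\n";
echo implode("\n", $lines), "\n";
```

Check the rule with visudo -c after installing it, and keep the helper script writable by root only, since anything it executes runs with root privileges.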
