0

I would like to execute a php script in a browser that will in turn execute a single linux command and return its output. When I first decided to test this out I created this:

<?php
$command = "ls";
exec($command, $output);
print_r($output);
?>

That worked just fine. But when I changed $command to the command I really wanted to run:

$command = "/etc/init.d/mycontrollerd status /etc/mycontrollerconfig";

it gave me this output:

Array ( [0] => You need root privileges to run this script )

I have been advised to use suexec. However, after examining the man page I can't even tell where to begin. Of course I don't want to create a security risk. So can someone give me the recipe to make my command run and return its output?

BTW, this is on a basic LAMP box running Ubuntu.

EDIT: @womble below recommends sudo over suexec. With security still being paramount, how could I do this?

Kenneth Vogt
    Whoever advised you to use `suexec` should have their breathing privs revoked. Use `sudo`, it's what it's designed for. – womble Aug 08 '11 at 04:50

1 Answer

1

As far as I know, suexec will not grant root privileges (or the privileges of the apache user).

To use suexec, in its simplest form, I believe that you would:

  1. If you are running FastCGI, you will define the path to suexec (I don't believe suexec works for mod_php) (in httpd.conf):

    e.g. FastCgiSuexec /usr/sbin/suexec (which may require changing the permissions on suexec). There is a brief, but somewhat dated, overview here.

  2. Add a line to your VirtualHost to specify the user you want to run as:

    SuexecUserGroup "#UID" "#GID" (replace with actual numbers - keep the number sign)

Other variants would allow you to use suPHP or suexec, setting them up as a handler for all scripts. You need to have the components compiled in and need to be using CGI/FastCGI for your PHP scripts.

Since you currently require root permissions to run that script, you cannot use only suexec. Some of your options are:

  1. Change the permissions of the script - may be difficult/insecure depending on what it does (i.e. a simple chmod won't suffice if the tasks it performs require certain privileges)
  2. use sudo, with the command, from your php script (add the user to sudoers, etc.)
  3. use an external script with setuid

The security of all of the above is questionable at best.

cyberx86
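The sudo option from the answer above, sketched as an added example (not code from the question or the answer). It assumes Apache runs as `www-data` (the Ubuntu default), that sudo lives at `/usr/bin/sudo`, and a sudoers drop-in whose file name is hypothetical; the rule lists the full argument string so the web user can run only the status call.

```php
<?php
// Added example, not code from the original post.
//
// Assumed sudoers drop-in (file name is hypothetical), created with
//   visudo -f /etc/sudoers.d/mycontrollerd
// and containing the single line:
//   www-data ALL=(root) NOPASSWD: /etc/init.d/mycontrollerd status /etc/mycontrollerconfig
// Because the arguments are spelled out, sudo permits only this exact
// invocation for www-data; "start", "stop" or a different config path
// are refused.

// Fixed argument vector: nothing here is taken from $_GET or $_POST.
const STATUS_ARGV = [
    '/usr/bin/sudo',
    '-n',                          // never prompt; fail if no rule matches
    '/etc/init.d/mycontrollerd',
    'status',
    '/etc/mycontrollerconfig',
];

// Runs the one permitted command and returns its exit status and output.
function controller_status(): array
{
    // Quote every element so the shell sees exactly five words.
    $cmd   = implode(' ', array_map('escapeshellarg', STATUS_ARGV));
    $lines = [];
    $exit  = 0;
    exec($cmd . ' 2>&1', $lines, $exit);   // stderr included for diagnosis
    return ['exit' => $exit, 'lines' => $lines];
}

$result = controller_status();
header('Content-Type: text/plain; charset=utf-8');
// Init scripts may return non-zero from "status" when the service is
// stopped, so the exit code is reported rather than treated as an error.
echo 'exit status: ', $result['exit'], "\n";
echo implode("\n", $result['lines']), "\n";
```

If the sudoers rule is missing or does not match, `sudo -n` exits non-zero with a "password is required" message instead of hanging on a prompt, which shows up in the output above.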