I am currently running a webserver with Nginx+PHP-FPM, with each site under its own username/GID. I also have a bash script that I use to create a new user along with other necessary stuff. I know I can call a script using shell_exec/suexec, but I am wondering what is the safest way to call a bash script without jeopardizing the security of the server?

At first I was thinking of setting a cron job to run the script, but the account needs to be up instantly, so cron is not going to work.

Also, I've done some searching and some suggest using a PHP daemon to monitor a queue and then run the script when there's a job. I'm not really sure about this (daemon) since I have never had any experience with it.

How can I run my script safely?

Update:
Just to update that I've decided to go with Beanstalkd + pheanstalk combination.

The PHP script will send the job to the queue, and it will then be run by a daemonized PHP script running as a separate user that has the privileges needed.

Chris S
Sam W.

1 Answer

On the specific topic of using exec in PHP and how to be safe, the only thing you need to take care of is to escape arguments.

I.e., don't do this:

exec('myscript ' . $_POST['arg']);

If it's not obvious, just think about what happens if $_POST['arg'] contains ; rm xyz - or worse, if you are sending the output of that command to the screen and it contains ; more /etc/passwd; more db-config.php etc.

Therefore, escape your arguments:

$foo = escapeshellarg($whatever);
exec("myscript $foo");

However, if your bash script requires more privileges than you would ordinarily permit your nginx user to have, you are better off heeding the advice you have found, which disassociates the user running your bash script from the nginx user.

Similar to your PHP daemon suggestion in the question, the PHP app sends a request for the bash script to run, synchronously or asynchronously, using a job queue system. The job queue just sends the request to your bash script, optionally returning the result. In this way you can start the "create new user" bash script as a user with appropriate permissions, without giving your nginx user any extra privileges and risking these permissions being exploited somewhere else in your PHP application code. Gearman, in particular, is very easy to set up.

AD7six
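The worker side of the queue design discussed above, as an added example that is not code from the original question or answer: the privileged worker re-validates each job payload against a strict allowlist and starts the script with an argument array, so no shell ever parses the value. The script path, the JSON payload shape and the function names are assumptions; the queue client (Beanstalkd, Gearman) is left out and the payloads are constructed inline.

```php
<?php
declare(strict_types=1);

// Hypothetical path to the account-creation script (assumption, not from the post).
const CREATE_USER_SCRIPT = '/usr/local/sbin/create-site-user.sh';

// Return the username from a queued job, or null if the job must be rejected.
// The web tier is untrusted, so the privileged worker validates everything itself.
function usernameFromJob(string $payload): ?string
{
    $job = json_decode($payload, true);
    if (!is_array($job) || !isset($job['username']) || !is_string($job['username'])) {
        return null;
    }
    // Allowlist: lowercase letter first, then letters, digits, '_' or '-', max 32 chars.
    // \z instead of $ so a trailing newline cannot slip through.
    return preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $job['username']) === 1
        ? $job['username']
        : null;
}

// Run the script without a shell: proc_open() takes an argv array in PHP >= 7.4.
function runCreateUser(string $username): int
{
    $spec = [0 => ['null'], 1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open([CREATE_USER_SCRIPT, $username], $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    stream_get_contents($pipes[1]); // drain output so the child cannot block
    fclose($pipes[1]);
    return proc_close($proc);
}

// Constructed sample payloads, standing in for jobs reserved from the queue.
$jobs = [
    '{"username":"site42"}',
    '{"username":"x; rm xyz"}',   // the injection string from the answer
    '{"username":"site42\n"}',    // JSON-escaped trailing newline
    'not json',
];
foreach ($jobs as $payload) {
    $user = usernameFromJob($payload);
    // A real worker loop would call runCreateUser($user) here.
    echo $user === null ? "rejected\n" : "would run script for {$user}\n";
}
```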