
I would like to allow my PHP script (hosted with apache2) to execute commands as another user account.

I don't want another website hosted on the server to be able to connect to that other user account.

If I add a rule in /etc/sudoers, then it will allow any of the websites to use that user.

The solution I came up with was to use ssh with a private key and public key. The PHP script launches an ssh connection to the server it is hosted on, as the desired user account.

Is there another way than my solution with ssh?

Best regards

  • Do you want to execute just that one script with a different account or are you looking for actual permission separation so PHP runs every script in `/home/user1` as `user1` and `/home/user2` as `user2` (paths just to make it understandable)? – Seth Sep 28 '16 at 13:05
  • @Seth: look at the comment I wrote on pacey's answer; it should answer your question. – Pierre Emmanuel Lallemant Sep 28 '16 at 18:04

2 Answers

My gut feeling tells me that what you're doing is a terrible idea. But actually you haven't given enough background on the reason why you'd want that and what the use case is to really tell.

But your thought about sudo is wrong, whether this is a good idea or not.

A sudoers entry is defined as:

  USER HOST = [(RUNAS)] [NOPASSWD:] [!] CMD[,...]

Which means that the user USER is being allowed to run CMD as user RUNAS (if given). So you could construct your sudoers entry like this:

  www-data YOUR-HOSTNAME = (YOUR-USER) NOPASSWD: /path/to/command

This will allow the user www-data on the host specified (or ALL if you give that as YOUR-HOSTNAME) to execute the program /path/to/command as user YOUR-USER without a password.

You can also supply ALL as command, allowing every command YOUR-USER has access to.

Example

With the example values you gave, a sudoers line would consist of the following (assuming mydeployer as the hostname and thedeployer as the username):

  www-data mydeployer = (thedeployer) NOPASSWD: ALL

pacey
  • I've written a deployer: an API receiving calls from github/gitlab when I push with git, and when the CI tests have succeeded. I have a list of public/private keys which allow me to connect to remote servers; they are owned by a specific user in order to prevent www-data from accessing them directly, otherwise any other website hosted would have access to those private keys. What I want is to allow only the deployer to use the right user to execute the ssh call with the private key / public key. – Pierre Emmanuel Lallemant Sep 28 '16 at 18:03
  • If I understand, if I write `www-data https://mydeployer.myserver.com = (thedeployer) NOPASSWD ALL` it will only allow the deployer, or am I misunderstanding? – Pierre Emmanuel Lallemant Sep 28 '16 at 18:09
  • Another solution I have is to set up a password on my deployer user and disable ssh connections to it. Then I would do `echo $password | sudo -S -u myuser ...`. I don't know if it's still insane. – Pierre Emmanuel Lallemant Sep 28 '16 at 21:08
  • @PierreEmmanuelLallemant you should give a `hostname` (see the output of the command `hostname`) instead of a URL, which won't work. I've added an example to my answer with the values you gave. Your other idea is far worse, since you would have to store the password somewhere, which is a massive security problem (also sudo won't accept piped passwords). – pacey Sep 29 '16 at 07:23
  • It will accept it with -S. I will test that today, thanks! – Pierre Emmanuel Lallemant Sep 29 '16 at 07:28
  • Oh, I didn't know. But as mentioned before, this is generally a bad idea because it would force you to store the password somewhere in reach of the www-data user, either in plaintext or in a form of encryption where www-data has access to the key to decrypt it, which is a great security issue. – pacey Sep 29 '16 at 07:57
  • You are right; I wasn't sure, but now it's clearly a bad idea. – Pierre Emmanuel Lallemant Sep 29 '16 at 08:31
You can do that using sudo and a specific sudoers configuration:

Execute the command from PHP as:

  sudo -H -u user2 /your/command parameters

Add to sudoers (with the `sudo visudo` command):

  www-data    ALL=(user2) NOPASSWD: /your/command

This allows apache to run a specific command as another user.

F.Igor
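As an added illustration, not part of either answer, here is a small Python model of how sudo matches the `USER HOST = [(RUNAS)] [NOPASSWD:] CMD[,...]` entry described in pacey's answer, using the entries from both answers. It is deliberately simplified (no aliases, wildcards, negation, Defaults, or argument matching); the user, host and command names come from this thread, while `/usr/bin/ssh` is an assumed path standing in for "some other command" so that a narrow rule can be contrasted with `ALL`.

```python
import re
from typing import NamedTuple, Tuple

# Simplified model of one sudoers line: USER HOST = [(RUNAS)] [NOPASSWD:] CMD[,...]
# (no aliases, wildcards, negation or Defaults; command arguments are ignored).
class SudoersRule(NamedTuple):
    user: str
    host: str
    runas: str
    nopasswd: bool
    commands: Tuple[str, ...]

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"   # USER HOST =
    r"(?:\((?P<runas>[^)]+)\)\s*)?"            # optional (RUNAS)
    r"(?P<nopasswd>NOPASSWD:\s*)?"             # optional NOPASSWD:
    r"(?P<cmds>.+)$"                           # CMD[, CMD...]
)

def parse_rule(line: str) -> SudoersRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple sudoers rule: {line!r}")
    runas = m.group("runas") or "root"         # sudo's default target user is root
    cmds = tuple(c.strip() for c in m.group("cmds").split(","))
    return SudoersRule(m.group("user"), m.group("host"), runas,
                       m.group("nopasswd") is not None, cmds)

def rule_permits(rule: SudoersRule, user: str, host: str, runas: str, command: str) -> bool:
    """True if this rule lets `user` on `host` run `command` (absolute path) as `runas`."""
    if rule.user != user or rule.host not in ("ALL", host) or rule.runas not in ("ALL", runas):
        return False
    return any(c == "ALL" or c.split()[0] == command for c in rule.commands)

def check(sudoers: list, user: str, host: str, runas: str, command: str) -> Tuple[bool, bool]:
    """Return (allowed, password_required); as in sudo, the last matching rule wins."""
    result = (False, True)
    for line in sudoers:
        rule = parse_rule(line)
        if rule_permits(rule, user, host, runas, command):
            result = (True, not rule.nopasswd)
    return result

if __name__ == "__main__":
    broad = ["www-data mydeployer = (thedeployer) NOPASSWD: ALL"]        # pacey's example
    narrow = ["www-data    ALL=(user2) NOPASSWD: /your/command"]          # F.Igor's example
    print(check(broad, "www-data", "mydeployer", "thedeployer", "/usr/bin/ssh"))   # (True, False)
    print(check(narrow, "www-data", "mydeployer", "user2", "/usr/bin/ssh"))       # (False, True)
```

Running it shows why a URL in the HOST field never matches the machine's `hostname`, and why `ALL` as CMD grants every command while a single path grants only that one.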