0

Summary

I have Apache running on a Linux machine where a certain program is installed. I want to call the program from a PHP page and get the output.

Special constraint

The program needs certain environment variables to run, e.g. LD_LIBRARY_PATH with the path to the libraries, plus extra variables. The environment is defined for a user X on the machine that is not the apache user.

Proposed options

So far I have thought of the following options (not meaning that they are all smart or safe):

  1. Allow user apache to run the program as user X (in a way that allows having the full environment). Recipe?
  2. Modify the environment of user apache. I don't see how because apache is a nologin user.
  3. SSH to another machine as a user that has the proper environment. This means having a passwordless (public/private keys) connection between the web server and this machine. Is it dangerous?

Questions

  • Did I overlook a simpler or better option?
  • What option would you use and why?
Barth
  • 2. sounds like the best option, I don't know how to do that though - but surely it is possible to set environment variables for the user on startup? Would that be enough? – Pekka Jul 02 '12 at 15:27
  • Yes, it would be enough although the other user is already set up in a standard way therefore I would prefer to reuse it. If I have to do that I could also pass the environment variables when calling the program in PHP. – Barth Jul 02 '12 at 15:35

2 Answers

0

If you know the (values of) environment variables you need to set, you could simply prepend them to your exec:

// VAR=value prefixes on the same command (no ";" in between) end up in the program's environment
exec('LD_LIBRARY_PATH="/you/paths" OTHER_VAR="baz" /your/bin');

That will execute /your/bin with the given ENV variables set, but as the apache user, not user X. If the program needs to run as a specific user, SSH doesn't seem like such a bad idea.

rodneyrehm
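
An added example (not part of the answer above): the same idea without a shell, using proc_open() with an argument array and an explicit environment, so request data cannot alter the command line or the library search path. Assumptions: PHP 7.4 or later; the binary path, library path, variable values, the `--input` flag and the `run_tool` helper are placeholders.

```php
<?php
// Added example, not code from the original post.
// Assumptions: PHP >= 7.4; all paths, values and the --input flag are placeholders.

/**
 * Run a fixed binary with an explicit environment and return [exit code, output].
 * Each element of $args becomes one argv entry; no shell ever parses it.
 */
function run_tool(array $args): array
{
    $command = array_merge(['/your/bin'], array_map('strval', $args));

    // The child gets exactly these variables, nothing inherited from Apache.
    $env = [
        'PATH'            => '/usr/bin:/bin',
        'LD_LIBRARY_PATH' => '/path/to/libs',
        'OTHER_VAR'       => 'baz',
    ];

    $descriptors = [
        0 => ['null'],          // no stdin
        1 => ['pipe', 'w'],     // capture stdout
        2 => ['redirect', 1],   // merge stderr into stdout (one pipe, no deadlock)
    ];

    $proc = proc_open($command, $descriptors, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start /your/bin');
    }

    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exitCode = proc_close($proc);

    return [$exitCode, $output];
}

// Usage: validate the request value before it becomes an argument.
// The pattern forbids a leading "-" so it cannot be read as an option.
$name = $_GET['name'] ?? '';
if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $name)) {
    http_response_code(400);
    exit('invalid name');
}
[$code, $out] = run_tool(['--input', $name]);
header('Content-Type: text/plain');
echo $code === 0 ? $out : "tool failed with exit code $code\n";
```

The process still runs as the apache user; only its environment changes.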
0

Do you have full control over this platform?

You can look into suEXEC or mpm-itk.

You could configure the above within a virtual host, and set the run as user or group to that which has access to your binary.

In your current setup, you could create a new group, assign the apache user/group to said group, apply the group to the binary you want to execute with read/write or read/execute permissions, and let the good times roll.

Mike Mackintosh