I have a setuid page used by students to check in their programming assignments and to view their grades. The typical usage is:

<pre>
   ~csXXX/bin/checkin key fileName

   ~csXXX/bin/grade key
</pre>

The users must have an account on the department machines. Additionally, anyone may run checkin/grade, but it will only work if they are also registered for the particular class.

Students have requested that they be able to access their grades from a browser on their tablets/smart phones. I was considering something like a PHP page with the following:

<pre>
  &lt;?php
  &lt;pre&gt;
    shell_exec("echo $password" | su - $user -c "~csXXX/bin/grade key")
  &lt;/pre&gt;
  ?&gt;
</pre>

However, this fails with the error message

<pre>
Password: stty: standard input: Inappropriate ioctl for device
</pre>

I believe I want to use su instead of sudo so that the execution is actually as the student. The web page will require the student to log in, so it has access to their id/password. Does anyone have a suggestion of how to do this?

The checkin program is a little more work if it is executed from a web page as it must copy the submitted file to a department machine and then run checkin as the student. We are considering this because some students seem reluctant to ftp files to a department machine and use ssh for the checkin.

I would prefer to wrap the existing programs, as they are well debugged, and allow the students to access the functionality either from a shell or the web.

Thank you.

1 Answer

I would give sudo another look, since it gives you more control. Also, the -S flag on sudo tells it to read a password from stdin rather than from a terminal, so it would work in the context you give above.

I would be very careful with the scheme you're putting together there, though. Especially be careful about quoting shell metacharacters in the password. It seems like there ought to be a better, safer way, but I'm not terribly knowledgeable about PHP.

Joe Z
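
The answer's two points (feeding the password to `sudo -S` on stdin, and the risk from shell metacharacters) can be combined by never invoking a shell at all. This is an added example, not code from the original post or answer: it uses the array form of `proc_open()` (PHP 7.4+), which executes `sudo` directly so the user name, key and password are never parsed by `/bin/sh`. Assumptions: the names `run_grade_as()` and `GRADE_BIN` are hypothetical, the path stands in for `~csXXX/bin/grade`, and sudoers permits the web server account to run that one command as a student and is set (`Defaults targetpw`) to ask for the target user's password rather than the invoking account's.

```php
<?php
// Added example; names and sudoers policy are assumptions (see lead-in).
const GRADE_BIN = '/home/csXXX/bin/grade';   // placeholder for ~csXXX/bin/grade

function run_grade_as(string $user, string $password, string $key): array
{
    // Allow only plain account names and keys; reject everything else outright.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $key)) {
        throw new InvalidArgumentException('invalid key');
    }
    // sudo -S reads one line from stdin, so the password must be a single line.
    if (preg_match('/[\x00\r\n]/', $password)) {
        throw new InvalidArgumentException('invalid password');
    }

    // Array form: each element is one argv entry, no shell is involved.
    // -S  read the password from stdin      -k  ignore cached credentials
    // -p '' suppress the prompt text        --  end of sudo's own options
    $cmd = ['sudo', '-S', '-k', '-p', '', '-u', $user, '--', GRADE_BIN, $key];

    $spec = [
        0 => ['pipe', 'r'],      // child's stdin: we write the password here
        1 => ['pipe', 'w'],      // child's stdout: we read the result here
        2 => ['redirect', 1],    // merge stderr into stdout (one pipe to drain)
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start sudo');
    }

    // The password travels over the pipe only; it never appears in argv,
    // so it is not visible in the process list.
    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);

    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);   // non-zero on a wrong password or a failure

    return ['status' => $status, 'output' => $output];
}
```

When the result is shown on the page, pass `$result['output']` through `htmlspecialchars()` before placing it inside the `<pre>` element.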