
I'm trying to run the "useradd" command on CentOS but I can't, because I need root permissions.

In my phpinfo() I have '--disable-posix'. I have tried to re-install my PHP, and tried to enable posix with yum and other options, but no luck.

Can someone help me enable posix, or suggest some other solution? I notice that posix_getuid() is working, but posix_setuid() is not.

Any solution?

All I need is to add a user to passwd (as root) with the useradd command, triggered by a "user click". What is the best and most secure way to do this?

Thanks a lot!

Koren Or

user692601
  • You really, really shouldn't do this: if Apache is allowed root access, then even the smallest error/bug would give an attacker complete control over your server. I'm not sure, but if you absolutely want this, I would probably recommend writing to a file, then having another PHP daemon running with root access read from that file and have it update passwd. But really, you shouldn't. – Andreas Sep 04 '11 at 15:41
  • But still, if I give file permissions, then an attacker can also write something to the file that gives him permission for all the directories on my server, and not a jail or chroot. – user692601 Sep 05 '11 at 07:04
  • Exactly, but given that you would update passwd/etc with PHP separately from the Apache request, it would now be up to you to also implement reasonable security measures... like not allowing root access, logging changes, approving changes?, etc. But indeed, it's simply less bad, but it's still very bad. – Andreas Sep 05 '11 at 07:51

5 Answers


You want to read the suEXEC documentation: http://httpd.apache.org/docs/2.2/suexec.html. Then rethink how your application works and figure out a better/safer way.

Krunch
  • Merely suEXEC alone won't allow him to run stuff as *root*. suEXEC is good for running web apps under their own non-root user, separated from each other. – Jürgen Strobel Sep 04 '11 at 21:42

You could use sudo for doing this. Run visudo and put in something like

apache ALL = (ALL) NOPASSWD: /usr/sbin/useradd

Actually, if you have SELinux enforcing it will not work, and instead of using useradd I would recommend writing a wrapper script which sets the environment properly and does sanity checks before running useradd.

OlivierS
  • This is terrible advice: you should not be granting root access to the web server. – Foo Bah Sep 04 '11 at 16:14
  • Seriously, you don't wanna do this. – 0xAli Sep 04 '11 at 16:21
  • Yes, but the question is: "I'm trying to run the "useradd" command in CENTOS". My answer provides a solution. The question is not "how do I properly update the root password via a web interface", nor "how do I learn how to be a decent webmaster". The question is very precise and my answer is also very precise. – OlivierS Sep 04 '11 at 17:17
  • Tell him the "right" answer, not the correct one, and your answer is very precise, yes.. – 0xAli Sep 04 '11 at 18:06
  • Given the question sets up a bad base from a security point of view, this answer is good. A warning and advice to read the full sudo man page before doing anything would complement it nicely. – Jürgen Strobel Sep 04 '11 at 21:55
  • I do want the best-secured answer, and not some working answer that is not secured. Thanks. – user692601 Sep 05 '11 at 07:13

I'd suggest writing a shell script which will call useradd via sudo.

You can add specific commands for specific users to /etc/sudoers (edited by visudo command)

Should be something like this:

Cmnd_Alias USERADD = /usr/sbin/useradd *

apache ALL=(root) NOPASSWD: USERADD

calling useradd:

sudo /usr/sbin/useradd USERNAME

Do not forget to validate your input in both php script and shell script.

Dmitry Alexeyev
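The wrapper script that OlivierS and Dmitry both recommend, written out as an added example; this is not code from either answer. It assumes the script is installed as /usr/local/sbin/webuseradd and that the sudoers rule grants apache that single path and nothing else (so the web server never chooses useradd's options); the USERADD variable and the name policy are assumptions made so the checks can be exercised without root.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/webuseradd (path is an assumption).
# The only command sudo lets the web server run is this script, e.g. via visudo:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/webuseradd
# so the web server never picks useradd's options, only the name, and even
# that is checked here before anything runs as root.
set -eu

# Sanitize the environment: fixed PATH and the C locale, so the character
# classes below mean exactly ASCII.
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
LC_ALL=C; export LC_ALL

# Overridable so the checks can be exercised without root (assumption).
USERADD="${USERADD:-/usr/sbin/useradd}"

# Returns 0 only for names that are safe to hand to useradd: first character a
# lowercase letter, then lowercase letters, digits, '_' or '-', at most 32
# characters. Empty names, a leading '-' and shell metacharacters all fail.
validate_username() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# Never touch an account that already exists (root and system accounts included).
user_exists() {
    id "$1" >/dev/null 2>&1
}

add_user() {
    name=$1
    if ! validate_username "$name"; then
        echo "webuseradd: refused invalid user name" >&2
        return 1
    fi
    if user_exists "$name"; then
        echo "webuseradd: account already exists: $name" >&2
        return 1
    fi
    # Fixed, non-interactive options; '--' ends option parsing so the name can
    # never be read as a flag, and no login shell is handed out.
    "$USERADD" --create-home --shell /sbin/nologin -- "$name"
    logger -t webuseradd "created account $name (caller uid $(id -u))" 2>/dev/null || true
}

# Exactly one argument is accepted; nothing else from the caller is trusted.
if [ $# -eq 1 ]; then
    add_user "$1"
fi
```

From PHP the call is then `sudo /usr/local/sbin/webuseradd <name>` with the name validated again on the PHP side first, as Dmitry says; the sudoers rule names the wrapper, not useradd, so a `*` in the rule is no longer needed.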

Sudo could be a quick hack to implement this quickly, but it is hard to secure and there are pitfalls even for the experienced Unix guru.

A different way is to write your own server daemon, running as root, listening on a local Unix domain socket, or a named pipe, or simply looking for files in a certain protected directory. Then message this daemon from your PHP script with the user name to add. Implement only the bare minimum application functionality in this daemon, and everything else in PHP. But do strong input checks in your daemon, sanitize your environment, etc., to be really sure it is the PHP app calling, not someone else.

Jürgen Strobel

Sudo needs to be run interactively (it expects a password)

You shouldn't be granting root access in any way to the web server.

Suexec is an alternative, but you could also just have the web script write to a file and have a cron job that parses the file and processes the commands.

Foo Bah
  • You can save the password in plaintext and pass it in via stdin, but that requires you to grant sudo access for the web server user. – Foo Bah Sep 04 '11 at 16:22
  • No, you can configure sudo to not require a password from specific users. This is still a bad idea though. – IanNorton Sep 04 '11 at 21:56
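The file-based variant of Jürgen's root-side daemon, which is also what Foo Bah's cron-job suggestion amounts to, as an added example; this is not code from either answer. It assumes a spool directory /var/spool/webuseradd that the PHP side can only create files in, a request format of one line `useradd <name>` per `.req` file, and an audit log at /var/log/webuseradd.log; the paths, the request format and the variable names are all assumptions.

```shell
#!/bin/sh
# Hypothetical root-side spool processor (all paths are assumptions). The PHP
# side, running as apache, only ever writes one small file per request into
# $SPOOL, a directory owned by root:apache with mode 1730 so apache can create
# files but not list, read or replace anyone else's. This script runs as root
# from cron (or a systemd timer), never from the web server, so a compromised
# PHP process can at most leave a text file behind for it to reject.
set -eu
LC_ALL=C; export LC_ALL

SPOOL="${SPOOL:-/var/spool/webuseradd}"
USERADD="${USERADD:-/usr/sbin/useradd}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/webuseradd.log}"

# Every decision, accepted or not, goes to the audit log with a timestamp.
audit() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$AUDIT_LOG"
}

# Same strict name policy a sudo wrapper would apply: lowercase letter first,
# then lowercase letters, digits, '_' or '-', at most 32 characters.
validate_username() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

user_exists() {
    id "$1" >/dev/null 2>&1
}

# Handle one request file, which must hold a single line "useradd <name>".
# The file is removed in every case so a bad request is never retried;
# symlinks are refused so root is never tricked into reading elsewhere; and
# only the sanitized file name, never the file contents, reaches the log.
# Returns 0 if an account was created, 1 otherwise.
process_request() {
    file=$1
    base=${file##*/}
    case $base in
        *[!a-zA-Z0-9_.-]*) rm -f -- "$file"; audit "rejected: bad request file name"; return 1 ;;
    esac
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        rm -f -- "$file"
        audit "rejected: $base is not a regular file"
        return 1
    fi
    line=""
    IFS= read -r line < "$file" || true   # first line only; the rest is ignored
    rm -f -- "$file"
    case $line in
        "useradd "*) name=${line#useradd } ;;
        *) audit "rejected: unknown request in $base"; return 1 ;;
    esac
    if ! validate_username "$name"; then
        audit "rejected: invalid name in $base"
        return 1
    fi
    if user_exists "$name"; then
        audit "rejected: $name already exists"
        return 1
    fi
    "$USERADD" --create-home --shell /sbin/nologin -- "$name"
    audit "created $name (request $base)"
}

# Process everything pending and print how many accounts were created.
process_spool() {
    created=0
    for f in "$SPOOL"/*.req; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        if process_request "$f"; then
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# Drain the spool when invoked as the cron job (hypothetical --run flag).
if [ "${1:-}" = "--run" ]; then
    process_spool
fi
```

The PHP side does nothing privileged: it validates the name, writes `useradd <name>` to a fresh `.req` file in the spool, and tells the user the request is queued. Because the processor re-validates everything and deletes each file whether or not it was accepted, the worst a compromised web process can do is fill the spool with requests that end up in the audit log as rejections.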