Running a script via PHP
Ronald Klop
ronald-freebsd8 at klop.yi.org
Tue Oct 1 13:39:55 UTC 2013
On Fri, 27 Sep 2013 23:50:02 +0200, Charles Swiger <cswiger at mac.com> wrote:
> Hi--
>
> On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdmiek at gmail.com>
> wrote:
>> Hello there,
>> It's quite off-topic, but I'm using freebsd-stable,so
>>
>> The priblem is - running a script that requires root privileges via PHP
>> (or
>> probably CGI - I do not care, just want it to be secure and working).
>
> Unfortunately the combination of PHP, doing something which needs root,
> and
> security are inherently contradictory.
>
> The least risky approach would be to invoke the needed command via sudo,
> or
> possibly a small setuid-root C wrapper program which launches only the
> needed script
> with root permissions. Use sudo unless your C wrapper is careful enough
> to use
> exec() and not system(), sanitizes $PATH and other env variables, and
> guards against
> games with $IFS, shell metachars, and such.
>
> Regards,
Use sudo, because your home grown C wrapper will make all the mistakes
which are already solved in sudo. Or will be spotted in the future in sudo
and will never be spotted in your program.
Chances are high that future requirements of your C wrapper will turn it
in a little sudo.
Ronald.
More information about the freebsd-stable
mailing list