Running a script via PHP

krad kraduk at gmail.com
Tue Oct 8 13:11:45 UTC 2013


And just to be safe, wrap it all up in a VIMAGE jail.


On 1 October 2013 14:39, Ronald Klop <ronald-freebsd8 at klop.yi.org> wrote:

> On Fri, 27 Sep 2013 23:50:02 +0200, Charles Swiger <cswiger at mac.com>
> wrote:
>
>> Hi--
>>
>> On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdmiek at gmail.com>
>> wrote:
>>
>>> Hello there,
>>> It's quite off-topic, but I'm using freebsd-stable, so
>>>
>>> The problem is - running a script that requires root privileges via PHP
>>> (or probably CGI - I do not care, just want it to be secure and working).
>>>
>>
>> Unfortunately the combination of PHP, doing something which needs root,
>> and security are inherently contradictory.
>>
>> The least risky approach would be to invoke the needed command via sudo,
>> or possibly a small setuid-root C wrapper program which launches only the
>> needed script with root permissions.  Use sudo unless your C wrapper is
>> careful enough to use exec() and not system(), sanitizes $PATH and other
>> env variables, and guards against games with $IFS, shell metachars, and
>> such.
>>
>> Regards,
>>
>
> Use sudo, because your home-grown C wrapper will make all the mistakes
> which are already solved in sudo. Or will be spotted in the future in sudo
> and will never be spotted in your program.
> Chances are high that future requirements of your C wrapper will turn it
> into a little sudo.
>
> Ronald.
>
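
The checks Charles Swiger lists for a setuid-root wrapper (exec rather than system(), a fixed environment, no shell metacharacters), written out as an added example that is not part of the thread. The script path, the single-argument interface and the exit codes are assumptions made for illustration.

```c
/* Added example: setuid-root wrapper that launches exactly one script. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical path; the script must be root-owned and not writable by others. */
#define SCRIPT "/usr/local/sbin/maintenance.sh"

/* Fixed environment: nothing set by the caller (PATH, IFS, LD_*, ENV) survives. */
static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Accept one short token of [A-Za-z0-9_.-] only. This rejects shell
 * metacharacters, whitespace and '/', and a leading '-' or '.' so the value
 * cannot be read as an option or as a relative path component. */
int arg_is_safe(const char *s)
{
    size_t n;

    if (s == NULL || s[0] == '\0' || s[0] == '-' || s[0] == '.')
        return 0;
    n = strlen(s);
    if (n > 64)
        return 0;
    return strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789_.-") == n;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || !arg_is_safe(argv[1])) {
        fprintf(stderr, "usage: wrapper <name>\n");
        return 64;
    }
    /* Set real and effective IDs to root; group first, while still privileged. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 71;
    }
    /* execve() with an absolute path: no $PATH lookup, and argv[1] is passed
     * as a single argument that no shell parses on the way in. */
    char *const args[] = { SCRIPT, argv[1], NULL };
    execve(SCRIPT, args, clean_env);
    perror("execve");   /* reached only if execve() failed */
    return 71;
}
```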

