Running a script via PHP

Ronald Klop ronald-freebsd8 at klop.yi.org
Fri Sep 27 10:19:33 UTC 2013


On Fri, 27 Sep 2013 11:18:40 +0200, Michael BlackHeart <amdmiek at gmail.com> wrote:

> Hello there,
> It's quite off-topic, but I'm using freebsd-stable, so
>
> The problem is - running a script that requires root privileges via PHP (or
> probably CGI - I do not care, just want it to be secure and working).
>
> It's all about minidlna service (I use upnp to so mediatomb and other are
> no options). On FreeBSD it should be resync-ed manually, so I've got a
> simple script placed in /etc/periodic/daily:
>
> more 957.dlna_update
> #!/bin/sh
> #Script to daily update minidlna DB
>
> a="$*"
>
> if (/usr/local/etc/rc.d/minidlna stop 1>/dev/null);then
>     sleep 10
>     if /usr/local/etc/rc.d/minidlna rescan;then
>         /usr/bin/logger -t minidlna "DB updated."
>         exit 0
>     else
>         /usr/bin/logger -t minidlna "Error. Failed to update DB."
>         exit 1
>     fi
> else
>     /usr/bin/logger -t minidlna "Error. Failed to update DB."
>     exit 1
> fi
>
> And it's working fine to me. But it uses service infrastructure. So when
> I'm trying to run it via PHP it fails. For example, running under an unprivileged
> user:
>
> id
> uid=1001(amd_miek) gid=0(wheel) groups=0(wheel),5(operator)
>
> -rwsr-sr-x 1 root wheel 394 27 сен 10:58 957.dlna_update*
>
> sh -x 957.dlna_update
> + a=''
> + /usr/local/etc/rc.d/minidlna stop
> kill: 10786: Operation not permitted
> + /usr/bin/logger -t minidlna 'Error. Failed to update DB.'
> + exit 1
>
> What is the best way to run it via WEB?

You can't setuid a shell script. The executable is actually '/bin/sh', which just
reads the shell script. So you would need to setuid /bin/sh, which is a security
problem.
You can use sudo to do this. (/usr/ports/security/sudo)

Ronald.
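
One way to apply the sudo suggestion above, as an added example that is not from the thread: the web server user (assumed here to be "www", the FreeBSD default) gets a sudoers rule for that one script with no arguments, and the PHP side invokes it with a fixed command line that carries no request data. The sudo path, the sudoers.d directory and the script path are assumptions taken from the ports sudo and from the message above.

```php
<?php
// Added example (not code from the original thread). Assumptions: the web
// server runs as "www", sudo is installed from /usr/ports/security/sudo, and
// the main sudoers file has "@includedir /usr/local/etc/sudoers.d" so the
// drop-in below is read.
//
// Drop-in for /usr/local/etc/sudoers.d/minidlna (create with
// "visudo -f /usr/local/etc/sudoers.d/minidlna", mode 0440):
//
//   www ALL=(root) NOPASSWD: /etc/periodic/daily/957.dlna_update ""
//
// The trailing "" tells sudo to allow the command only with no arguments.
// Because the script runs as root, it must be owned by root and not be
// group- or world-writable; the setuid/setgid bits shown in the thread do
// nothing for a script and should be removed (chmod 0755).

const SUDO   = '/usr/local/bin/sudo';
const SCRIPT = '/etc/periodic/daily/957.dlna_update';

function run_dlna_update()
{
    // Fixed command line: nothing from $_GET/$_POST is interpolated here.
    // -n makes sudo fail immediately instead of waiting for a password when
    // the sudoers rule is missing or does not match.
    $cmd = escapeshellarg(SUDO) . ' -n ' . escapeshellarg(SCRIPT) . ' 2>&1';
    $output = array();
    $status = 1;
    exec($cmd, $output, $status);
    return array(
        'ok'     => ($status === 0),
        'status' => $status,
        'output' => $output,   // logger messages from the script, if any
    );
}

// Put this endpoint behind the application's own authentication first: the
// sudoers rule limits *what* www may run as root, not *who* may trigger it.
header('Content-Type: text/plain');
$result = run_dlna_update();
echo $result['ok']
    ? "minidlna rescan finished\n"
    : "rescan failed (exit " . $result['status'] . ")\n";
```

Test the rule from a shell as the web user first (`su -m www -c '/usr/local/bin/sudo -n /etc/periodic/daily/957.dlna_update'`); if sudo prints a permission error there, the problem is the sudoers entry, not PHP.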

