Does apache or mod_php cause a SUID flag to be ignored when using the shell_exec command from a web accessed PHP script?

I'm trying to allow a web accessible PHP script to rename some files which the apache user does not have write access to. I don't want to give it access to write these, as I only want one controlled script to be able to do this. I'm trying to avoid SUDO and the config needed or the headache/insecurity of using a queue called from a privileged user's cron, and it seemed like I should be able to use SUID to accomplish this.

If you need more info, I've got a similar question open over here, but I think it's too detailed and people are not seeing what I'm asking.

https://stackoverflow.com/questions/6432931/suid-issues-with-php-apache

  • Hmmm.. It appears that SUID is only going to have an effect if it's a binary; further calls to the shell will be executed as the user who called the original. Guess it's SUDO then. Anyone care to chime in and agree? – profitphp Jun 21 '11 at 23:41
  • I believe you are correct... I *think* for SUID to be meaningful in a bash script, for instance, /bin/bash would have to be SUID. sudo is your better bet (in fact, sudo is almost _always_ better than SUID--even for binaries) – Flimzy Jun 21 '11 at 23:48
  • And suid will have absolutely no effect on a PHP script parsed by the webserver - only one invoked from the shell. – symcbean Jun 22 '11 at 11:59
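
Added example, not part of the original thread: a minimal compiled helper in C of the kind the comments above point to, since the kernel honours the setuid bit on a binary but not on an interpreted script. `BASE_DIR`, `is_safe_name` and `rename_in_dir` are hypothetical names chosen for illustration; the same input validation applies whether the helper is installed setuid or run through sudo.

```c
/* Constructed example: privileged rename helper limited to one directory. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BASE_DIR "/srv/example/files"   /* hypothetical path, not from the thread */

/* Accept only a plain file name: no path separators, no dot-files, no leading
   dash, bounded length, conservative character set. Returns 1 if acceptable. */
int is_safe_name(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    return strspn(name, ok) == len;
}

/* Rename `from` to `to` inside `dir` only, relative to a directory handle so
   the caller cannot steer the operation elsewhere. Returns 0 or -1. */
int rename_in_dir(const char *dir, const char *from, const char *to)
{
    int dfd, rc;
    if (!is_safe_name(from) || !is_safe_name(to)) return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    rc = renameat(dfd, from, dfd, to);
    close(dfd);
    return rc == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s OLDNAME NEWNAME\n", argv[0]);
        return 2;
    }
    /* Differing real and effective UIDs show the setuid bit took effect. */
    fprintf(stderr, "ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (rename_in_dir(BASE_DIR, argv[1], argv[2]) != 0) {
        fprintf(stderr, "refused or failed\n");
        return 1;
    }
    return 0;
}
```

The helper takes only two bare file names as arguments and never passes them to a shell, so the caller controls nothing beyond which entry in the fixed directory is renamed.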

2 Answers

Weird option, but maybe you can have the apache process indicate, somewhere it does have access to, what it wants - then you have a cron job or something call a script that interprets what the apache process indicated and performs the desired action.

That sounds hacky as all hell to me. But for whatever you're doing, perhaps that's the route to go. SUID sounds like a very slippery slope in terms of security. I think what I'm suggesting is a slight improvement.

James T Snell
  • Ya, I already mentioned the idea of a queue called from a privileged user's cron. I was trying to avoid that as it is hacky, and requires some place to store the 'commands' and isn't real time, etc etc. Thanks for the suggestion though. – profitphp Jun 22 '11 at 00:42

As far as I know, mod_php will always run your script as the uid of the apache user. If you'd like to serve php scripts under a different uid using apache, you could check out using fastcgi. Generic instructions here but you can (and should) search for installation instructions specific to your OS packaging system (apt / yum / etc).