Date:      Fri, 27 Sep 2013 14:50:02 -0700
From:      Charles Swiger <cswiger@mac.com>
To:        Michael BlackHeart <amdmiek@gmail.com>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: Running a script via PHP
Message-ID:  <58E65D87-C41C-4777-9EAA-005CE3506B6A@mac.com>
In-Reply-To: <CA%2BAz77MKoQZRdtiiHX3_88A9PJaxJC0vwHebie%2BwgdsWNNpn3g@mail.gmail.com>
References:  <CA%2BAz77MKoQZRdtiiHX3_88A9PJaxJC0vwHebie%2BwgdsWNNpn3g@mail.gmail.com>

Hi--

On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdmiek@gmail.com> wrote:
> Hello there,
> It's quite off-topic, but I'm using freebsd-stable, so
>
> The problem is - running a script that requires root privileges via PHP (or
> probably CGI - I do not care, just want it to be secure and working).

Unfortunately the combination of PHP, doing something which needs root, and
security are inherently contradictory.

The least risky approach would be to invoke the needed command via sudo, or
possibly a small setuid-root C wrapper program which launches only the needed script
with root permissions.  Use sudo unless your C wrapper is careful enough to use
exec() and not system(), sanitizes $PATH and other env variables, and guards against
games with $IFS, shell metachars, and such.

Regards,
-- 
-Chuck
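
A sketch of the kind of setuid-root C wrapper the message above describes, added here as an example and not part of the original e-mail. The script path, the single-argument interface and the helper name `arg_is_safe` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed path of the one script this wrapper may run (root-owned, not writable by others). */
#define TARGET "/usr/local/libexec/privileged-task.sh"

/* Fixed environment handed to the script; nothing is inherited from the caller,
 * so a hostile PATH, IFS, LD_PRELOAD or ENV never reaches the shell. */
static char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    "IFS= \t\n",
    NULL
};

/* Accept one short argument built only from [A-Za-z0-9_.]; this rejects
 * shell metacharacters, whitespace, slashes and leading-dash option tricks. */
int arg_is_safe(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.";
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    return n > 0 && n <= 64 && strspn(s, ok) == n;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || !arg_is_safe(argv[1])) {
        fprintf(stderr, "usage: %s <name>\n", argc > 0 ? argv[0] : "wrapper");
        return 64;
    }
    /* Installed setuid-root: make the real IDs root as well, and fail closed. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 71;
    }
    /* execve() runs the script directly with an explicit argv and the fixed
     * environment; no shell parses a command line as it would with system(). */
    char *const args[] = { TARGET, argv[1], NULL };
    execve(TARGET, args, clean_env);
    perror("execve");   /* reached only if execve() failed */
    return 71;
}
```

The PHP side would pass the argument as a separate argv element to this binary rather than building a shell command string.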



