From: Charles Swiger
Date: Fri, 27 Sep 2013 14:50:02 -0700
Subject: Re: Running a script via PHP
To: Michael BlackHeart
Cc: freebsd-stable
Message-id: <58E65D87-C41C-4777-9EAA-005CE3506B6A@mac.com>

Hi--

On Sep 27, 2013, at 2:18 AM, Michael BlackHeart wrote:
> Hello there,
> It's quite off-topic, but I'm using freebsd-stable, so
>
> The problem is - running a script that requires root privileges via PHP (or
> probably CGI - I do not care, just want it to be secure and working).

Unfortunately the combination of PHP, doing something which needs root, and
security are inherently contradictory.

The least risky approach would be to invoke the needed command via sudo, or
possibly a small setuid-root C wrapper program which launches only the needed
script with root permissions. Use sudo unless your C wrapper is careful enough
to use exec() and not system(), sanitizes $PATH and other env variables, and
guards against games with $IFS, shell metachars, and such.

Regards,
-- 
-Chuck
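
The setuid-root C wrapper described in the reply above, as an added example that is not part of the original message or of any FreeBSD code: it runs one fixed script through execve() with a fixed environment and rejects any argument outside a narrow whitelist. The script path, the four-argument limit and the allowed character set are assumptions chosen for illustration.

```c
#include <string.h>
#include <unistd.h>

#define SCRIPT   "/usr/local/libexec/needed-script"  /* hypothetical path */
#define MAX_ARGS 4                                   /* assumed limit */

/* The only environment the script sees: nothing is inherited from the
 * caller, so IFS, ENV, LD_* and a hostile PATH never reach the shell. */
static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Accept 1..64 chars from [A-Za-z0-9._-] with no leading '-': no shell
 * metacharacters, whitespace, path separators or option injection. */
int arg_is_safe(const char *s)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t n = strlen(s);
    return n >= 1 && n <= 64 && s[0] != '-' && strspn(s, ok) == n;
}

/* Fill out[] (MAX_ARGS + 2 slots) with the fixed script path plus the
 * validated arguments. Returns the entry count, or -1 on rejection. */
int build_argv(int argc, char **argv, char **out)
{
    int i;
    if (argc < 1)
        argc = 1;                 /* caller may exec us with empty argv */
    if (argc - 1 > MAX_ARGS)
        return -1;
    out[0] = (char *)SCRIPT;      /* argv[0] is never caller-controlled */
    for (i = 1; i < argc; i++) {
        if (!arg_is_safe(argv[i]))
            return -1;
        out[i] = argv[i];
    }
    out[argc] = NULL;
    return argc;
}

int main(int argc, char **argv)
{
    char *child_argv[MAX_ARGS + 2];
    if (build_argv(argc, argv, child_argv) < 0)
        return 64;                          /* EX_USAGE: bad argument */
    if (setgid(0) != 0 || setuid(0) != 0)   /* set real ids too, or fail */
        return 77;                          /* EX_NOPERM */
    execve(SCRIPT, child_argv, clean_env);  /* no shell, no PATH search */
    return 127;                             /* reached only if execve failed */
}
```

The script itself should be root-owned and not writable by the web server user, since the wrapper executes whatever is at that path.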