Date:      Tue, 8 Oct 2013 14:11:44 +0100
From:      krad <kraduk@gmail.com>
To:        Ronald Klop <ronald-freebsd8@klop.yi.org>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: Running a script via PHP
Message-ID:  <CALfReyefs1qrqen5fuiJ04vdRfozQu6rh7Z=Bxs6gtB1=Lz6LA@mail.gmail.com>
In-Reply-To: <op.w392wrwc8527sy@212-182-167-131.ip.telfort.nl>
References:  <CA%2BAz77MKoQZRdtiiHX3_88A9PJaxJC0vwHebie%2BwgdsWNNpn3g@mail.gmail.com> <58E65D87-C41C-4777-9EAA-005CE3506B6A@mac.com> <op.w392wrwc8527sy@212-182-167-131.ip.telfort.nl>

and just to be safe wrap it all up in a VIMAGE jail


On 1 October 2013 14:39, Ronald Klop <ronald-freebsd8@klop.yi.org> wrote:

> On Fri, 27 Sep 2013 23:50:02 +0200, Charles Swiger <cswiger@mac.com> wrote:
>
>> Hi--
>>
>> On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdmiek@gmail.com> wrote:
>>
>>> Hello there,
>>> It's quite off-topic, but I'm using freebsd-stable, so
>>>
>>> The problem is - running a script that requires root privileges via PHP (or
>>> probably CGI - I do not care, just want it to be secure and working).
>>>
>>
>> Unfortunately the combination of PHP, doing something which needs root, and
>> security are inherently contradictory.
>>
>> The least risky approach would be to invoke the needed command via sudo, or
>> possibly a small setuid-root C wrapper program which launches only the
>> needed script with root permissions.  Use sudo unless your C wrapper is
>> careful enough to use exec() and not system(), sanitizes $PATH and other env
>> variables, and guards against games with $IFS, shell metachars, and such.
>>
>> Regards,
>>
>
> Use sudo, because your home grown C wrapper will make all the mistakes
> which are already solved in sudo. Or will be spotted in the future in sudo
> and will never be spotted in your program.
> Chances are high that future requirements of your C wrapper will turn it
> into a little sudo.
>
> Ronald.
>
>
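
The precautions Charles Swiger lists for a setuid-root C wrapper (exec instead of system(), a fixed $PATH and environment, no shell metacharacters or $IFS games), shown as an added example that is not part of the original thread. The script path `/usr/local/libexec/webtask.sh`, the single-argument interface and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical script path, assumed root-owned and not writable by others. */
#define SCRIPT "/usr/local/libexec/webtask.sh"

/* Fixed environment handed to the script: nothing is inherited from the web
 * server, so PATH, IFS, LD_PRELOAD, ENV and similar cannot be influenced. */
static char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    "IFS= \t\n",
    NULL
};

/* Allow-list check: 1..64 chars from [A-Za-z0-9._-], no leading '-'.
 * Shell metacharacters, whitespace, '/' and '$' are rejected by omission. */
int is_safe_arg(const char *s)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t n;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return 0;
    n = strlen(s);
    return n <= 64 && strspn(s, ok) == n;
}

/* Validate the single argument, then exec the fixed script directly.
 * Returns only on failure: 2 for a rejected argument, 1 if execve fails. */
int run_script(const char *arg)
{
    char *const argv[] = { SCRIPT, (char *)arg, NULL };
    if (!is_safe_arg(arg))
        return 2;
    execve(SCRIPT, argv, clean_env);  /* no shell, no $PATH lookup */
    perror("execve");
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s name\n", argv[0]);
        return 2;
    }
    return run_script(argv[1]);
}
```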


