Re: PHP Problem


Subject: Re: PHP Problem
From: Joshua J.Kugler (isd@as.uaf.edu)
Date: Thu Jan 23 2003 - 11:47:10 AKST


I hope I can help, since we've done the same thing.

Our solution is slightly different, since we don't use PHP, but Perl, and run
our scripts as CGIs, not as a page (as PHP does).

We use Apache with suExec enabled. Thus, the owner of the file (in this case
'asuaf') is the user as which the CGI runs. In a directory (not in the
htdocs tree) there is a directory with some suid versions of useradd,
userdel, even chsh (for enabling/disabling logins). These programs are owned
by user root and group asuaf, and chmod 770, so only user asuaf can run them.
Thus, a user add CGI is run (as asuaf), and after checking all the parameters
for safety, then calls the suid useradd with those parameters, and adds the
user.

I would not recommend this approach if you are not using suExec, because it
would mean your CGIs would be executed as the web server user, and any user
that had CGIs on the server could run the utilities. This is secure in our
case because only user asuaf can run the suid utilities.

You could write C suid wrappers that you call from PHP, but you have the same
security problems as mentioned above.

Hope that helps, and be sure to drop a line if you have any questions.

j----- k-----

On Wednesday 22 January 2003 20:52, you wrote:
> I am driving myself crazy trying to figure this out, but I have faith in
> AKLUG that someone has seen this before. I have built a bundle of Bash
> scripts that can be used to set up users on my system. I have created forms
> on my web site that eventually call these Bash scripts according to values
> received from the forms. The problem is of course Apache does not run as
> root, and the scripts run commands that require root. I have tried using a
> wrapper, I have tried adding in "<< EOF" for every command called from the
> main script, but I cannot get it to run successfully. exec(), passthru(),
> and system() all have yielded no progress. Here is the way it works:
>
> $install = "/var/www/html/scripts/add.sh user pass 1 1 1 1 1 1 0"; (for
> example) exec(''.$install.'');
>
> "/var/www/html/scripts/add.sh user pass 1 1 1 1 1 1 0";
> /var/www/html/scripts/add.sh = primary script that runs 8 other scripts
> user = username
> pass = password
> 1 1 1 1 1 1 0 = What to install (sql web email dn dns chr lan)
>
> If someone knows how to make a wrapper that you know works, or some way to
> get around this problem IN ANY WAY please help. I want any possible
> solution at this point. I have been searching how to do this for nearly 5
> non-stop hours.

-- 
Joshua Kugler, Information Services Director
Associated Students of the University of Alaska Fairbanks
isd@asuaf.org, 907-474-7601
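As an added example, not code from the thread or from ASUAF: a minimal C setuid wrapper of the kind Joshua describes (and the kind he mentions for PHP), which whitelists the username before exec'ing useradd with a fixed argument list and a scrubbed environment. The useradd path, the group name and the install mode are assumptions.

```c
/* Added example (not from the thread): a setuid-root wrapper around useradd.
 * Assumed install: owner root, group asuaf, mode 4750, so only members of
 * group asuaf (the suExec user) can run it.  Assumed path: /usr/sbin/useradd.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

#define MAX_USER_LEN 32

/* Whitelist check done before anything privileged happens.
 * Accepts portable user names only: lowercase letter or '_' first, then
 * lowercase letters, digits, '_' or '-'.  A leading '-' is never accepted,
 * so the name can never be parsed as an option by useradd.
 * Returns 1 if acceptable, 0 otherwise. */
int valid_username(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_USER_LEN) return 0;
    if (!(islower((unsigned char)name[0]) || name[0] == '_')) return 0;
    for (i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Scrubbed environment: nothing inherited from the web server or CGI. */
    char *const env[] = { "PATH=/usr/sbin:/usr/bin:/bin", NULL };
    /* Fixed argv: the caller cannot add flags, only supply the checked name. */
    char *const args[] = { "useradd", "-m", argc > 1 ? argv[1] : "", NULL };

    if (argc != 2 || !valid_username(argv[1])) {
        fprintf(stderr, "usage: %s <username>\n", argv[0]);
        return 2;
    }
    /* Make the real uid root as well; some tools refuse a mismatched uid. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve("/usr/sbin/useradd", args, env);   /* no shell involved */
    perror("execve");                         /* reached only on failure */
    return 1;
}
```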
