
I know some programs, such as Kloxo, run their PHP program as root with a lighttpd that is separate from the main Apache web server. But when I google how to have a PHP script for firewall management and run it as root, some people say you should not run a web server with root privileges.

I want to know how Kloxo does that without any problem, and what is the best solution to manage iptables with a PHP script (how to run commands in PHP `exec()` with root privileges)? Also some PHP functions, such as `fopen`, to edit files.

Amir Molaa
  • Ideally, nothing should run as `root`. If it does something that it's not supposed to, it has access to everything and can cause much more damage than if it was locked down. – G-Nugget Feb 04 '13 at 20:19
  • Web servers don't run as root. They START as root so they can bind port 80, then drop root privileges as fast as they possibly can, and run as some other user. – Marc B Feb 04 '13 at 20:21
  • http://stackoverflow.com/questions/1598231/how-to-run-php-exec-as-root – Leon Kramer Feb 04 '13 at 20:23
  • @G-Nugget But I want to run some programs such as `adduser`, or edit some privileged files, that need root privileges. What is the best solution for this situation, or how do Kloxo or Plesk do this? – Amir Molaa Feb 04 '13 at 20:24
  • @MarcB But we can compile a web server such as Apache to do this. But I want to know what the best solution is. – Amir Molaa Feb 04 '13 at 20:25
  • @LeonKramer But how about editing a file? For example, I want to edit some file in PHP with `fopen` and other functions. How should I do this? – Amir Molaa Feb 04 '13 at 20:28

1 Answer


If you want to allow a non-root user to run something like adduser as root, and you have access to edit the sudoers file (using visudo, for example), you could give the user access to use sudo for specific commands. In your sudoers file, you'd have an entry like this:

```
www-user ALL=NOPASSWD: /usr/sbin/adduser
```

This would allow the user www-user root access to /usr/sbin/adduser without having to enter a password. You could then just invoke this using your preferred method inside your script:

```php
$output = `/usr/bin/sudo /usr/sbin/adduser <other_arguments>`;
```

I wouldn't really recommend this, just because if someone compromises your webserver user account, they could create new users on your system, but if you absolutely need to have it, that's how you would do it.

WWW
  • But how about using the `fopen` function to edit some file that needs root privileges? Also, I run a separate lighttpd on servers for management software, which means other users cannot access that document root or web server user account. – Amir Molaa Feb 04 '13 at 20:43
  • You will not be able to give any PHP functions root access without running the script/interpreter as root. Do not do that. – WWW Feb 04 '13 at 21:42
  • So, what do you think about Kloxo or Plesk? How do they do that? – Amir Molaa Feb 04 '13 at 21:57
  • I'm not familiar with either product. I've never even heard of kloxo, and I have never used plesk. – WWW Feb 05 '13 at 14:59
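
Added example, not part of the original answer or comments: one way to fill in `<other_arguments>` from untrusted input without letting it reach a shell or be read as an option. The function names are hypothetical, and it assumes PHP 7.4 or later and Debian-style `adduser` options.

```php
<?php
// Added example: hypothetical helpers, not code from the original answer.
// Assumes PHP >= 7.4 and Debian-style adduser options.

function build_adduser_argv(string $username): array
{
    // Allow-list: the name cannot start with '-', so it can never be
    // parsed as an option, and it contains no shell metacharacters.
    if (!preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $username)) {
        throw new InvalidArgumentException('rejected username');
    }
    return [
        '/usr/bin/sudo', '-n',            // -n: fail rather than prompt
        '/usr/sbin/adduser',              // same path as the sudoers entry
        '--disabled-password', '--gecos', '',
        $username,
    ];
}

function run_adduser(string $username): array
{
    $argv = build_adduser_argv($username);
    $spec = [
        0 => ['null'],                    // no stdin
        1 => ['pipe', 'w'],
        2 => ['redirect', 1],             // merge stderr into stdout
    ];
    // Array form: PHP executes the program directly, no /bin/sh involved.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start sudo');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

// Constructed inputs: only the first is accepted; nothing is executed here.
foreach (['alice', 'bob; id', '--system', "eve\n"] as $candidate) {
    try {
        build_adduser_argv($candidate);
        echo json_encode($candidate), " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($candidate), " rejected\n";
    }
}
```

The validation only limits what this script passes; the sudoers entry above still lets the web server account run `/usr/sbin/adduser` with any arguments.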