1

Basically what I want to achieve is running commands in a java console via php. The way I want to do this might be too far fetched, so if there is an easier way, please tell me.

So what I had in mind is using exec() or shell_exec() in php to enter the commands via a tmux session. The problem is that apache runs on www-data, and that user can't create tmux sessions (for some reason). After searching on the internet for way too long I found this. A way to execute an application as root. Even when it's executed from another user. I tried this and this obviously works, but now I would like to run commands from php via arguments. But I'm not sure if this would be unsafe because of an injection. It does require user input after all. Or do I not have to worry about this as long as I use escapeshellarg() or escapeshellcmd() in php?

Thanks in advance for the help :)

Community
  • 1
  • 1
Jespertheend
  • 1,814
  • 19
  • 27

3 Answers3

1

In scripts executed by root (thru sudo) I put the following to check the parameters being passed. I suspect you would have to examine each lines of input in the same manner, and then examine the command on each line to determine if you want to execute it or not.

It would be much safer if your server was not running as root but as some other "regular" user. So I agree that's a bad idea but if I had to do it, then I would use this:

# Check to make sure the parameters do not have special characters
security_check () {
  # echo does not execute the contents of "$@" provided it is inside
  # double quotes.
  SC_PARMS1="`echo \"$@\" | tr \"\\\`<>|\" \"xxxx\"`"
  SC_PARMS2="`echo \"$@\" | tr \"\\\`<>|\" \"yyyy\"`"
  # Can't use "$@" in if test as it executes the contents, hence we
  # must compare 2 different converted strings.
  if [ "$SC_PARMS1" != "$SC_PARMS2" ]; then
    echo "`uname -n`: Security abort in: $0 $@"
    return 1
  fi
  unset SC_PARMS1 SC_PARMS2
  return 0
}

while read line ; do
    security_check "$line"
    if [ $? = 0 ]; then
        echo "We could execute $line"
        # Now we need to check the commands we allow
        if [ "$line" = "ls" ]; then
            # This test is very rudimentary, you might need to do a set -- $line and
            # examine more than just the command ($1 at that point)
            eval $line
        fi
    fi
done

Running any kind of server as root is not a good idea. Try to see if root can be reserved for real superuser requirements, and run your applications with service accounts (i.e. non root accounts).

cpu
  • 567
  • 4
  • 6
1

Yes.

(this line in parenthesis is just to meet the minimum of 30 characters requirement.)

Vinicius Kamakura
  • 7,665
  • 1
  • 29
  • 43
0

It is safe

Provided it is properly escaped. This makes it sound much easier than it is to properly escape input and make sure that its 100% safe.

Though are you sure all of that access is needed ? You should limit the access an attacker can do if they mamange to get in somehow. Having root access is much worse than just a user account

exussum
  • 18,275
  • 8
  • 32
  • 65