
This is an Ubuntu system and I need PHP to execute a program under a specific username, let's say userA.

I used the PHP exec() function to call sudo -Eu userA command_to_run_program, but it did not work because of some security features or missing environment variables on Ubuntu.

So I'm wondering whether this alternative approach can be achieved:

On the back end, there is a shell script with a fixed PID running and waiting for signals. If this process receives a specific signal, it executes the program. Let's say I manually started this shell script as userA. So I assume that when it receives the signal and executes the program, the program is executed as userA.

And there is an Apache server with PHP on this machine. The front-end user goes to the PHP page, and the PHP program sends the signal to the running shell script, waking it up, and thus the program is executed by userA.

If it can be achieved, what is the best practice to do so?

Thanks for your help!

  • Best practice is probably to solve the environment variables or security features rather than build a complicated mess of signals and helpers! – Mark Setchell Mar 02 '16 at 17:17
  • Related: https://stackoverflow.com/questions/10976915/bash-script-execution-from-php-and-instantaneous-output-back-to-webpage – Jesse Nickles Jul 24 '22 at 20:36

1 Answer


In other words, you need some kind of privilege escalation from the user account of the webserver to a (specific?) different user. This has security implications, but I assume that you have considered the possibilities.

Anyhow, the following steps should work:

  • Create a program (albeit just a shell script) that runs the corresponding code.
  • Put the program into a place where the webserver can access it.
  • Make the target user the owner of the program and set the SUID bit. That way, executing it will cause it to run under the user's account.
  • Make the webserver group the group of the program and only allow it (not other users) to run the program via the executable bit.

See the manpages of chown and chmod for further info.

Ulrich Eckhardt
  • Thanks for your reply. Can you explain why "Make the target user the owner of the program and set the SUID bit." would "That way, executing it will cause it to run under the user's account." ? – Shiqi Zhong Mar 02 '16 at 19:43
  • Check out https://duckduckgo.com/?q=file+owner+chown and https://duckduckgo.com/?q=suid+bit+chmod. – Ulrich Eckhardt Mar 02 '16 at 19:45
  • For example, put "whoami" into a shell script. It won't always output the owner of the script; instead, it prints the user who executed this shell script. – Shiqi Zhong Mar 02 '16 at 19:46
  • I read the articles and it's still not clear how to do that. Could you please give an example? The webserver's user/group is www-data:www-data. The shell script's user/group is userA:userA. The command inside the shell script can only be run as userA. So how do I set the SUID bit for the shell script so that the webserver can execute it with userA's permissions? Thanks! – Shiqi Zhong Mar 02 '16 at 20:00
  • Take the whoami example. If I add u+s to the whoami program, then it prints the username of the program owner. But if I put whoami into a shell script and do u+s, it won't print the username of the shell script owner. – Shiqi Zhong Mar 02 '16 at 20:10
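The behaviour observed in the last comment is expected: the Linux kernel ignores the SUID bit on interpreted scripts (files starting with "#!"), so the chown/chmod scheme from the answer only works when the SUID file is a native binary. The following compiled wrapper is an added example, not code from the original post or from either participant; it assumes the names userA, www-data and the target path /usr/local/lib/userA/run_program.sh, and shows the hardening a SUID launcher needs: a fixed target with no argument pass-through, a fixed environment (so the caller cannot steer the target via PATH or LD_PRELOAD), a check that the target script is owned by userA and not writable by others, and a full privilege switch with setresgid/setresuid before exec.

```c
/*
 * suid_launch.c: compiled SUID launcher for the chown/chmod scheme above.
 * Added example; names and paths are assumptions, not from the original post.
 *
 * Deployment (as root):
 *   gcc -O2 -Wall -o /usr/local/bin/suid_launch suid_launch.c
 *   chown userA:www-data /usr/local/bin/suid_launch
 *   chmod 4750 /usr/local/bin/suid_launch      # u=rwxs, g=rx, o= (nothing)
 * PHP then calls exec('/usr/local/bin/suid_launch') and the script runs as userA.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Fixed, absolute target: the web tier cannot choose what runs. (Assumed path.) */
#define TARGET "/usr/local/lib/userA/run_program.sh"

/* Fixed environment: nothing inherited from www-data (PATH, LD_*, IFS, ...).
 * HOME is an assumed value for userA. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "HOME=/home/userA",
    NULL
};

/* Expected on-disk mode of the launcher: SUID set, owner and group may
 * execute, world gets nothing, and only the owner may write (a group- or
 * world-writable SUID binary lets anyone in that group replace the code
 * that runs as userA). Returns 1 if mode m satisfies all of that. */
int mode_is_safe(mode_t m)
{
    if (!(m & S_ISUID)) return 0;
    if (!(m & S_IXUSR) || !(m & S_IXGRP)) return 0;
    if (m & S_IRWXO) return 0;
    if (m & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* The target script must be a regular file owned by the launcher's owner and
 * not writable by group or others; otherwise www-data could edit what runs
 * as userA. Returns 1 if the (mode, owner) pair is acceptable. */
int target_is_trusted(mode_t mode, uid_t file_owner, uid_t expected_owner)
{
    if (!S_ISREG(mode)) return 0;
    if (file_owner != expected_owner) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* 1 if the SUID mechanism is in effect (effective uid differs from real uid). */
int suid_in_effect(void)
{
    return geteuid() != getuid();
}

/* Make the owner's ids real, effective and saved, so the target and anything
 * it spawns run entirely as the owner and cannot switch back to www-data.
 * gid first, while still privileged. (Supplementary groups of the caller
 * remain: setgroups() needs CAP_SETGID, which a non-root SUID binary lacks.) */
int become_owner(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Verify the switch actually stuck before trusting it. */
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argv;
    /* No argument pass-through: nothing from the request reaches the target. */
    if (argc != 1) {
        fputs("usage: suid_launch (takes no arguments)\n", stderr);
        return 2;
    }
    struct stat st;
    if (stat(TARGET, &st) != 0) {
        perror("stat target");
        return 1;
    }
    if (!target_is_trusted(st.st_mode, st.st_uid, geteuid())) {
        fputs("refusing: target is not a regular file owned by launcher owner, or is group/world writable\n", stderr);
        return 1;
    }
    if (become_owner() != 0) {
        perror("setresgid/setresuid");
        return 1;
    }
    execle(TARGET, TARGET, (char *)NULL, SAFE_ENV);
    perror("execle");   /* only reached if exec failed */
    return 1;
}
```

Because the script itself never carries the SUID bit, the "whoami in a script" test from the comments gives the expected result through this launcher: the kernel switches the effective uid when the binary is executed, become_owner() makes that switch permanent, and the script inherits it. The chmod 4750 / chown userA:www-data pair is exactly the answer's recipe; mode_is_safe() encodes it so an operator can verify the deployed mode against a stat of the file.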