14

Is it possible to run exec() as a different user (on my box it runs as www-data)? I wish to execute a script that needs access to files that are not owned by www-data.

alex
mrwooster

4 Answers

6

If you have access to the server's configuration (assuming it's Apache), you might consider using suPHP. In a virtual host's configuration you can explicitly set the user and group for which a PHP script is executed:

<VirtualHost 192.168.1.1:80>
...
suPHP_UserGroup user group
...
</VirtualHost>

This setting is available for suPHP configurations built with the --with-setid-mode=paranoid option.

Another way to change the user ID would be posix_setuid(), for which appropriate privileges are required. That would mean running your PHP scripts as root, which is a serious security issue.

Community
Linus Kleen
4

I had a similar requirement some years ago that required a few PHP scripts to talk to a serial port. The first serial port is typically /dev/ttyS0, owned by root and in the group dialout.

For my initial setup, I added my apache user to the group dialout. The PHP scripts were able to directly talk to the serial port with no problem. However, only one instance of a script could open the serial port at any one time, so this solution could not work.

I then created a daemon that provided a layer between the serial port and the PHP scripts. The PHP scripts would talk to the daemon via a named pipe, and the daemon would then format the requests and pass it onto the serial port - doing a bit of caching along the way.

So, either add www-data, or whatever your apache user is, to the group that owns those files, giving group execution permissions, or use a proxy like I had. If security concerns you, then I'd go with the latter.

Nicolas
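The proxy approach from the answer above, as an added example that is not part of the original answer: a small Python broker that runs as the owner of the files, reads one-line requests from a named pipe, and runs only allowlisted commands with validated arguments. The FIFO path, action names and script paths are assumptions made for illustration.

```python
import re
import subprocess

# Assumed for this sketch: the FIFO path, the action names and the script
# paths are hypothetical; adapt them to the real back-end scripts.
FIFO_PATH = "/run/fileproxy/requests.fifo"
ALLOWED_ACTIONS = {
    # action -> fixed argv prefix; the web side never supplies the program name
    "rotate-report": ["/usr/local/bin/rotate-report"],
    "export-user": ["/usr/local/bin/export-user", "--id"],
}
ARG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,31}")  # no '/', '.', spaces or leading '-'
MAX_LINE = 256


def parse_request(line):
    """Return the argv to run for one request line, or None if it is rejected."""
    if len(line) > MAX_LINE:
        return None
    parts = line.strip().split(" ")
    action, args = parts[0], parts[1:]
    prefix = ALLOWED_ACTIONS.get(action)
    if prefix is None:
        return None
    # A prefix ending in an option takes exactly one argument, any other takes none.
    expected = 1 if prefix[-1].startswith("--") else 0
    if len(args) != expected or not all(ARG_RE.fullmatch(a) for a in args):
        return None
    return prefix + args


def serve(fifo_path=FIFO_PATH):
    """Run as the file owner; the FIFO is created beforehand, group-writable for www-data only."""
    while True:
        with open(fifo_path, "r", errors="replace") as fifo:  # blocks until a writer opens it
            for line in fifo:
                argv = parse_request(line)
                if argv is None:
                    continue  # drop anything outside the allowlist
                try:
                    subprocess.run(argv, shell=False, check=False, timeout=30)
                except (subprocess.TimeoutExpired, OSError):
                    pass  # a failed job must not stop the broker


if __name__ == "__main__":
    serve()
```

The PHP side then only writes a line such as `export-user 42` to the pipe, so www-data never gains direct access to the files or a general-purpose command channel.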
1

No, not directly. If you are on a Linux machine and have the rights, you can set the setuid bit on your file.

Keep in mind that the webserver runs as a different user for a reason. It is a very important security mechanism and by working around it, you might cause a security vulnerability.

Daniel Hepper
0

You can change the user under which your server runs. This can be easily done using the Windows version of Apache (Apache runs there as a service and it is easy to configure the user under which Apache runs).

Which server platform do you use?

alex
Thariama
  • Am using Ubuntu Lucid. I don't want to change the user under which Apache runs as this would be a security risk, but I have created some back end apps which require access to files not owned by www-data. What about going along the lines of creating a group that contains www-data and the owner of the files? – mrwooster Jan 17 '11 at 09:32
  • That would be another option that would work. Changing the Apache user is only a security risk if you assign a user with high level permissions (like root) – Thariama Jan 17 '11 at 09:46