write a PHP code to run some command as ROOT ???

tritong · 02-16-2006, 09:44 PM

I'm trying to write PHP code to run shel command, but there're some command I used must be run AS ROOT.
For example:

Code:

shell_exec("ifconfig eth0 down");

I know the problem is the user apache hasn't root privileges to run it.
Is there any solution ??
Help me.

arsham · 02-16-2006, 10:06 PM

You can make a daemon that runs under root previlege and waits for a connection from localhost , then run the raw command
this by itself is a security hole

tritong · 02-17-2006, 12:53 AM

Thanks, but is there another way that's more secure than make a daemon?

arsham · 02-17-2006, 01:06 AM

you can sit behind xinetd , most of daemons do like this
see man pages for inetd and xinetd
but still I'm not sure about security
I will search for this and will let you know if I find any solution , but keep searching

Regards
Arsham

tritong · 02-17-2006, 04:30 AM

Thank you Arsham.
I think I can make it a daemon and wait for connection to run sepecific commands but password is required. And the web UI must also need username and password to access it. I may try to secure them by SSL.
But I feel this solution is unsafe. So if there is better solution, please tell me soon.

arsham · 02-17-2006, 10:07 AM

Kernel doesn't let you to post the root password , I mean you have to sit in front of the computer or ssh/telnet it and open a shell to login as root
you must limit the access of the daemon to localhost , for reson of security

Regards

95se · 02-17-2006, 10:18 AM

Perhaps this would work... Write a script/program to run the command for you, set the owner to root and as root run chmod 4755 on it. This makes it run as the user who created it, i.e. root.

graemef · 02-17-2006, 10:35 AM

If you know what the commands are you could set them up in a sudoers file, and then get php to call the command via sudo.

tritong · 02-22-2006, 01:41 AM

I wrote a C program like this (for test only)

Code:

/* test.c */
#include <sys/types.h>

#include <stdio.h>
#include <pwd.h>
#include <unistd.h>
#include <assert.h>
#include <errno.h>
#include <string.h> 

static char* usage="Usage: %s <command> [option] \n";

int err(char *, int);

int main(int argc, char* argv[])
{	
	int max=0,
	    check=0;

	if(argc<2)
	{
		printf(usage, argv[0]);
		return 1;
	}
	
	check = seteuid(0);
	if(check)
		return err("Set UID", 1);
	check = setegid(0);
	if(check)
		return err("Set GID", 1);

	if(argc>2)
	{
		max = argc;
		char *argl[max-1];
		
		int i, j=0;
		for(i=1; i<max;i++)
		{
			argl[j] = malloc(strlen(argv[i]));
			argl[j] = argv[i];
			j++;
		}
		argl[j] = NULL;

		check = execvp(argv[1], argl);
		if(check)
			return err("Run command", 1);
		
		return 0;
	}
	/*else: agrc=2*/
	char *argl[1];
	argl[0] = argv[1];
	argl[1] = NULL;
	check = execvp(argv[1], argl);
	if(check)
		return err("Run command", 1);
return 0;
}

int err(char* mess, int exitCode)
{
	perror(mess);
	return exitCode;
}

Compile it:

Code:

$gcc -o test test.c

Then, I change permission for it (as root):

Code:

$chmod +s test

Then I change to another user right and type

Code:

$test ifconfig eth0 down

It work OK.
But when I run it by PHP

Code:

<?php
shell_exec("test ifconfig eth0 up");
?>

I does nothing ???
Why???

tritong · 02-22-2006, 02:14 AM

I added apache user to the sudoers too but it's no use!!!

Code:

%apache         ALL=(ALL)       NOPASSWD: ALL

arsham · 02-22-2006, 03:15 AM

buddy
in your program , listen to a port , then after recieve the proper command , run the command via your daemon ( whick has root access )

then via PHP open a socket and send your command to the program which is listening

regards

tritong · 02-22-2006, 08:46 PM

I'm doing what you said.
Thanks bro

german · 02-22-2006, 10:04 PM

it's a good thing nobody in this forum knows how to find tritong's webapp on the internet... it would be pwned in about 3 seconds

tritong · 02-22-2006, 10:48 PM

This web application is for testing purpose only. So, I'm not afraid of hacking.