How to run a program as root.
When a form is submitted from the web, I want to run a program on my linux server to process the submitted data.
Unfortunately, that program must be run as root, but my web server only runs under the user apache. How do I temporarily switch to root just to run the program in question? Thx. |
Code:
su -c "program" |
You should be aware that processing web forms with a program that has root privileges is very insecure. There's probably a better way to accomplish what you want. If you'd explain what you want to do, I'm sure someone would find a more secure way to set things up.
Regards, Lotharster |
Quote:
I guess I can just test it out and see what happens. |
Yes, it does require a password.
No, you didn't specify that passwordless login was required. The idea that an anonymous web user has access to a root account at any point is just asking for ownage, sorry. |
Quote:
Let's say the command to add a new email address is: {mail server home}/bin/vadduser web_data where web_data is the email address submitted from the web. What's the worst that could happen? |
What I'd do is set up sudo. You can specify that the apache user may only execute certain commands as root, and can even configure passwordless access.
|
I would suggest not trying to reinvent a (flawed from the start) wheel but look into existing SW. It saves you headaches and probably a server, and in return you also get a (hopefully) tried and tested tool, support, etc, etc. There must be packages for just doing that on Freshmeat and Sourceforge.
|
What about chrooting the apache environment and letting apache run as root?
Or, even better, setting up your mail system to run as the apache user (or some other non-privileged user)? I have no idea what mail system you're using, but that's probably the way I would have tried to solve it... |
I see your point here. However, newaccount ; /usr/bin/rm -rf / clearly won't be acceptable as an email address. An email address has a narrow definition of acceptable characters.
So, while your point is good in general, in my particular case it doesn't apply. So, once again, I ask: if I run as root {mail server home}/bin/vadduser web_data where web_data is the email address submitted from the web, what's the worst that could happen? |
Here is what I did finally:
I edited the /etc/sudoers file with visudo and added the line:
Code:
apache ALL=(root) NOPASSWD: {mail server home}/bin/vadduser
So now in my PHP script, I can do:
Code:
sudo -u root {mail server home}/bin/vadduser web_data
At least now only the program vadduser can be run as root by apache. Is this still risky? Better ideas welcome. |
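The sudo approach suggested above and the sudoers entry in the post just before this one both hinge on what web_data is allowed to contain. The following is an added example, not code from the thread or from vpopmail: a small wrapper script that the web server calls through sudo instead of calling vadduser directly, so that the allowlist check runs as part of the privileged step and cannot be skipped by invoking vadduser with other arguments. The paths /var/vpopmail/bin/vadduser (standing in for "{mail server home}/bin/vadduser") and /usr/local/bin/add_mailbox.sh are assumptions, as is the matching sudoers line shown in the comment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout:
#   wrapper installed as /usr/local/bin/add_mailbox.sh (root-owned, mode 0755)
#   mail server home is /var/vpopmail (placeholder for "{mail server home}")
# Matching /etc/sudoers entry, added with visudo (assumed):
#   apache ALL=(root) NOPASSWD: /usr/local/bin/add_mailbox.sh
# Only the wrapper is granted to apache, so the validation below always runs
# before anything executes as root.

VADDUSER=/var/vpopmail/bin/vadduser   # assumed location of vadduser

# validate_email ADDR
# Returns 0 if ADDR is an acceptable mailbox address, 1 otherwise.
#  - rejects a leading '-' so the value can never be read as an option
#  - rejects any character outside a conservative allowlist (this also
#    rejects spaces, ';', quotes and newlines, which grep alone would not)
#  - caps the length and then checks the local@domain.tld shape
validate_email() {
    addr=$1
    case "$addr" in
        -*) return 1 ;;
        *[!A-Za-z0-9._%+@-]*) return 1 ;;
    esac
    [ "${#addr}" -le 254 ] || return 1
    printf '%s' "$addr" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# add_mailbox ADDR
# Validates ADDR and, only if it passes, runs vadduser with ADDR as a single
# argument. The address is never handed to a shell for re-parsing.
add_mailbox() {
    validate_email "$1" || { echo "add_mailbox: rejected address" >&2; return 2; }
    "$VADDUSER" "$1"
}

# When executed as the installed script (e.g. "sudo /usr/local/bin/add_mailbox.sh ADDR"
# from PHP), process the first argument; when sourced, only define the functions.
if [ "${0##*/}" = "add_mailbox.sh" ]; then
    add_mailbox "$1"
fi
```

From PHP the call would then be `sudo /usr/local/bin/add_mailbox.sh` followed by the address wrapped in escapeshellarg(), and the sudoers entry names the wrapper rather than vadduser. The address check is deliberately an allowlist of the shape "what may appear", not a blocklist of known-bad strings; a rejected value is logged to stderr, which under Apache lands in the error log and gives you a detection point for probing.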