LinuxQuestions.org

ALInux 11-05-2005 04:37 AM

Root privileges with PHP

If I want to execute the following script:

<html>
<?php
// Run adduser through the shell and capture stdout and stderr together.
$command = shell_exec('/usr/sbin/adduser 2>&1');
echo "<pre>$command</pre>";
?>
</html>

I get the following output:
adduser: Only root may add a user or group to the system.

So what are the possible solutions to this problem? Note, however, that I do not want to sudo the adduser command, since I have about 20 commands that I will have to execute in a similar fashion; sudoing them would be silly... or not?

sayers 11-05-2005 04:49 AM

Well, Apache (or whatever server you are using) is what runs PHP, and Apache runs as user nobody, so it's executing your commands as "nobody".

I wouldn't use sudo, because that would mean putting your root password into a PHP script viewable by all other users on your server.

Is it just you on the server, or a lot of people? The problem is that if you allow php to run commands as root without authentication, anyone else can do the same.

An insanely insecure way of doing it would be to make apache run as root, but that would mean that if someone found a hole in apache, instead of being able to run commands as "nobody", they could run them as root, which is a lot more dangerous.

I'll think about it, but I don't see a way round it atm. Here are some alternatives:

If you just want an online login system, but were thinking of using real accounts for this, I would recommend doing it in MySQL.
If you're making a remote admin system for your Linux box, I would recommend installing webmin, which runs its own server on port 10000, and works well.

fouldsy 11-05-2005 06:18 AM

Actually, using sudo works fine and doesn't expose the root password at all. Simply add the user Apache is running as, often www-data, to your sudoers file along with the commands you wish this user to execute. You can set it so there is no password prompt; depending on what commands you are executing, this might not be a good idea though. Check out http://www.courtesan.com/sudo/ for more info.

cs-cam 11-05-2005 07:02 AM

You would want to be doing every possible check under the sun on any text input that gets thrown into a string that has sudo at the front. Care to let us know why you want to use a PHP script to add a user on your machine? We might be able to think of a better way of doing this that'll keep you safe and still happy :)

ALInux 11-05-2005 07:53 AM

Actually I got this one figured out... Hm, let's say that I will graduate this year from uni in IT, and I got into a training program in a company, and to prove myself they want me to create a "FULL" web interface for their modified Debian box that they sell to their clients.
I do not know PHP and my Linux knowledge is that of an experienced user.
Anyhow, I learned PHP and I am trying to link PHP with Linux at the time being... the biggest problem is that of setting "who is allowed to do what".

ALInux 11-05-2005 07:55 AM

To fouldsy: can you give me an example please, or just check the line below:

Add a line to /etc/sudoers

[in /etc/sudoers]
www ALL=(ALL) NOPASSWD: /sbin/useradd

fouldsy 11-05-2005 08:21 AM

An example from one of my boxes is
Code:

Cmnd_Alias DG=/etc/init.d/dansguardian
www-data ALL=(ALL) NOPASSWD:DG

As mentioned before though, and also pointed out by cs-cam, whether you'd want to do this with passing a string based on what the user enters is highly debatable. I use sudo to restart DansGuardian + Squid on my boxes, that's about it - it's coded into the script and so doesn't accept any parameters from the user. I think I'd be a bit unsure about letting people type their own input to pass to my box, even with something basic like useradd.

ALInux 11-05-2005 08:53 AM

Just one more dummy question. In the line
Cmnd_Alias DG=/etc/init.d/dansguardian

what should I insert instead of dansguardian, or to put it another way, what does dansguardian refer to?

ALInux 11-05-2005 09:07 AM

Sorry for the dumb question, I checked it and I've got it figured out.

fouldsy 11-05-2005 09:08 AM

Cmnd_Alias sets up an alias to your command. For add user, you could do "Cmnd_Alias AU=/usr/bin/useradd". It simply means when you declare the commands your user is able to run as root, you use the alias rather than the full command, in case you need to provide extra commands to run as root. In my example, DansGuardian is a content filtering system, hence DG as the alias and the path to the DansGuardian control script.

cs-cam 11-05-2005 04:08 PM

Maybe they're testing your initiative. Tell them to apt-get install webmin :p

btmiller 11-05-2005 04:51 PM

Another problem here is that now, if someone uses a vulnerable PHP or CGI script to get a shell as the www user, they can use adduser to create an account with UID 0 and give themselves root on your box. This is not good. I once had to do something kind of like this, and what I did was have the apache user call a suid executable (accessible only to apache) that I had written in C that actually added the user. This wrapper program checked that we weren't trying to add a superuser or other system user. This way also makes it unnecessary to do anything with sudo.

As others have said, be very very careful with stuff like this. Simple mistakes can allow anybody surfing by on the net to break into your system.
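
The checks described in the post above, sketched as an added example (it is not btmiller's program and not code from this thread): a small C helper that accepts only a conservative username, refuses any name that already exists (root and system accounts included), and runs useradd with a fixed argument vector and no shell. The function names, the name pattern and the /usr/sbin/useradd path are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum verdict { REQ_OK, REQ_BAD_NAME, REQ_EXISTS };

/* Accept only [a-z][a-z0-9_-]{0,30}: a leading '-' would be parsed by
 * useradd as an option, and nothing a shell would interpret gets through. */
int name_is_safe(const char *name)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz0123456789_-";
    size_t len = name ? strlen(name) : 0;

    if (len == 0 || len > 31 || name[0] < 'a' || name[0] > 'z')
        return 0;
    return strspn(name, allowed) == len;
}

/* Refuse malformed names and any name already in the passwd database
 * (root and every existing system account included). */
enum verdict check_request(const char *name)
{
    if (!name_is_safe(name))
        return REQ_BAD_NAME;
    return getpwnam(name) ? REQ_EXISTS : REQ_OK;
}

int main(int argc, char **argv)
{
    if (argc != 2 || check_request(argv[1]) != REQ_OK) {
        fputs("request refused\n", stderr);
        return 1;
    }
    if (setuid(0) != 0) {   /* succeeds only when installed setuid root */
        perror("setuid");
        return 1;
    }
    /* Fixed argv and environment: the caller supplies the name only, so it
     * cannot pass a UID, group or shell option, and no shell is involved.
     * The useradd path below is an assumption; adjust it per system. */
    char *const args[] = { "useradd", "-m", "--", argv[1], NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve("/usr/sbin/useradd", args, envp);
    perror("execve");
    return 1;
}
```

Because the helper never forwards caller-supplied options, useradd assigns the UID itself from its configured range; the only value that crosses the privilege boundary is the validated name.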

ALInux 11-06-2005 03:14 AM

Actually, there will be no access through the Internet... it is an intranet application. Concerning webmin, he does not like it for whatever reason. Concerning security, I will surely check everything twice at least, and the www-data is only like this for the time being; I will change that in the end.
P.S. Did any of you guys hear of suExec?

fouldsy 11-06-2005 04:11 AM

suExec is mainly for CGI scripts. Does the same kinda thing as sudo through a PHP interface. Check out http://httpd.apache.org/docs/1.3/suexec.html for more info.

ALInux 11-07-2005 04:53 AM

To Fouldsy

I edited my visudoers file as follows (is this right?):

# Host alias specification

# User alias specification
User_Alias OWNER = www-data
# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL
OWNER ALL= NOPASSWD: ALL


Because when I try to execute reboot, the system responds with "must be superuser".

