[prev in list] [next in list] [prev in thread] [next in thread] 

List:       php-general
Subject:    Re: [PHP] Getting root privs
From:       Ashley Sheridan <ash () ashleysheridan ! co ! uk>
Date:       2010-04-30 14:55:26
Message-ID: 1272639326.2752.52.camel () localhost
[Download RAW message or body]


On Fri, 2010-04-30 at 20:23 +0530, Nilesh Govindarajan wrote:

> On 04/30/2010 08:12 PM, Ashley Sheridan wrote:
> > On Fri, 2010-04-30 at 10:40 -0400, Paul M Foster wrote:
> >
> >> On Fri, Apr 30, 2010 at 12:11:17PM +0530, Nilesh Govindarajan wrote:
> >>
> >>> On 04/30/2010 11:26 AM, Jim Lucas wrote:
> >>>> Nilesh Govindarajan wrote:
> >>>>> Hi,
> >>>>>
> >>>>> As you know there are lot of control panels lying around like Cpanel,
> >>>>> Lxadmin, most of them based on PHP. The control panels allow editing of
> >>>>> system files which requires root privileges, can somebody tell me how to
> >>>>> gain root privileges inside the script so that it can be useful if I
> >>>>> want to give my users a DNS editing interface instead of loading a big
> >>>>> bloated control panel.
> >>>>>
> >>>>
> >>>> We use an interface that writes everything to a DB. Then, every 5
> >>> minutes, a
> >>>> cron job comes around and dumps the db and builds the zone files for us.
> >>>>
> >>>> Might try something similar.  It would be a lot safer then giving
> >>> root access
> >>>> via PHP... :)
> >>>>
> >>>
> >>> Hmm that's a great idea. But my question is in general, suppose I get
> >>> some freelance job to write a control panel for managing httpd, etc.
> >>>
> >>> Same procedure can be used ? I think so ?
> >>
> >> If you can find an open source control panel (like webmin), you could
> >> download the code and examine it.
> >>
> >> Paul
> >>
> >> --
> >> Paul M. Foster
> >>
> >
> >
> > You could use exce() to run a sudo command (piping the password through
> > to it or add the apache user into the sudoers list) to run things at the
> > root level. You must be very very careful with this though, and only use
> > it as a last resort if you absolutely have to, as any sort of
> > vulnerability in your script could compromise your entire server.
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
> >
> 
> That was what my basic idea about implementing it, but just put up a 
> discussion here to see if there is really any other method except sudo- 
> and there is that cron one as suggested by Jim Lucas.
> 
> -- 
> Nilesh Govindarajan
> Site & Server Administrator
> www.itech7.com
> मेरा भारत महान !
> मम भारत: महत्तम भवतु !
> 


To make things a little bit more secure when using exec() you could call
a series of custom Bash scripts which you can have set up to only accept
certain ranges of parameters, which would avoid someone passing a string
like "&& nasty_command here" to the command line.

Thanks,
Ash
http://www.ashleysheridan.co.uk




[prev in list] [next in list] [prev in thread] [next in thread]