
SUID issues with PHP + Apache

Ok, not sure what I am missing here. I'm trying to rename some files with a web accessible PHP script, without giving world write permissions on those files. So I'm trying to use SUID on a PHP script (also tried a shell script).

There are three users which come into play, we'll call them APACHE, MATT, and BRIAN. There is also a group called WEBDEV, which MATT and BRIAN are in. There are two files which need to be renamed. One is owned by MATT, the other by BRIAN. Both files' group owner is WEBDEV.

-rw-rw-r-- 1 MATT  WEBDEV 126179 Jun 20 12:03 g5g55.jpg
-rw-rw-r-- 1 BRIAN WEBDEV  41588 Jul 14  2006 g2g22.jpg

So my PHP script to be accessed in browser, called rename.php, runs as APACHE. It cannot rename either of these files. Naturally. So the first thing I tried, which I didn't assume would work anyways, was to SUID the PHP script as MATT.

su MATT
chmod u+s /path/to/rename.php   # also tried g+s

As I expected, no dice. So I wrote a 2nd script, called move.php.

#!/usr/bin/php
<?php
// code to move file (e.g. rename())

Then SUID that script.

su MATT
chmod u+s /path/to/move.php   # also tried g+s

Then from the original web accessed script, rename.php, I call:

shell_exec('/path/to/move.php');

I had higher hopes for this one, no dice again. So I figure it's not working due to the PHP interpreter or Apache again. Now I try the same thing, but with a new shell script called move.sh being exec'd from rename.php.

#!/bin/bash
# code to move file (e.g. mv)

And again it doesn't work. If I exec the files move.php or move.sh from the shell as MATT, it works fine. Not sure why this isn't working, or how I can make it work with SUID, rather than using sudo or setting up some sort of queue that could be called from the properly privileged user's cron. What is the best way to handle this? Thanks in advance.

UPDATE

Got it figured out for anyone who stumbles on this later. SUID doesn't work for shell scripts on my distro (or most for that matter). Any subsequent commands called from a shell script will be run as the original user who launched it, not the user who set the SUID bit. This applies for PHP and any exec calls you make too, you'd have to set the SUID bit on /usr/bin/php, which is obviously a very bad idea. Or you can wrap your shell script in a C binary using a system call. I'm going to use SUDO.

Related info: https://serverfault.com/questions/282835/apache-mod-php-ignores-suid
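The "wrap it in a C binary" route from the UPDATE, as an added example that is not part of the original post or of any answer. The point it demonstrates: Linux (and most Unixes) deliberately ignore the setuid bit when executing an interpreted `#!` script, so `chmod u+s` on move.php or move.sh changes nothing and the interpreter keeps running as APACHE. The kernel does honour the bit on a native ELF binary, so a small compiled wrapper owned by MATT with mode 4755 runs with MATT's effective uid when rename.php calls it. Because anything the web server passes in is attacker-influenced, the wrapper only renames plain basenames inside one fixed directory; `UPLOAD_DIR`, the binary name and the file names are assumptions for illustration.

```c
/*
 * Added example (not from the original post): a minimal setuid wrapper.
 * Build:   cc -O2 -Wall -o renamewrap renamewrap.c
 * Install: chown MATT renamewrap && chmod 4755 renamewrap   (as root)
 * Call from PHP: shell_exec('/usr/local/bin/renamewrap '
 *                . escapeshellarg($old) . ' ' . escapeshellarg($new));
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed: the only directory this wrapper may touch. */
#define UPLOAD_DIR "/var/www/uploads"

/* Accept only plain basenames made of [A-Za-z0-9._-], not starting with
 * '.', so a caller cannot smuggle in "../" or a hidden file like .htaccess. */
int valid_basename(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Join dir and a validated basename into out; 0 on success, -1 if the
 * name is rejected or the result would not fit. */
int build_path(char *out, size_t outlen, const char *dir, const char *name)
{
    if (!valid_basename(name)) return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* Rename src to dst, both confined to dir. Returns 0 on success, -1 with
 * errno set otherwise. rename(2) is a plain syscall: it consults no PATH
 * or other environment, so nothing inherited from Apache can redirect it. */
int rename_in_dir(const char *dir, const char *src, const char *dst)
{
    char from[4096], to[4096];
    if (build_path(from, sizeof from, dir, src) != 0 ||
        build_path(to, sizeof to, dir, dst) != 0) {
        errno = EINVAL;
        return -1;
    }
    return rename(from, to) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s OLDNAME NEWNAME\n", argv[0]);
        return 2;
    }
    /* Diagnostic for the exact symptom in the question: if the kernel did
     * not apply the setuid bit, effective and real uid are still the same. */
    if (geteuid() == getuid())
        fprintf(stderr, "note: euid == uid (%u); setuid bit not in effect\n",
                (unsigned)geteuid());
    if (rename_in_dir(UPLOAD_DIR, argv[1], argv[2]) != 0) {
        fprintf(stderr, "rename refused or failed: %s\n", strerror(errno));
        return 1;
    }
    return 0;
}
```

Two caveats a practitioner would check before deploying this. First, `escapeshellarg()` on the PHP side is what stops command injection through `shell_exec()`; the basename whitelist in the wrapper is defence in depth, not a substitute. Second, the wrapper never execs another program, so it does not need to scrub the environment; a wrapper that did call `system()` or `exec()` would have to reset PATH and drop LD_* variables first, and would inherit every problem the UPDATE describes.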


Have all 3 users belong to the group WEBDEV, and then change all files to be owned by APACHE, group WEBDEV:

# From your project's topmost directory:
chown -R APACHE:WEBDEV .

Give group read write access to this directory, and everything inside of it (-R = recursive)

chmod -R g+rw .

As you can see, 'nux permission schemes are very flexible and take a little bit of head-banging to get used to. Many more juicy examples here.

