how to run cmd as root from apache (centOS)?
I'm trying to run the "useradd" command in CENTOS but I can't because I need root permissions.
In my php开发者_如何学C_info();
I have '--disable-posix'. I have tried to re-install my PHP, and tried to enable the posix with yum and more options, but no luck.
Can someone help me to make the posix enable or some other solutions? I notice that posix_getuid();
is working, but posix_setuid();
is not.
Any solution?
All I need to insert useradd
into passwd(root) command by "user click". What is the best and most secure way to do this?
Thanks a lot!
Koren Or
You want to read the suEXEC documentation: http://httpd.apache.org/docs/2.2/suexec.html Then rethink how your application work and figure out a better/safer way.
You could use sudo
for doing this.
run visudo
and put something like
apache ALL = (ALL) NOPASSWD: /usr/sbin/useradd
Actually if you have SELINUX enforced it will not work, and instead of using useradd I would recommand writing a wrapper script which sets properly the environment and does sanity checks before running useradd
I'd suggest to write a shell script which will call useradd via sudo.
You can add specific commands for specific users to /etc/sudoers (edited by visudo command)
Should be something like this:
Cmnd_Alias USERADD = /bin/sbin/useradd *
apache ALL=(USERADD) NOPASSWD:USERADD
calling useradd:
sudo /usr/sbin/useradd USERNAME
Do not forget to validate your input in both php script and shell script.
Sudo could be a quick hack to implement this quickly, but it is hard to secure and there are pitfalls even for the experienced unix guru.
A different way is to write your own server daemon, running as root, listening to a local unix domain socket, or a named pipe, or simply to look for files in a certain protected directory. Then message this daemon from your php script with the user name to add. Implement only the bare minimum application functionality in this daemon, and everything else in php. But do strong input checks in your daemon, sanitize your environment, etc, to be really sure it is the php app calling, not someone else.
Sudo needs to be run interactively (it expects a password)
You shouldn't be granting root access in any way to the web server.
Suexec is an alternative, but you could also just have the web script write to a file and have a cron job that parses the file and processes the commands
精彩评论