Date: Tue, 01 Oct 2013 15:39:53 +0200 From: "Ronald Klop" <ronald-freebsd8@klop.yi.org> To: freebsd-stable@freebsd.org Subject: Re: Running a script via PHP Message-ID: <op.w392wrwc8527sy@212-182-167-131.ip.telfort.nl> In-Reply-To: <58E65D87-C41C-4777-9EAA-005CE3506B6A@mac.com> References: <CA%2BAz77MKoQZRdtiiHX3_88A9PJaxJC0vwHebie%2BwgdsWNNpn3g@mail.gmail.com> <58E65D87-C41C-4777-9EAA-005CE3506B6A@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 27 Sep 2013 23:50:02 +0200, Charles Swiger <cswiger@mac.com> wrote: > Hi-- > > On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdmiek@gmail.com> > wrote: >> Hello there, >> It's quite off-topic, but I'm using freebsd-stable,so >> >> The priblem is - running a script that requires root privileges via PHP >> (or >> probably CGI - I do not care, just want it to be secure and working). > > Unfortunately the combination of PHP, doing something which needs root, > and > security are inherently contradictory. > > The least risky approach would be to invoke the needed command via sudo, > or > possibly a small setuid-root C wrapper program which launches only the > needed script > with root permissions. Use sudo unless your C wrapper is careful enough > to use > exec() and not system(), sanitizes $PATH and other env variables, and > guards against > games with $IFS, shell metachars, and such. > > Regards, Use sudo, because your home grown C wrapper will make all the mistakes which are already solved in sudo. Or will be spotted in the future in sudo and will never be spotted in your program. Chances are high that future requirements of your C wrapper will turn it in a little sudo. Ronald.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.w392wrwc8527sy>