How to run cmd as root from apache (CentOS)?

I am trying to run the useradd command on CentOS, but I cannot, because I need root privileges.

In my php_info(); I have a --disable-posix. I tried reinstalling my PHP and tried to enable posix with yum and other parameters, but no luck.

Can someone help me set up posix, or suggest some other solution? I notice that posix_getuid(); works, but posix_setuid(); does not.

Any solution?

All I need to do is useradd in the passwd (root) command with a "user click". What is the best and safest way to do this?

Thanks a lot!

Koren Or

0
5 answers

You want to read the suEXEC documentation: http://httpd.apache.org/docs/2.2/suexec.html Then rethink how your application works and find out which is better / safer.

0

You can use sudo for this. Run visudo and put in something like:

 apache ALL = (ALL) NOPASSWD: /usr/sbin/useradd 

In fact, if you have SELinux installed, this will not work, and instead of using useradd, I would recommend writing a wrapper script that correctly installs the environment and does performance checks before running useradd.

0

I would suggest writing a shell script that will call useradd via sudo.

You can add specific commands for specific users to /etc/sudoers (edited with visudo).

There should be something like this:

# Let the apache user run useradd as root without a password
Cmnd_Alias USERADD = /usr/sbin/useradd *

apache ALL=(root) NOPASSWD: USERADD

Call useradd:

sudo /usr/sbin/useradd USERNAME

Remember to confirm your entry in both the PHP script and the shell script.

0
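
The wrapper-script approach suggested in the two answers above, as an added example that is not part of either answer. The script name and path, the name policy and the fixed useradd options are assumptions; sudo is granted for the wrapper only, so the web server account controls the user name and nothing else.

```shell
#!/bin/sh
# Hypothetical wrapper (name and path are assumptions), installed root-owned,
# mode 0755, as /usr/local/sbin/webapp-useradd. Matching sudoers entry:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/webapp-useradd
# The apache account can then run this script only, never useradd itself.

# Sanitise the environment: fixed PATH, C locale so [a-z] means ASCII only.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
LC_ALL=C
export PATH LC_ALL
USERADD=/usr/sbin/useradd

# Return 0 only for a conservative login name: 1-32 characters, first one a
# lowercase letter, the rest lowercase letters, digits, '_' or '-'.
# A leading '-' is refused, so the name can never be read as an option.
valid_username() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case $name in
        [!a-z]*) return 1 ;;        # first character must be a-z
        *[!a-z0-9_-]*) return 1 ;;  # anything outside the allow-list
    esac
    return 0
}

# Validate the single argument, then call useradd with fixed options.
# useradd itself refuses a name that is already in use.
add_user() {
    [ "$#" -eq 1 ] || { echo "usage: webapp-useradd NAME" >&2; return 2; }
    valid_username "$1" || { echo "rejected user name" >&2; return 3; }
    # Example policy (an assumption): home directory, no login shell.
    "$USERADD" -m -s /sbin/nologin -- "$1"
}

# Act only when given arguments, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then
    add_user "$@"
fi
```

From PHP the call is then `sudo /usr/local/sbin/webapp-useradd NAME`, with the same allow-list check repeated on the PHP side before the call.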

Sudo can be a quick hack to implement it quickly, but it's hard to defend, and there are problems even for an experienced unix guru.

Another way is to create your own daemon server running as root, listen to the local unix domain socket or named pipe, or simply search for files in a specific protected directory. Then report this daemon from your PHP script with the username to add. Implement only the minimum functionality of the application in this daemon and everything else in PHP. But do strong input checks on your daemon, sanitize your environment, etc., to be sure that this is a PHP app and not someone else.

0

The sudo needs to be run interactively (it expects a password).

You should not provide root access in any way to the web server.

Suexec is an alternative, but you can also just create a script on the network to write to a file and run a cron job that parses the file and processes the commands.

-3