views: 920
answers: 5

I'm trying to build a firewall manager in PHP, but when I execute, <?php exec('iptables -L'); ?>, the result array is empty.

I have tried, <?php echo exec('whoami'); ?>, and the response is www-data (the user that Apache is using). What can I do to execute the exec function as root? (Preferably without changing the Apache user.)

A: 

Just an assumption - Is this a PHP web app that will do this? This doesn't sound too safe. The app that needs root - could you build that separately and then invoke it from PHP? If not, maybe you can sudo the process so it can run as root.

FrustratedWithFormsDesigner
+1  A: 

Unless you use suphp and configure it to run as root you won't be able to run any PHP script on behalf of any other system user besides who is running PHP.

Edit:

Just a small idea. Add a queue process in some way and run a cron process in the root's crontab.

Please please be really careful about this. Any injection can literally destroy the system.

Gabriel Sosa
+13  A: 

Don't do it! You will leave yourself wide open to all sorts of malicious hackery.

Have a look at the "sudo" documentation.

You should be able to set up all the commands you need as "sudo"able scripts. It is much better to write specific scripts with limited functions than to expose the underlying privileged command.

As in:

<?php exec('sudo getIpTables.ksh', $output); ?>  // $output receives the script's lines
James Anderson
you can limit sudo functions.
LiraNuna
Sudo is the solution I used when faced with a similar problem. These SO questions served as useful references:
http://stackoverflow.com/questions/113728/php-webpage-doesnt-launch-unix-command-even-after-updated-sudoers
http://stackoverflow.com/questions/349884/how-do-i-programatically-restart-a-system-servicenot-apache-from-apache-in-linu
Frank Farmer
+1 sudo is the way to go
ammoQ
Ok, I will study about 'sudo' :D Thanks.
gobr
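A worked version of the sudo-wrapper approach from the answer above, added here as an example; it is not code from the question or from any answer. It assumes a hypothetical wrapper installed at /usr/local/sbin/fw-list, the sudoers rule shown in its comments, and iptables at /sbin/iptables. The only input the wrapper accepts is one of the four iptables table names, so nothing the web app passes reaches a shell or iptables unchecked. The same wrapper is what a root-owned cron consumer would call if you went with the queue idea from the earlier answer.

```sh
#!/bin/sh
# Added example, not code from the question or any answer. Hypothetical
# install path: /usr/local/sbin/fw-list (owned by root, mode 0755).
#
# Matching sudoers rule (constructed; add it with: visudo -f /etc/sudoers.d/fw-list):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/fw-list
# sudo's env_reset (on by default) and secure_path (where your distribution
# sets it) mean the web server cannot smuggle PATH, IFS or LD_* into root's process.
#
# PHP side (constructed):
#   exec('sudo -n /usr/local/sbin/fw-list ' . escapeshellarg($table), $out, $rc);
# -n makes sudo fail instead of prompting if the rule is missing, so $rc tells you.

# Only the four iptables tables are accepted; any other string, including one
# carrying shell metacharacters or extra flags, is rejected before it is used.
validate_table() {
    case "$1" in
        filter|nat|mangle|raw) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns the exact command line the wrapper would run for a table, so the
# allowlist can be reviewed and tested without executing anything.
planned_command() {
    validate_table "$1" || return 1
    printf '/sbin/iptables -t %s -L -n --line-numbers\n' "$1"
}

main() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
    if [ "$#" -ne 1 ]; then
        echo "usage: fw-list <filter|nat|mangle|raw>" >&2
        exit 2
    fi
    if ! validate_table "$1"; then
        echo "fw-list: refusing table '$1'" >&2
        exit 2
    fi
    # Fixed argument list; $1 has already been matched against the allowlist,
    # so the caller cannot add flags such as -F or -A.
    exec /sbin/iptables -t "$1" -L -n --line-numbers
}

# Run only when installed under its own name, so the functions can be sourced
# for review or testing without touching the firewall.
case "${0##*/}" in
    fw-list) main "$@" ;;
esac
```

The sudoers rule deliberately names the wrapper and not iptables: a rule on iptables itself would let www-data pass any flags, including ones that flush or rewrite the rule set. Every command the app needs gets its own wrapper of this shape rather than one wrapper that forwards arbitrary arguments.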
+2  A: 

This is very unsafe and a bad idea. Rethink your design. If you really want to do this use sudo as advised. An alternative solution might be to go ahead and run as root but do so inside a chroot or a vm image (both of which can be broken out of but still).

Or best of all run as sudo inside a chroot!

Collin
A: 

You can put the required commands in a separate script/executable file (sh, PHP, a real executable, doesn't matter), change its owner to root, and apply "setuid" to it.

This will allow anything and anyone to run this script as root, so you need to make sure that it has its own security rules for seeing if this is allowed, and is very restricted in what it does.

Bart van Heukelom
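An added deployment check for the setuid route, not part of the answer above. Two facts about Linux drive it: the kernel ignores the setuid bit on interpreted scripts (any file starting with #!), so a shell or PHP script that has been chowned to root and chmod u+s still runs as www-data and only a compiled executable actually gains root; and a setuid-root file that is group- or world-writable can be replaced by anyone with that write access. The function flags both conditions, plus a missing bit or a non-root owner, on a hypothetical wrapper path.

```sh
#!/bin/sh
# Added example, not code from the question or any answer. Audits a file that
# is meant to run as root through the setuid bit; the path is a hypothetical
# argument. Prints one line per finding and returns 1 if anything was found.
audit_setuid_wrapper() {
    f=$1
    found=0
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"
        return 1
    fi
    # ls -ln gives numeric ids: first 10 chars are the mode string (e.g.
    # -rwsr-xr-x), field 3 is the owner uid. cut keeps the mode at 10 chars
    # even when ls appends '+' or '@' for ACLs or extended attributes.
    line=$(ls -ln "$f")
    mode=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')

    if [ ! -u "$f" ]; then
        echo "$f: setuid bit not set, so it runs as the caller"
        found=1
    fi
    # Linux ignores setuid on anything with a #! header: the interpreter is
    # started with the caller's uid, so a setuid shell or PHP script is still www-data.
    if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
        echo "$f: interpreted script, setuid is ignored for scripts"
        found=1
    fi
    if [ "$owner" -ne 0 ]; then
        echo "$f: owned by uid $owner, not root"
        found=1
    fi
    # In the mode string, char 6 is group write and char 9 is other write.
    case "$mode" in
        ?????w????|????????w?)
            echo "$f: group- or world-writable, anyone with write access can replace it"
            found=1 ;;
    esac
    return "$found"
}
```

Call it from the deploy script as audit_setuid_wrapper /usr/local/sbin/fw-bin (hypothetical path) and fail the deploy on a non-zero return. The "interpreted script" finding is the one that most often surprises people following the advice above: the fix is a small compiled wrapper with a fixed argument list, or going back to the sudo approach from the earlier answer.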