How can I ensure a user can not run a PHP script and that it is only ever run as part of a cron job?

+9  A: 

You can set an environment variable in your crontab. A line like IS_CRON=1 can be placed at the beginning of your crontab, then check in your PHP program for getenv("IS_CRON") == 1.

Of course, you should also use file permissions as they're not so easily bypassed. If this is run as part of root's cron, chown root:root yourscript.php and chmod 700 yourscript.php.


As ircmaxell says, it'd be better to run as a user other than root assuming you don't need root permissions for what you're doing. I was just taking a guess about your setup.

bemace
This looks like a perfect solution... I am a bit new to cron jobs... how would I set the IS_CRON=1 part?
Starlin
@Starlin, just put that line at the beginning of your crontab file
bemace
A user can set environment variables too.
Wooble
@Wooble that's why I mentioned file permissions as well. With those file permissions, only root can run it. The environment variable will prevent accidentally running it. If someone else with root access wants to run it intentionally it's a moot point, because they could always modify the code themselves.
bemace
True, but you could also set it as any other user that you wish (so it's not a security concern)... Then the only people who could access it are those with that user's password or root... Running it as root lets any compromise (or malevolent coder) have full run over your server... Don't hand away root access, make them work for it...
ircmaxell
+1  A: 

I would suggest setting an environment variable within your crontab and then checking for this within your PHP script

seengee
what was the minus vote for?
seengee
@seengee: Wasn't mine, but I'd say "for security by obscurity". While your suggestion would prevent *accidental* execution, one peek into the script will tell anyone which environment variable needs to be set (similar to a sign "please don't run manually"). The answers with "set up a separate user for cronjobs and only allow that user access and execution of the script" address the root of the problem (similar to a lock which can only be unlocked by the specific user).
Piskvor
+3  A: 

There are probably a number of ways to do this. Off the top of my head, I would say that placing it in a directory owned by root, and only readable by root might get close to achieving the effect you are looking for.

Are there any processes you are looking specifically to restrict it from? If so, using permissions, make it not readable to any of those processes.

Hersheezy
A: 

Create a user for cron jobs, and set permissions of the script so it can only be run as this user. Of course you then need to put the script in that user's crontab, which you can do by logging in as that user and running crontab. Just don't give that user's password to just any other user...

At first I was also thinking of setting an environment variable which would prevent running this script from the web... But just not putting the script in the space where the web server looks for pages for websites would do the same.

And nothing is stopping a random user from first setting the environment variable and then running the script.

bart
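
The controls the answers above rely on (a single owning user, mode 700, and a location outside the web server's document root) can be checked with a small audit function. This is an added example, not code from any of the answers; the function name `audit_cron_script` and its three parameters are hypothetical, and it assumes GNU coreutils `stat` on Linux.

```shell
#!/bin/sh
# Added example: audit a script that should only ever be run from cron.
# Assumptions (not from the page): GNU coreutils stat; the caller supplies the
# numeric uid of the cron user, e.g. "$(id -u cronuser)", and the web root path.

# audit_cron_script FILE EXPECTED_UID WEBROOT
# Returns 0 when FILE is owned by EXPECTED_UID, grants nothing to group/other,
# and is not located under WEBROOT. Returns 1 on any finding, 2 if FILE is missing.
audit_cron_script() {
    file=$1; expected_uid=$2; webroot=$3; rc=0

    [ -f "$file" ] || { echo "not a regular file: $file"; return 2; }

    # Ownership: only the cron user (or root) should be able to chmod the file.
    actual_uid=$(stat -c %u "$file")
    if [ "$actual_uid" != "$expected_uid" ]; then
        echo "owner uid is $actual_uid, expected $expected_uid"
        rc=1
    fi

    # Mode: any group/other bit (octal 077) lets another account read or run it.
    mode=$(stat -c %a "$file")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode grants access to group or other (want 700)"
        rc=1
    fi

    # Location: a script under the document root may be reachable over HTTP.
    dir=$(cd "$(dirname "$file")" && pwd -P)
    wr=$(cd "$webroot" 2>/dev/null && pwd -P) || wr=$webroot
    case "$dir/" in
        "$wr"/*) echo "script is inside the web root $wr"; rc=1 ;;
    esac

    return $rc
}

# Example call (paths are placeholders):
#   audit_cron_script /home/cronuser/jobs/yourscript.php "$(id -u cronuser)" /var/www
```

An IS_CRON check inside the script does not appear in this audit because, as the comments point out, any user who can execute the file can also set the variable.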