views: 897

answers: 3

I have a shell_exec() command that accesses a directory above my document root so I need to use sudo "as root" to make it happen. (I understand the security issues and am putting in measures to address it).

The issue is when I run the shell_exec() I get a "sudo: must be setuid root" error in my apache error_log file.

I thought the solution was to chmod 4750 the bash script that is called by my shell_exec() but that does not do the job.

What exactly is "sudo: must be setuid root" trying to tell me and how might I resolve it?

A: 

Did you check the permissions for your script?

Who is owning the script?

Does the web user have the rights to sudo?

Roberto Aloi
Here are the permissions for the files in question:

PHP Script run from browser
-rw-r--r-- 1 drd drd 339 Feb 9 11:09 test.php

BASH Script called from shell_exec()
-rwsr-x--- 1 root nobody 209 Feb 9 09:01 test.bash*

and here is the shell_exec() command
shell_exec('sudo -u root -S /home/drd/public_html/app/shell/test.bash < /home/drd/public_html/app/shell/temp-pswd.txt');

re: your question "Does the web user has the rig...?" are you referring to sudoers? My preference is not to alter the sudoers file but to use root.
Dr. DOT
how do you get line breaks in comments in StackOverflow (using FF 3.6)?
Dr. DOT
-rw-r--r-- 1 drd drd 339 Feb 9 11:09 test.php
Dr. DOT
-rwsr-x--- 1 root nobody 209 Feb 9 09:01 test.bash*
Dr. DOT
shell_exec('sudo -u root -S /home/drd/public_html/app/shell/test.bash < /home/drd/public_html/app/shell/temp-pswd.txt');
Dr. DOT
+1  A: 

Is the sudo executable itself setuid root? You may need to

chown root: /usr/bin/sudo
chmod u+s /usr/bin/sudo
eswald
---x--x--x 2 root root 159752 Feb 13 2009 sudo*
Dr. DOT
Yes, that could definitely be your problem. You might need `chmod a+r /usr/bin/sudo` in addition to the above, but the `u+s` line is definitely required.
eswald
I want to avoid having to make server-side tweaks in order to get the script to run. The reason is that what I am building is intended to be rolled out to other servers through a 1-time install process. So I don't want to have to request server-side tweaks in order to get the script to work. If that has to be the case, then I can just as easily have a sys admin load the file as a pre-requisite to the install process being run. Bottom-line, trying to create something that is independent of the server config and is self-dependent.
Dr. DOT
(continued from previous comment) So, out-of-the box if shell_exec() cannot run as root, then I would really like to know that so I don't continue to spin my wheels or have hope that it can. I have seen this post (http://www.php.net/manual/en/function.shell-exec.php#68685) but I cannot get it to work on my server. Thanks
Dr. DOT
`sudo` cannot operate without its setuid bit set. If you expect *anything* on that server to sudo, then you need to repair it.
eswald
+1  A: 

Alternatively, skip sudo altogether. If your script is owned by root and has its own setuid bit set, then you don't need to use sudo to get root privileges. In fact, it can be more secure that way; you guarantee that your web user can only use that script, without having to edit sudoers. To do so, remove sudo from your shell_exec() line:

<?php
    shell_exec('/path/to/your/command');
?>
eswald
I have set the script to be owned by root. It seems that because the script is evoked or called by the browser, then "nobody" actually is the user running the script regardless of who Linux thinks owns the file.
Dr. DOT
eswald -- does this work for you on your server?
Dr. DOT
I haven't yet encountered a situation where it has been necessary; in particular, accessing parent directories shouldn't need root privileges. Which server (and version) are you using?
eswald
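The two answers above point at two different things: eswald's first answer says the `/usr/bin/sudo` binary itself must be owned by root and carry the setuid bit (the `---x--x--x` listing shows it does not), and the second answer suggests a root-owned setuid script instead of sudo, which Dr. DOT then reports still runs as "nobody". The following shell script is an added diagnostic, not code from the thread or from the sudo project: it checks an owner/mode pair against what sudo needs, reads the live values off `/usr/bin/sudo` when that file exists, and tests whether a given file is a `#!` interpreter script, because the Linux kernel ignores the setuid bit on such scripts (only a compiled binary, or sudo, actually changes identity). The function names (`has_setuid`, `sudo_verdict`, `owner_and_mode`, `setuid_honoured_on`, `report`) are this example's own; the GNU `stat -c` and BSD `stat -f` formats are real, and the sample modes are copied from the listings in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose "sudo: must be setuid root"
# and show why a setuid *script* such as test.bash does not gain root.
# Modes are octal strings as printed by stat or read off an ls -l line.

# Return 0 when the octal mode has the setuid bit (special digit 4, 5, 6 or 7).
has_setuid() {
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done   # "755"   -> "0755"
    m=${m#"${m%????}"}                         # "04750" -> "4750"
    case ${m%???} in
        4|5|6|7) return 0 ;;
    esac
    return 1
}

# Print "ok" and return 0 when OWNER and MODE are what sudo requires;
# otherwise print the missing pieces (space-separated) and return 1.
sudo_verdict() {
    owner=$1 mode=$2 problems=""
    [ "$owner" = root ] || problems="${problems:+$problems }not-owned-by-root"
    has_setuid "$mode"  || problems="${problems:+$problems }no-setuid-bit"
    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "$problems"
    return 1
}

# "OWNER MODE" of a live file: GNU stat first, BSD/macOS stat as fallback.
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Mp%Lp' "$1" 2>/dev/null
}

# Linux does not honour setuid on interpreter scripts: a file that starts
# with "#!" runs as the invoking user (here "nobody") whoever owns it.
# Return 0 when the kernel would honour the bit, 1 for a "#!" script.
setuid_honoured_on() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" != "#!" ]
}

# Pretty-print a verdict without letting a failing verdict abort the script.
report() {   # report OWNER MODE LABEL
    printf '%-16s owner=%-7s mode=%-5s -> %s\n' "$3" "$1" "$2" "$(sudo_verdict "$1" "$2")"
}

# Values copied from the thread's listings, so this part needs no root:
report root 111  "thread's sudo"    # ---x--x--x  -> no-setuid-bit
report root 4755 "typical sudo"     # -rwsr-xr-x  -> ok
report root 4750 "test.bash"        # -rwsr-x---  -> ok as far as mode goes ...

# ... but test.bash is a "#!" script, so the bit is ignored anyway.
# Constructed stand-in for test.bash, written to a temp file:
tmp=$(mktemp) && printf '#!/bin/bash\necho hi\n' > "$tmp"
if setuid_honoured_on "$tmp"; then
    echo "$tmp: kernel would honour the setuid bit"
else
    echo "$tmp: '#!' script, Linux ignores its setuid bit"
fi
rm -f "$tmp"

# Live check of the real binary, where present.
if [ -e /usr/bin/sudo ]; then
    set -- $(owner_and_mode /usr/bin/sudo)   # $1=owner $2=mode
    report "$1" "$2" /usr/bin/sudo
fi
```

Two caveats the mode check cannot see: sudo also reports that it is not setuid root when it lives on a filesystem mounted `nosuid`, since the kernel then ignores the bit regardless of the mode, so check `mount` output for the partition holding `/usr/bin/sudo` before changing permissions. And the `sudo -S ... < temp-pswd.txt` form in the question reads the root password from a file stored under `public_html`; whatever approach is chosen, that file should not sit inside the document root.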