How to run cmd as root from Apache (CentOS)?

Submitted by 牧云@^-^@ on 2019-12-23 04:43:35

Question


I'm trying to run the "useradd" command in CentOS but I can't because I need root permissions.

In my php_info(); I have '--disable-posix'. I have tried to re-install my PHP, and tried to enable the posix with yum and more options, but no luck.

Can someone help me enable posix, or suggest some other solution? I noticed that posix_getuid(); is working, but posix_setuid(); is not.

Any solution?

All I need is to insert useradd into passwd(root) command by "user click". What is the best and most secure way to do this?

Thanks a lot!

Koren Or


Answer 1:


You want to read the suEXEC documentation: http://httpd.apache.org/docs/2.2/suexec.html. Then rethink how your application works and figure out a better/safer way.




Answer 2:


You could use sudo for doing this. Run visudo and put something like

apache ALL = (ALL) NOPASSWD: /usr/sbin/useradd

Actually, if you have SELinux enforced it will not work, and instead of using useradd I would recommend writing a wrapper script which sets the environment properly and does sanity checks before running useradd.




Answer 3:


I'd suggest writing a shell script which will call useradd via sudo.

You can add specific commands for specific users to /etc/sudoers (edited with the visudo command).

Should be something like this:

Cmnd_Alias USERADD = /usr/sbin/useradd *

apache ALL=(root) NOPASSWD: USERADD

Calling useradd:

sudo /usr/sbin/useradd USERNAME

Do not forget to validate your input in both php script and shell script.
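
The wrapper script that answers 2 and 3 recommend, sketched as an added example that is not part of any answer on this page. The script path /usr/local/sbin/add-site-user, the username policy and the fixed useradd options are assumptions chosen for illustration; the sudoers rule then names the wrapper instead of useradd itself.

```shell
#!/bin/sh
# Added example (hypothetical path: /usr/local/sbin/add-site-user).
# Matching sudoers entry, so apache can run only this script as root:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/add-site-user
set -eu

# Sanitize the environment instead of trusting what the caller passed in.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
LC_ALL=C                      # make [a-z] ranges mean ASCII only
export PATH LC_ALL
unset IFS
umask 077

# Return 0 only for names matching ^[a-z_][a-z0-9_-]{0,31}$ (assumed policy).
validate_username() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case $name in
        [!a-z_]*)      return 1 ;;  # leading '-' or digit: no option injection
        *[!a-z0-9_-]*) return 1 ;;  # spaces, newlines, ';', '$', '/', uppercase
    esac
    return 0
}

# Create an unprivileged account; the caller controls the name and nothing else.
add_user() {
    if ! validate_username "$1"; then
        echo "add-site-user: invalid username" >&2
        return 64
    fi
    # Absolute path, fixed flags, '--' ends option parsing before the name.
    /usr/sbin/useradd --create-home --shell /sbin/nologin -- "$1"
}

# With no arguments the file only defines the functions above.
if [ "$#" -eq 1 ]; then
    add_user "$1"
elif [ "$#" -gt 1 ]; then
    echo "usage: add-site-user USERNAME" >&2
    exit 64
fi
```

Because the sudoers rule carries no wildcard, the PHP side can pass only a single username, and options such as a duplicate UID 0 never reach useradd.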




Answer 4:


Sudo could be a quick hack to implement this quickly, but it is hard to secure and there are pitfalls even for the experienced unix guru.

A different way is to write your own server daemon, running as root, listening to a local unix domain socket, or a named pipe, or simply to look for files in a certain protected directory. Then message this daemon from your php script with the user name to add. Implement only the bare minimum application functionality in this daemon, and everything else in php. But do strong input checks in your daemon, sanitize your environment, etc, to be really sure it is the php app calling, not someone else.




Answer 5:


Sudo needs to be run interactively (it expects a password).

You shouldn't be granting root access in any way to the web server.

Suexec is an alternative, but you could also just have the web script write to a file and have a cron job that parses the file and processes the commands.



Source: https://stackoverflow.com/questions/7300299/how-to-run-cmd-as-root-from-apache-centos
