
This is an Ubuntu system and I need PHP to execute a program as a specific user, let's say userA.

I used PHP's exec() function to call `sudo -Eu userA command_to_run_program`; it did not work because of some security features or environment variables missing on Ubuntu.

So I'm thinking about whether this alternative way can be achieved:

From the back-end, there is a shell script with a fixed PID running and waiting for signals. If this process receives a specific signal, it would execute the program. Let's say I manually started this shell script as userA. So I assume that when it receives the signal and executes the program, the program is executed as userA.

And there is an Apache server with PHP on this machine. The front-end user goes to the PHP page and the PHP program sends the signal to the running shell script, waking the shell script, and thus the program is executed by userA.

If it can be achieved, what is the best practice to do so?

Thanks for your help!

  • Best practice is probably to solve the environment variables or security features rather than build a complicated mess of signals and helpers! Commented Mar 2, 2016 at 17:17
  • Related: stackoverflow.com/questions/10976915/… Commented Jul 24, 2022 at 20:36

1 Answer


In other words, you need some kind of privilege escalation from the user account of the webserver to a (specific?) different user. This has security implications, but I assume that you have considered the possibilities.

Anyhow, the following steps should work:

  • Create a program (albeit just a shell script) that runs the corresponding code.
  • Put the program into a place where the webserver can access it.
  • Make the target user the owner of the program and set the SUID bit. That way, executing it will cause it to run under the user's account.
  • Make the webserver group the group of the program and only allow it (not other users) to run the program via the executable bit.

See the manpages of chown and chmod for further info.
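An added example, not code from the answer or the asker: a POSIX shell script that applies the answer's chown/chmod recipe to a helper and checks the result. It assumes `userA` and `www-data` as in the question, GNU `stat` (BSD `stat` as a fallback), and that chown only runs as root with existing accounts; it also flags the case the comments run into, because the Linux kernel ignores the setuid bit on `#!` interpreter scripts, so the helper must be a compiled binary for the recipe to work.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Applies the answer's
# recipe: owner = target user with setuid, group = web server group, nothing
# for others. Names (userA, www-data, the helper path) are assumptions.
set -eu

# Print a file's mode in octal, e.g. 4750 (GNU stat; BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# True when the file starts with "#!": the Linux kernel ignores setuid on such
# interpreter scripts, so the bit would have no effect on it.
is_interpreted_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Steps 3 and 4 of the answer: chown to target_user:web_group (needs root and
# existing accounts; skipped otherwise), then mode 4750 = setuid + rwxr-x---.
# Prints the resulting mode.
install_helper() {
    helper=$1; target_user=$2; web_group=$3
    if [ "$(id -u)" -eq 0 ] && id "$target_user" >/dev/null 2>&1 \
        && getent group "$web_group" >/dev/null 2>&1; then
        chown "$target_user:$web_group" "$helper"
    else
        echo "note: skipping chown (needs root and existing $target_user/$web_group)" >&2
    fi
    chmod 4750 "$helper"
    file_mode "$helper"
}

# Verify the end state: mode exactly 4750 (setuid, no access for "others")
# and a file the kernel will actually honour setuid on.
check_helper() {
    [ "$(file_mode "$1")" = "4750" ] || { echo "mode is not 4750" >&2; return 1; }
    if is_interpreted_script "$1"; then
        echo "warning: $1 is a #! script; setuid is ignored, use a compiled binary" >&2
        return 2
    fi
}

# Demo (constructed): a throwaway helper that reports the user it runs as.
helper=$(mktemp)
printf '#!/bin/sh\nid -un\n' > "$helper"
install_helper "$helper" userA www-data
check_helper "$helper" || true   # returns 2 here, because a script was used
rm -f "$helper"
```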


5 Comments

Thanks for your reply. Can you explain why "Make the target user the owner of the program and set the SUID bit." would "That way, executing it will cause it to run under the user's account." ?
For example, put "whoami" into a shell script. It won't always output the owner of the shell, instead, it prints the user who executed this shell script.
I read the articles and I'm still not clear how to do that. Could you please give an example? The webserver's user/group is www-data:www-data. The shell script's user/group is userA:userA. The command inside the shell script can only be run as userA. So how do I set the SUID on the shell script so that the webserver could execute it with userA's permissions? Thanks!
Take the whoami example. If I add u+s to the whoami program, then it prints the username of the program owner. But if I put whoami into a shell script and do u+s, it won't print the username of the shell script owner.
