Temporarily running PHP as root - GoFuckYourself.com

camperjohn64 · 04-29-2010, 04:11 PM

I want to run some PHP scripts to do some server setup and package install, but want to do it through a browser rather than through SSH.

Does anyone know how to temporarily run PHP as root?

- I tried running apache as root while I run the scripts, but it won't let me.
- I tried sudo from PHP, but it won't let me either.

Other ideas?

If I can't figure it out then I just have to SSH and do a php myscript.php --param1=foo -param2=bar, but I would prefer to do it thought a browser if possible.

CYF · 04-29-2010, 04:17 PM

don't run php/apache as root

u-Bob · 04-29-2010, 04:21 PM

bad idea.

fris · 04-29-2010, 04:23 PM

use ssh to run php from cmd line, dont run as root bad idea. like evryone else says

ProG · 04-29-2010, 04:27 PM

What does the script do? I'm positive there is an alternative to using root.

If you are really inclined to do so, just add the script path into your sudoers file and that will allow you to sudo when calling that script. Then you can create another PHP script to run via HTTP that uses something like exec('sudo php /script.php')

mikke · 04-29-2010, 04:33 PM

dont run apache as root..

Code:

#!/usr/bin/php -q
<?php
echo "hello world";
?>

save it, chown root:root, ./script.php

camperjohn64 · 04-29-2010, 04:33 PM

All the script does is create some folders, copy some files, install some new settings. I would just prefer to do it from a browser so I can see the results as I am setting them rather than command line.

Whatever I set up to run as root, I will undo once I install the new site.

I will try the sudoers file thing and see what I come up with.

nation-x · 04-29-2010, 04:39 PM

Quote:

Originally Posted by camperjohn64

All the script does is create some folders, copy some files, install some new settings. I would just prefer to do it from a browser so I can see the results as I am setting them rather than command line.

Whatever I set up to run as root, I will undo once I install the new site.

I will try the sudoers file thing and see what I come up with.

you shouldn't need to have php run as root to do that... are these files or folders that apache will have to work with? If so you can't do that anyway because apache won't have permission to access them.

seeandsee · 04-29-2010, 04:41 PM

Quote:

Originally Posted by CYF

don't run php/apache as root

agree

quantum-x · 04-29-2010, 04:51 PM

Set apache to be in the right group as the files / folders
or at worst, mod the folders to chmod 777

Don't run php as root

camperjohn64 · 04-29-2010, 05:04 PM

Maybe I should define the problem better:

Website A, has a settings file. I want to create a duplicate settings file, in another folder that User A can modify. That is all I need to do.

This settings file will be used by the website to know what database, what template to use, stuff like that, basic DEFINE's for the website. The website I am using to set the settings file may or may not be the one that uses the settings file.

- Apache is running as nobody.
- I want to use an interface to set up this new site
- Since Apache is nobody, I cannot create a new folder without logging into SSH as root manually and chmod'ing the base directory.
- Even when I do that, the settings file is created as nobody, and User A cannot modify it once it is created, since it is not usera:usera, it is nobody:nobody
- Therefore, I need to login to SSH, make the folder, touch the file, then chown the folder AND file...only then User A can modify the file. I need to do this for every settings file, and every new variation of the website I make. WTF?!

I don't care if Apache runs as root. For the 23 minutes it takes to set up the sites, a hacker is most welcome to come and do his worst. He has a 23 minute window - enjoy. I have to login as root anyway - so either I sudo with the root password or I SSH with the root password - it's not like it's insecure either way I need to know the root pass to accomplish the task.

quantum-x · 04-29-2010, 05:11 PM

Quote:

Originally Posted by camperjohn64

Maybe I should define the problem better:

Website A, has a settings file. I want to create a duplicate settings file, in another folder that User A can modify. That is all I need to do.

This settings file will be used by the website to know what database, what template to use, stuff like that, basic DEFINE's for the website. The website I am using to set the settings file may or may not be the one that uses the settings file.

- Apache is running as nobody.
- I want to use an interface to set up this new site
- Since Apache is nobody, I cannot create a new folder without logging into SSH as root manually and chmod'ing the base directory.
- Even when I do that, the settings file is created as nobody, and User A cannot modify it once it is created, since it is not usera:usera, it is nobody:nobody
- Therefore, I need to login to SSH, make the folder, touch the file, then chown the folder AND file...only then User A can modify the file. I need to do this for every settings file, and every new variation of the website I make. WTF?!

I don't care if Apache runs as root. For the 23 minutes it takes to set up the sites, a hacker is most welcome to come and do his worst. He has a 23 minute window - enjoy. I have to login as root anyway - so either I sudo with the root password or I SSH with the root password - it's not like it's insecure either way I need to know the root pass to accomplish the task.

If apache is running as nobody, then make a php script:

Code:

mkdir('path/to/dir');

It'll be made as nobdoy as well

CYF · 04-29-2010, 05:15 PM

Quote:

Originally Posted by camperjohn64

Maybe I should define the problem better:

Website A, has a settings file. I want to create a duplicate settings file, in another folder that User A can modify. That is all I need to do.

This settings file will be used by the website to know what database, what template to use, stuff like that, basic DEFINE's for the website. The website I am using to set the settings file may or may not be the one that uses the settings file.

- Apache is running as nobody.
- I want to use an interface to set up this new site
- Since Apache is nobody, I cannot create a new folder without logging into SSH as root manually and chmod'ing the base directory.
- Even when I do that, the settings file is created as nobody, and User A cannot modify it once it is created, since it is not usera:usera, it is nobody:nobody
- Therefore, I need to login to SSH, make the folder, touch the file, then chown the folder AND file...only then User A can modify the file. I need to do this for every settings file, and every new variation of the website I make. WTF?!

I don't care if Apache runs as root. For the 23 minutes it takes to set up the sites, a hacker is most welcome to come and do his worst. He has a 23 minute window - enjoy. I have to login as root anyway - so either I sudo with the root password or I SSH with the root password - it's not like it's insecure either way I need to know the root pass to accomplish the task.

In the time it took you to write that, you could have ssh'd to your server and ran the php script.

ProG · 04-29-2010, 05:22 PM

Quote:

Originally Posted by camperjohn64

Since Apache is nobody, I cannot create a new folder without logging into SSH as root manually and chmod'ing the base directory.

- Even when I do that, the settings file is created as nobody, and User A cannot modify it once it is created, since it is not usera:usera, it is nobody:nobody

You do realize that you can use PHP to chmod/chown/chgrp?

GrouchyAdmin · 04-29-2010, 05:27 PM

This thread makes my head hurt.

Wifey's World A.M. · 04-29-2010, 05:31 PM

You can have Apache upload and create files and directories as a certain user or group. So if you are SSH'ing in as a regular user, have Apache create the files or directories as that user. Or have Apache create those files or directories as a certain group. Then just make sure your SSH user is in that group.

Amputate Your Head · 04-29-2010, 05:38 PM

Quote:

Originally Posted by camperjohn64

Maybe I should define the problem better:

Website A, has a settings file. I want to create a duplicate settings file, in another folder that User A can modify. That is all I need to do.

This settings file will be used by the website to know what database, what template to use, stuff like that, basic DEFINE's for the website. The website I am using to set the settings file may or may not be the one that uses the settings file.

- Apache is running as nobody.
- I want to use an interface to set up this new site
- Since Apache is nobody, I cannot create a new folder without logging into SSH as root manually and chmod'ing the base directory.
- Even when I do that, the settings file is created as nobody, and User A cannot modify it once it is created, since it is not usera:usera, it is nobody:nobody
- Therefore, I need to login to SSH, make the folder, touch the file, then chown the folder AND file...only then User A can modify the file. I need to do this for every settings file, and every new variation of the website I make. WTF?!

I don't care if Apache runs as root. For the 23 minutes it takes to set up the sites, a hacker is most welcome to come and do his worst. He has a 23 minute window - enjoy. I have to login as root anyway - so either I sudo with the root password or I SSH with the root password - it's not like it's insecure either way I need to know the root pass to accomplish the task.

I get what you're saying.
I ran apache as root before under the same logic. And I would do it again.
But it's been so long since, I don't remember how the hell I did it.

Good luck.

jackknoff · 04-29-2010, 05:47 PM

I think that's sorta a bad idea, I would never run it as root

Spanx!
Jack

camperjohn64 · 04-29-2010, 09:40 PM

Quote:

Originally Posted by CYF

In the time it took you to write that, you could have ssh'd to your server and ran the php script.

Yes, I just don't want to SSH over and over and over...

..but I think I will have to....

nation-x · 04-30-2010, 04:47 AM

I think your problem is that your FTP login and apache are not in the same wheel group... I have seen this problem with some hosts... ask your host to do that for you and it will fix your problem.

camperjohn64 · 04-30-2010, 07:50 AM

Quote:

Originally Posted by nation-x

I think your problem is that your FTP login and apache are not in the same wheel group... I have seen this problem with some hosts... ask your host to do that for you and it will fix your problem.

I am the host. :-(

quantum-x · 04-30-2010, 08:03 AM

Quote:

Originally Posted by camperjohn64

I am the host. :-(

So much good advice in this thread... ignored.

camperjohn64 · 04-30-2010, 09:30 AM

cPanel and Webmin and others run as root. So this can't be that tough, or that insecure.

Can I tie a specific port like to 123.45.67.89:5000 to my php script and have it run as root there?

quantum-x · 04-30-2010, 10:24 AM

Quote:

Originally Posted by camperjohn64

cPanel and Webmin and others run as root. So this can't be that tough, or that insecure.

Can I tie a specific port like to 123.45.67.89:5000 to my php script and have it run as root there?

Why don't you just run it already and stop talking about it? ;)

BestXXXPorn · 04-30-2010, 10:46 AM

Quote:

Originally Posted by camperjohn64

cPanel and Webmin and others run as root. So this can't be that tough, or that insecure.

Can I tie a specific port like to 123.45.67.89:5000 to my php script and have it run as root there?

No, they do not run as root...

shell_exec('sudo -u root -S command_goes_here < /home/$User/dir/dir/dir/passfile');

There are a variety of methods...

You either need to chown the directory structure that is being changed by the script or use a method to execute shell commands as another user...

OR you could do something like.... build a mini secure webpage that is only accessible from SSL/443. All it would have is a single button. You click the button it executes your original script as root and returns the output to the mini script for display in the browser.

raymor · 04-30-2010, 10:49 AM

Quote:

Originally Posted by camperjohn64

- I tried running apache as root while I run the scripts, but it won't let me.
- I tried sudo from PHP, but it won't let me either.

There are reasons it won't let you, no matter how hard you try.
PHP, designed as a blog script but abused and treated as a programming language, is dangerous enough running as "nobody".

Quote:

Website A, has a settings file. I want to create a duplicate settings file, in another folder that User A can modify. That is all I need to do.

chgrp apache /home/*/domains/thescript/settings
chmod 775 /home/*/domains/thescript/settings

Or:

Make a script or better yet a simple C program that does that exact job, taking as little input
from the user as possible, and make it setuid (4755). setuid is very powerful, but that means
it has to be done right to avoid great risk, so be careful. Some systems won't even let you
setuid a shell script because it's so hard to make one secure, so the common practice is to
do all setuid scripts in C using a prior setuid program as a temple. /usr/bin/passwd is common,
and well written, setuid program.

KillerK · 04-30-2010, 11:18 AM

why do you want to haxzor a virtual host?

CYF · 04-30-2010, 04:19 PM

Quote:

Originally Posted by camperjohn64

I am the host. :-(

You might want to switch to managed hosting

04-29-2010, 04:11 PM	#1
camperjohn64 Confirmed User Industry Role: Join Date: Feb 2005 Location: Los Angeles Posts: 1,531	Temporarily running PHP as root I want to run some PHP scripts to do some server setup and package install, but want to do it through a browser rather than through SSH. Does anyone know how to temporarily run PHP as root? - I tried running apache as root while I run the scripts, but it won't let me. - I tried sudo from PHP, but it won't let me either. Other ideas? If I can't figure it out then I just have to SSH and do a php myscript.php --param1=foo -param2=bar, but I would prefer to do it thought a browser if possible. __________________ www.gimmiegirlproductions.com

04-29-2010, 04:17 PM	#2
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	don't run php/apache as root __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

04-29-2010, 04:23 PM	#4
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,359	use ssh to run php from cmd line, dont run as root bad idea. like evryone else says __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

04-29-2010, 04:27 PM	#5
ProG Confirmed User Join Date: Apr 2009 Posts: 1,319	What does the script do? I'm positive there is an alternative to using root. If you are really inclined to do so, just add the script path into your sudoers file and that will allow you to sudo when calling that script. Then you can create another PHP script to run via HTTP that uses something like exec('sudo php /script.php') __________________ History will be kind to me for I intend to write it. Last edited by ProG; 04-29-2010 at 04:28 PM..

04-29-2010, 04:33 PM	#6
mikke Confirmed User Industry Role: Join Date: Jan 2010 Location: Europe Posts: 1,327	dont run apache as root.. Code: #!/usr/bin/php -q <?php echo "hello world"; ?> save it, chown root:root, ./script.php __________________ icq: 395 294 346 http://www.adultsubmitter.eu - submit any adult site to 20 directories from 1 form! now 20 domains! http://www.porndeals.eu http://www.ebonybangbros.com

04-29-2010, 04:21 PM	#3
u-Bob there's no $$$ in porn Industry Role: Join Date: Jul 2005 Location: icq: 195./568.-230 (btw: not getting offline msgs) Posts: 33,063	bad idea.

04-29-2010, 04:51 PM	#10
quantum-x Confirmed User Join Date: Feb 2002 Location: ICQ: 251425 Fr/Au/Ca Posts: 6,863	Set apache to be in the right group as the files / folders or at worst, mod the folders to chmod 777 Don't run php as root __________________ PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

04-29-2010, 05:04 PM	#11
camperjohn64 Confirmed User Industry Role: Join Date: Feb 2005 Location: Los Angeles Posts: 1,531	Maybe I should define the problem better: Website A, has a settings file. I want to create a duplicate settings file, in another folder that User A can modify. That is all I need to do. This settings file will be used by the website to know what database, what template to use, stuff like that, basic DEFINE's for the website. The website I am using to set the settings file may or may not be the one that uses the settings file. - Apache is running as nobody. - I want to use an interface to set up this new site - Since Apache is nobody, I cannot create a new folder without logging into SSH as root manually and chmod'ing the base directory. - Even when I do that, the settings file is created as nobody, and User A cannot modify it once it is created, since it is not usera:usera, it is nobody:nobody - Therefore, I need to login to SSH, make the folder, touch the file, then chown the folder AND file...only then User A can modify the file. I need to do this for every settings file, and every new variation of the website I make. WTF?! I don't care if Apache runs as root. For the 23 minutes it takes to set up the sites, a hacker is most welcome to come and do his worst. He has a 23 minute window - enjoy. I have to login as root anyway - so either I sudo with the root password or I SSH with the root password - it's not like it's insecure either way I need to know the root pass to accomplish the task. __________________ www.gimmiegirlproductions.com Last edited by camperjohn64; 04-29-2010 at 05:05 PM..

04-29-2010, 05:27 PM	#15
GrouchyAdmin Now choke yourself! Industry Role: Join Date: Apr 2006 Posts: 12,085	This thread makes my head hurt. __________________ AIM: GrouchyGfy

04-29-2010, 05:31 PM	#16
Wifey's World A.M. Registered User Join Date: Apr 2010 Posts: 20	You can have Apache upload and create files and directories as a certain user or group. So if you are SSH'ing in as a regular user, have Apache create the files or directories as that user. Or have Apache create those files or directories as a certain group. Then just make sure your SSH user is in that group. __________________

04-29-2010, 05:47 PM	#18
jackknoff Confirmed User Join Date: Feb 2010 Posts: 545	I think that's sorta a bad idea, I would never run it as root Spanx! Jack

04-30-2010, 04:47 AM	#20
nation-x Confirmed User Industry Role: Join Date: Mar 2004 Location: Rock Hill, SC Posts: 5,370	I think your problem is that your FTP login and apache are not in the same wheel group... I have seen this problem with some hosts... ask your host to do that for you and it will fix your problem.

04-30-2010, 09:30 AM	#23
camperjohn64 Confirmed User Industry Role: Join Date: Feb 2005 Location: Los Angeles Posts: 1,531	cPanel and Webmin and others run as root. So this can't be that tough, or that insecure. Can I tie a specific port like to 123.45.67.89:5000 to my php script and have it run as root there? __________________ www.gimmiegirlproductions.com

04-30-2010, 11:18 AM	#27
KillerK Confirmed User Join Date: May 2008 Posts: 3,406	why do you want to haxzor a virtual host?