how to get a script to run as root
| lawrence k 2008-02-26, 7:06 pm |
|
I'm writing a script that will find every newly updated file in
/var/www/vhosts/cyber.com/httpdocs/
and then cp the files over to
/var/www/vhosts/theroad.com/httpdocs/
I used to do this by ssh to the server and typing in the copy command
manually. But my client would like to be able to control the timing
of these updates, so I'm trying to make it an easy-to-run script.
Only thing is, when I've done this copy in the past, I've always been
root, as no other user has the permission to copy from the one
directory to the other. So I need the script to run as root. Can I use
exec() to use su to become root? Anyone have a working example of
that?
| |
| Jerry Stuckle 2008-02-26, 7:06 pm |
| lawrence k wrote:
> I'm writing a script that will find every newly updated file in
> /var/www/vhosts/cyber.com/httpdocs/
>
> and then cp the files over to
> /var/www/vhosts/theroad.com/httpdocs/
>
> I used to do this by ssh to the server and typing in the copy command
> manually. But my client would like to be able to control the timing
> of these updates, so I'm trying to make it an easy-to-run script.
>
> Only thing is, when I've done this copy in the past, I've always been
> root, as no other user has the permission to copy from the one
> directory to the other. So I need the script to run as root. Can I use
> exec() to use su to become root? Anyone have a working example of
> that?
Much better to set the proper permissions on the file system. Giving a
script root access is a huge security hole. Unless you are VERY
CAREFUL, some hacker could wipe out your entire server with one command.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
| Toby A Inkster 2008-02-26, 7:06 pm |
| lawrence k wrote:
> Only thing is, when I've done this copy in the past, I've always been
> root, as no other user has the permission to copy from the one directory
> to the other. So I need the script to run as root. Can I use exec() to
> use su to become root? Anyone have a working example of that?
Google: sudo
--
Toby A Inkster BSc (Hons) ARCS
[G of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 28 days, 5 min.]
Bottled Water
http://tobyinkster.co.uk/blog/2008/02/18/bottled-water/
| |
| C. (http://symcbean.blogspot.com/) 2008-02-26, 7:06 pm |
| On 26 Feb, 17:16, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> lawrence k wrote:
>
>
<snip>
>
> Much better to set the proper permissions on the file system. Giving a
> script root access is a huge security hole. Unless you are VERY
> CAREFUL, some hacker could wipe out your entire server with one command.
>
Agreed - if you can't do it as a normal user then you've got your
permissions model in the first place. Fix it.
Also - WTF are you using PHP to do this? Rsync does it without writing
any code?
C.
| |
| Jeremy 2008-02-26, 7:06 pm |
| lawrence k wrote:
> I'm writing a script that will find every newly updated file in
> /var/www/vhosts/cyber.com/httpdocs/
>
> and then cp the files over to
> /var/www/vhosts/theroad.com/httpdocs/
>
> I used to do this by ssh to the server and typing in the copy command
> manually. But my client would like to be able to control the timing
> of these updates, so I'm trying to make it an easy-to-run script.
>
> Only thing is, when I've done this copy in the past, I've always been
> root, as no other user has the permission to copy from the one
> directory to the other. So I need the script to run as root. Can I use
> exec() to use su to become root? Anyone have a working example of
> that?
rsync -auv /var/www/vhosts/cyber.com/httpdocs/* /var/www/vhosts/theroad.com/httpdocs/
Either:
1) Give write access to the user that's doing the update. Add them to
the group and allow group write on those files. Or,
2) Allow the user to run rsync as a user that does have these privileges
(but not root, unless you're sick of having clients). man sudo, man sudoers
Also, stop being root all the time or you're going to get hosed, sooner
or later. Pretty much any time you find yourself thinking "I need the
script to run as root", you're doing it wrong.
Jeremy
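
The two options in the reply above, sketched as an added example that is not part of the original post or thread: a one-time setup that gives a group write access to the target tree, a check that the resulting permissions are what was intended, and the sudoers rule for option 2 as a comment. The group `webdeploy`, the accounts `siteupdate` and `www-data`, and the script path `/usr/local/bin/sync-sites` are assumed names; the site paths are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are the ones in the question;
# group, account and script names below are assumptions.
SRC=/var/www/vhosts/cyber.com/httpdocs
DST=/var/www/vhosts/theroad.com/httpdocs

# One-time setup by an administrator (option 1): hand the target tree to a
# group, allow group write, drop world write, and set setgid on directories
# so files created later inherit the group.
# Usage: grant_group_write "$DST" webdeploy
grant_group_write() {
    tree=$1
    group=$2
    chgrp -R "$group" "$tree" &&
        chmod -R g+rwX,o-w "$tree" &&
        find "$tree" -type d -exec chmod g+s {} +
}

# Check: print every entry that is world-writable or not group-writable.
# Symlinks are skipped because their own mode bits are not meaningful.
# Empty output means the tree matches the intended permission model.
audit_tree() {
    find "$1" ! -type l \( -perm -0002 -o ! -perm -0020 \) -print
}

# The update itself, run by an unprivileged member of the group.
# For option 2, a sudoers rule (edited with visudo) can let the web server
# account run only this script, as the assumed non-root user "siteupdate":
#   www-data ALL=(siteupdate) NOPASSWD: /usr/local/bin/sync-sites ""
# The trailing "" makes sudo refuse any command-line arguments.
sync_sites() {
    rsync -au "$SRC"/ "$DST"/
}
```

Running `audit_tree "$DST"` after each deployment is a cheap way to notice a file left world-writable by a hasty edit.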
| |
| The Natural Philosopher 2008-02-26, 7:06 pm |
| lawrence k wrote:
> I'm writing a script that will find every newly updated file in
> /var/www/vhosts/cyber.com/httpdocs/
>
> and then cp the files over to
> /var/www/vhosts/theroad.com/httpdocs/
>
> I used to do this by ssh to the server and typing in the copy command
> manually. But my client would like to be able to control the timing
> of these updates, so I'm trying to make it an easy-to-run script.
>
> Only thing is, when I've done this copy in the past, I've always been
> root, as no other user has the permission to copy from the one
> directory to the other. So I need the script to run as root. Can I use
> exec() to use su to become root? Anyone have a working example of
> that?
It's been a long time since I did stuff like this..I am going to suggest
a completely different approach.
write a teeny C program that does exactly what you want and no more, and
invoke setuid() within it. I.e., do NOT write a setuid version of
cp...write a setuid program that ONLY works from a specific directory to
another specific directory etc etc.
Then if it has root permissions and IIR the sticky bit set it can be
called by any user process to do its 'one and only dangerous root
permissions' job.
You can do the same with a script, but they are a lot easier to
alter..maliciously.
I prefer the 'Can't touch me. I'm written in C' sort of program..
The MOST dangerous script is the setuid script that someone has left
world writeable after a hasty edit..
However, in your case I would be somewhat tempted to make the target
directory at least WRITEABLE by whatever process your PHP runs under, if
not readable..a simple matter of setting up groups and permissions..and
then giving the user a web page generated via PHP to do the whole shebang
from.
| |
| Toby A Inkster 2008-02-27, 4:35 am |
| The Natural Philosopher wrote:
> write a teeny C program that does exactly what you want and no more, and
> invoke setuid() within it.
>
> You can do the same with a script, but they are a lot easier to
> alter..maliciously.
Actually, no you can't. SetUID only works on binaries -- not scripts. Some
kind of security feature.
--
Toby A Inkster BSc (Hons) ARCS
[G of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 28 days, 15:27.]
Bottled Water
http://tobyinkster.co.uk/blog/2008/02/18/bottled-water/
| |
| Jerry Stuckle 2008-02-27, 8:06 am |
| Toby A Inkster wrote:
> The Natural Philosopher wrote:
>
>
> Actually, no you can't. SetUID only works on binaries -- not scripts. Some
> kind of security feature.
>
Actually, you can change it with posix_setuid(). But the PHP executable
must have the setuid bit set, which then means any script can change to
root (and do anything it wants). Definitely not good.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================