1

I'm looking for some advice..

I've managed to get a php script to call another page which in turn runs system commands as root.

This is what I've done, I'd like to see if I can secure it.

In /etc/sudoers.d I've added a file which contains a list of files the wwwrun user can run as root without needing a password. It contains entries similar to:

wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/filea
wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/fileb
wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/filec

My main web site has a test.php page; permissions on this are 777 & wwwrun:root.

Within test.php I have some jQuery, which is using ajax to call action.php&action=aaa

In action.php I have:

// Each allowed action value maps to one fixed helper script.
if ($_REQUEST['action'] == 'aaa') {
  exec('/Web/scripts/helper/filea', $res);
}

if ($_REQUEST['action'] == 'bbb') {
  exec('/Web/scripts/helper/fileb', $res);
}

if ($_REQUEST['action'] == 'ccc') {
  exec('/Web/scripts/helper/filec', $res);
}

filea contains a couple of bash commands. This file has 655 & root:root permissions.

The commands in filea, fileb and filec are fixed and if a variable is passed it's only to tell it to run another fixed command within the file.

How can I make this more secure? Obviously not having root access would be best, but I need to run some commands for moving, editing, updating, installing files etc.

UPDATE

Just to confirm this is working. I'd like to make it a little more secure.

I have tried changing the ownership to wwwrun:root and permissions to 744

This has made it so only root can edit the files, I assume that is a good idea..

Thanks

0

2 Answers

2

A few suggestions on securing the application, sorted by impact:

  1. Try to re-design the system so that the root privileges are not required. You pointed this one out; if you can provide more details on the application functionality, we could explore it. This is probably the best investment of your time to secure the application.

  2. Protect the scripts against modification by non-root users. If wwwroot can modify the script contents they can run any command as root:

    • Ensure that the files are owned by root and a group that wwwdata belongs to and that no-one but root can modify them. You may restrict wwwrun permissions to execute-only and do away with the other permissions, otherwise an attacker can just overwrite the file content and execute arbitrary commands:

      wwwrun$ cp evil /Web/scripts/helper/filea && sudo /Web/scripts/helper/filea

    • Ensure that all paths up to and including the script are owned by root and that only root can modify them. Otherwise an attacker could just move directories around to execute arbitrary commands:

      wwwrun$ rm -rf /Web/scripts && mkdir -p /Web/scripts/helper

      wwwrun$ cp evil /Web/scripts/helper/filea && sudo /Web/scripts/helper/filea

    • Do that for all the commands you run from within your scripts

  3. Make sure that all referenced commands and files use absolute paths

  4. Review the security of the scripts you are executing: they run as root, and if they are not designed to run as root (temporary files, insecure dependencies, etc.) an attacker will exploit them

  5. Modify the sudoers file to ensure commands can't be run with arguments, by using the "" syntax, e.g.:

    wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/filea ""

  6. Check for race conditions, e.g. an attacker can execute more than one command at the same time; check if this concurrency can introduce vulnerabilities. If needed, ensure scripts do not run concurrently by using a locking mechanism
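
A defensive check for points 2 and 3 of the answer above, as an added example that is not part of the original answer: it walks from each helper listed in sudoers up to / and reports any component that is not owned by root, is group- or other-writable, or is a symlink. TRUSTED_UID and STOP_AT are names invented for this sketch, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit each sudo-allowed helper and every directory above it.
# TRUSTED_UID and STOP_AT are knobs invented for this sketch, not sudo settings.
TRUSTED_UID="${TRUSTED_UID:-0}"   # uid that must own every component (root)
STOP_AT="${STOP_AT:-/}"           # top of the walk; leave as / in real use

# Report problems with one file or directory, one finding per line.
check_component() (
    p=$1
    if [ -L "$p" ]; then
        echo "SYMLINK $p (audit the link target as well)"
        return 0
    fi
    info=$(stat -c '%u %a' "$p" 2>/dev/null) || { echo "MISSING $p"; return 0; }
    owner=${info% *}
    mode=${info#* }
    [ "$owner" = "$TRUSTED_UID" ] || echo "OWNER $p uid=$owner"
    # Octal mask 022 = group-writable or other-writable.
    [ $(( 0$mode & 022 )) -eq 0 ] || echo "WRITABLE $p mode=$mode"
)

# Walk from the helper up to STOP_AT. Returns 0 if clean, 1 on findings,
# 2 if the path is not absolute (a relative path depends on the caller's cwd).
audit_path() (
    case $1 in /*) p=$1 ;; *) echo "not absolute: $1" >&2; return 2 ;; esac
    findings=$(
        while :; do
            check_component "$p"
            if [ "$p" = "$STOP_AT" ] || [ "$p" = / ]; then break; fi
            p=$(dirname "$p")
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
)

# Usage: sh audit.sh /Web/scripts/helper/filea /Web/scripts/helper/fileb ...
rc=0
for helper in "$@"; do
    audit_path "$helper" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

Run it as root after every deployment; any output means a non-root account may be able to replace what sudo executes.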


0

Try giving root privileges to www-data too! www-data is required to have the right to read. You can also try changing the files' owner and group to www-data.

3 Comments

If I give www-data root privileges, does that not allow any script run to have root privileges?
I see your problem. So set the folder's owner recursively to www-data and leave www-data in its own group where it was before.
Sorry - this IS working as I wrote above. I'm now trying to make it more secure.
