
I'm trying to run a shell script owned by a non-privileged user from PHP on an Ubuntu server. Issues with permissions make running it with exec() impractical, as it's www-data that's running it. I've googled a bit and found various references to suExec (which seems too much of a hassle to get working for such a small problem), setting the suid bit, and an interesting approach here on Stack Overflow involving a Python server listening for commands sent by PHP.

Anyway, of all of these solutions, I lean towards the one involving setting the suid bit. I tried it and it didn't work: chmod u+s script.sh, and my Apache logs still show permission errors, so I know the script is not running as its owner but as www-data.

What do I have to do to get this working, and is there a simpler solution for this problem?

  • No. Your user (www-data) needs execution rights to run the script. What is the root problem that makes you want to use a shell script, maybe that has a useful answer. Commented Jun 30, 2010 at 12:57
  • Basically I'm trying to create an in-house version of php.opensourcecms.com (demos of open-source CMSs that are automatically reset at some time interval). I've already got cron running as the non-privileged user running the script every 2 hours, but I'd like to add functionality to execute it on demand. I could run it as www-data, but that means I also have to run it from www-data's cron, since the replaced files are owned by www-data. Anyway, I'd like to avoid having www-data owning all the files for security reasons. Commented Jun 30, 2010 at 13:23
  • Deletes the CMS's directory, untar backup, delete / create / import database backup, and that's about it... Commented Jun 30, 2010 at 20:46

1 Answer

Take a look at the man page for sudo: sudo -u your_other_user will let you execute the command as the other user.

Also use man sudoers to look for options on which user can execute what commands with sudo.


3 Comments

Looking into your solution, but so far no luck in getting it to work. I've tried enabling password-less sudo for the specific command that's supposed to run in the sudoers file: www-data ALL=(ALL) NOPASSWD: /user/bin/sudo -u user /path/to/command But if I su www-data and try to run it, it still asks for a password. Same with /user/bin/sudo -u user
sudo: the -U option may only be used with the -l option
Note that it's smallcase -u not -U (see sudo --help)
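
An added example, not part of the original answer or its comments: a sudoers rule for this setup names the target user in the parentheses and lists the script itself as the command, rather than listing sudo -u ... as the command. The sketch below builds and installs such a rule; the helper names and the drop-in file name cms-reset are hypothetical, and user and /path/to/command are the thread's own placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege sudoers rule that lets
# the web server user run ONE script as ONE target user without a password.

# make_rule WEBUSER RUNAS COMMAND -> prints the sudoers line, or returns 1
make_rule() {
    webuser=$1; runas=$2; cmd=$3
    case $cmd in
        /*) ;;   # sudoers needs a fully qualified path to the script
        *)  echo "command must be an absolute path" >&2; return 1 ;;
    esac
    case $cmd in
        *\**|*\?*|*\[*|*' '*)
            echo "no wildcards or spaces in the command" >&2; return 1 ;;
    esac
    case $runas in
        ALL|root) echo "refusing runas '$runas'" >&2; return 1 ;;
    esac
    # (RUNAS) is the user the script runs as; the command is the script, not
    # "sudo -u ...". The trailing "" means no arguments may be passed.
    printf '%s ALL=(%s) NOPASSWD: %s ""\n' "$webuser" "$runas" "$cmd"
}

# install_rule WEBUSER RUNAS COMMAND -> validates, then installs the drop-in.
# Must be run as root. /etc/sudoers.d/cms-reset is a hypothetical file name.
install_rule() {
    tmp=$(mktemp) || return 1
    make_rule "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Syntax-check first: a broken file in sudoers.d can lock sudo out.
    visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/cms-reset
    rm -f "$tmp"
}

# Usage (as root):   install_rule www-data user /path/to/command
# PHP then calls:    exec('sudo -n -u user /path/to/command');
# -n makes sudo fail instead of prompting if the rule does not match.
```

The script and every directory above it must not be writable by www-data; otherwise the rule lets the web server run arbitrary code as the target user.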
