0

I have created several websites. Now I need to perform root tasks. I created a webplatform and installed. root owns all scripts in /var/private-www/ and they are chmodded (0777). In /var/private-www/test.php stands: <?php echo exec('whoami'); ?>. My suPHP config is this:

 [global]
;Path to logfile
logfile=/var/log/suphp/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=root

;Path all scripts have to be in
docroot=/var/private-www

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=0

; Minimum GID
min_gid=0


[handlers]
;Handler for php-scripts
application/x-httpd-suphp="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

When I execute test.php in my webbrowser, it says: www-data :(. Not root... Even when I execute it in the command line. Besides, I did a2enmod suphp and apachectl restart, so I was thinking it would work. How can I fix this?

Improve this question
4
  • I assume you know how incredibly dangerous it is to run any web-accessible application as root, and how many times you're about to hear this? Commented Apr 13, 2011 at 21:11
  • Yes, but how is it possible to do stuff like adduser on a webplatform? :( Commented Apr 13, 2011 at 21:13
  • a daemon and a work queue and/or a cron job can easily perform those tasks. Commented Apr 13, 2011 at 21:15
  • 1
    777 allows anyone to modify those scripts. You then run them as root from the webserver. Hello total takeover of your server. Commented Apr 13, 2011 at 21:15

4 Answers 4

Reset to default
1

Take a look at these known web app attacks: OWASP. Running as root and 0777 permissions are both things you should try to avoid.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Short answer: Don't do this.

Any tasks that needs to be run a root, should be done via a cron job.

Why are you trying to it this way, anyway?

Improve this answer

Comments

1

I'm gonna regret saying this, and I don't want to be an enabler, but:

You're probably going to need to recompile. The minimum UID and GID aren't (just) configurable items, there are minimum checks made at compile time as well. There's also no guarantee that there aren't hard-coded checks against running as root.

You really should consider an alternative method of performing your desired tasks that does not involve exposing a web application running as root. A regularly running cron job that checks for uncompleted tasks or a work queue service can easily accomplish these goals. The web-exposed front-end then does not need to run as root.

Improve this answer

Comments

0

This is not the answer you are looking for, but you should consider this a bit:

Although there are cases where you would like to do so, running all your php scripts as root in general is bad practice and you may face a number of obstacles.

One easy way to avoid this is to use sudo. Add your commands to sudoers for www-data and let your scripts execute an external command with sudo.

Even external php scripts can be ran as root via sudo. This way you will achieve privilege separation.

Otherwise you will have to run apache+modphp as root or hack the code of suphp.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.