I have a line in sudoers which gives Apache sudo access to run *a single script* in a specific location, outside the htdocs tree:
apache ALL=(ALL) NOPASSWD: /usr/bin/php -f /path/sudo_app.php
Thus the apache user can run this single command.
Because I can't seem to pass command-line arguments ($argv) to this sudo_app, I write a tiny tmp file. In htdocs, I have a small PHP script, 'app.php':
<?php file_put_contents('/tmp/vars.txt',"$_GET[a]\n$_GET[b]"); `sudo /usr/bin/php -f /path/sudo_app.php` ?>
($_GET[a] represents an argument passed through the URL like this: http://localhost/app.php?a=1&b=2)
Inside sudo_app.php, I open /tmp/vars.txt, read the two variables, and pass them with full root access to the rest of the script, which accesses /dev/ttyS0. Then the script deletes the /tmp files.
It works, but it seems more complicated than it should be, involving two scripts, a tmp file, and a line in /etc/sudoers, in order to run a single command.
Does anyone have another idea for giving an apache module the ability to have root access to /dev/ttyS0, without compromising the box?
-Jared
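The privileged half of the design described in the post, written out as an added example (this is not Jared's code, and the post does not show what sudo_app.php actually does). It keeps the same hand-off file, /tmp/vars.txt, and the same sudoers rule, but treats the file as untrusted input once the script is running as root: it refuses a symlink or a file owned by anyone other than the web server user, re-checks the opened file against the lstat result so the two cannot differ, bounds the size, and matches both values against a strict allowlist before anything touches /dev/ttyS0. The user name 'apache', the 256-byte limit, the token pattern and the line written to the serial port are all assumptions made for the example.

```php
<?php
// Added example, not code from the original post: /path/sudo_app.php, run as
// root by the sudoers rule "apache ALL=(ALL) NOPASSWD: /usr/bin/php -f /path/sudo_app.php".
// Assumptions: the web server runs as user 'apache' (Debian uses 'www-data'),
// the hand-off file is /tmp/vars.txt as in the post, and the two values are
// short tokens; the serial wire format below is a placeholder.
declare(strict_types=1);

const VARS_FILE  = '/tmp/vars.txt';
const SERIAL_DEV = '/dev/ttyS0';
const WEB_USER   = 'apache';
const MAX_BYTES  = 256;
// Allowlist for each value: adjust to what the serial protocol really needs.
const TOKEN_RE   = '/\A[A-Za-z0-9_.-]{1,64}\z/';

function fail(string $msg): void
{
    fwrite(STDERR, "sudo_app: $msg\n");
    exit(1);
}

// Read the hand-off file without trusting it: it must be a regular file (not a
// symlink) owned by the web user, and the file we open must be the same inode
// that lstat() saw, so a swap between the two calls is detected.
function read_vars(string $path): array
{
    $ls = @lstat($path);
    if ($ls === false) {
        fail("$path missing");
    }
    if (($ls['mode'] & 0170000) !== 0100000) {
        fail("$path is not a regular file");
    }
    $pw = posix_getpwnam(WEB_USER);
    if ($pw === false || $ls['uid'] !== $pw['uid']) {
        fail("$path is not owned by " . WEB_USER);
    }
    if ($ls['size'] > MAX_BYTES) {
        fail("$path is larger than " . MAX_BYTES . " bytes");
    }

    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        fail("cannot open $path");
    }
    $fs = fstat($fh);
    if ($fs['dev'] !== $ls['dev'] || $fs['ino'] !== $ls['ino']) {
        fail("$path changed between check and open");
    }
    $raw = stream_get_contents($fh, MAX_BYTES + 1);
    fclose($fh);
    if ($raw === false || strlen($raw) > MAX_BYTES) {
        fail("$path unreadable or too large");
    }

    $lines = explode("\n", $raw);
    if (count($lines) !== 2) {
        fail('expected exactly two lines');
    }
    foreach ($lines as $v) {
        if (!preg_match(TOKEN_RE, $v)) {
            fail('value failed allowlist check');
        }
    }
    return [$lines[0], $lines[1]];
}

// The only part that needs root: open the serial device, send the two values,
// and return the first reply line (or '' on timeout).
function talk_to_serial(string $a, string $b): string
{
    $fh = @fopen(SERIAL_DEV, 'r+');
    if ($fh === false) {
        fail('cannot open ' . SERIAL_DEV);
    }
    stream_set_timeout($fh, 2);
    fwrite($fh, "$a $b\r\n");   // placeholder wire format
    fflush($fh);
    $reply = fgets($fh);
    fclose($fh);
    return $reply === false ? '' : rtrim($reply, "\r\n");
}

[$a, $b] = read_vars(VARS_FILE);
// Remove the hand-off file before doing the work so a failed run or a retry
// can never act on stale values.
unlink(VARS_FILE);
echo talk_to_serial($a, $b), "\n";
```

With this in place, app.php can stay as posted; the only change worth making on the web side is to call `sudo -n` so that a missing or mistyped sudoers entry fails immediately instead of leaving a PHP process waiting for a password prompt.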