I have a line in sudoers which gives Apache sudo access to run *a single script* in a specific location, outside the htdocs tree:
apache ALL=(ALL) NOPASSWD: /usr/bin/php -f /path/sudo_app.php
Thus the apache user can run this single command.
Because I can't seem to pass command-line arguments ($argv) to this sudo_app, I write a tiny tmp file. In htdocs, I have a small php script: 'app.php':
<?php file_put_contents('/tmp/vars.txt',"$_GET[a]\n$_GET[b]"); `sudo /usr/bin/php -f /path/sudo_app.php` ?>
($_GET[a] represents an argument passed through the URL like this: http://localhost/app.php?a=1&b=2)
Inside sudo_app.php, I open /tmp/vars.txt, read the two variables, and pass them with full root access to the rest of the script, which accesses /dev/ttyS0. Then the script deletes the /tmp files.
It works, but it seems more complicated than it should be, involving two scripts, a tmp file, and a line in /etc/sudoers, in order to run a single command.
Does anyone have another idea for giving an apache module the ability to have root access to /dev/ttyS0, without compromising the box?
-Jared
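The design above puts untrusted web input into a shared /tmp file that a root process then reads. Two things a reviewer would want changed: the values should travel as arguments rather than through a file any local user can tamper with, and the privileged side must validate them itself, because the sudoers rule is the only trust boundary between the web server and root. The following is an added example, not code from the thread: a rewritten privileged helper for /path/sudo_app.php. It assumes a current PHP CLI, a sudoers entry ending in `*` so sudo passes arguments through (shown in the comments), a caller that uses `escapeshellarg()`, and a made-up device protocol (`SET aaa bbb`) standing in for whatever the real script sends to /dev/ttyS0.

```php
<?php
// Added example (not from the thread): a privileged helper, /path/sudo_app.php,
// that receives its two values as command-line arguments instead of a
// world-writable /tmp file, and validates them before touching the device.
//
// Assumed sudoers entry. The trailing '*' lets sudo pass arguments through, but
// '*' also matches whitespace, so it admits ANY arguments; the validation in
// this script is the real control, not the sudoers line:
//   apache ALL=(ALL) NOPASSWD: /usr/bin/php -f /path/sudo_app.php *
//
// Assumed unprivileged caller in htdocs (app.php); escapeshellarg() keeps the
// shell from ever seeing unescaped user input:
//   $a = $_GET['a'] ?? ''; $b = $_GET['b'] ?? '';
//   exec('sudo /usr/bin/php -f /path/sudo_app.php '
//        . escapeshellarg($a) . ' ' . escapeshellarg($b), $out, $rc);

declare(strict_types=1);

const SERIAL_DEVICE = '/dev/ttyS0';  // the device from the original post
const MAX_VALUE     = 255;           // hypothetical limit of the device protocol

/**
 * Accept exactly two arguments, each a short decimal integer within range.
 * Returns [int, int] on success, or null on any irregularity (fail closed).
 */
function validate_args(array $argv): ?array
{
    if (count($argv) !== 3) {        // $argv[0] is the script path
        return null;
    }
    $values = [];
    foreach ([$argv[1], $argv[2]] as $raw) {
        // Strict allowlist: 1-3 ASCII digits, nothing else (no signs, spaces,
        // or shell metacharacters, even though sudo already passed them).
        if (!is_string($raw) || !preg_match('/\A[0-9]{1,3}\z/', $raw)) {
            return null;
        }
        $n = (int) $raw;
        if ($n > MAX_VALUE) {
            return null;
        }
        $values[] = $n;
    }
    return $values;
}

/**
 * Build the single fixed-format command this helper is allowed to send.
 * Only validated integers reach this point, so the output is fully constrained.
 */
function build_serial_command(int $a, int $b): string
{
    return sprintf("SET %03d %03d\r\n", $a, $b);  // hypothetical device protocol
}

/**
 * Open the serial device and write one command; true on success.
 * This is the only step that needs root, so it is all the helper does.
 */
function send_to_device(string $command, string $device = SERIAL_DEVICE): bool
{
    $fh = @fopen($device, 'w');
    if ($fh === false) {
        return false;
    }
    $written = fwrite($fh, $command);
    fclose($fh);
    return $written === strlen($command);
}

// Entry point: reject bad input before any privileged action, and tell the
// (untrusted) caller nothing beyond an exit status.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === realpath(__FILE__)) {
    $args = validate_args($argv);
    if ($args === null) {
        fwrite(STDERR, "invalid arguments\n");
        exit(2);
    }
    [$a, $b] = $args;
    exit(send_to_device(build_serial_command($a, $b)) ? 0 : 1);
}
```

With this layout there is no /tmp file to race or symlink, the unprivileged app.php holds no logic worth attacking, and the code that runs as root is a few dozen lines whose only possible effect is one fixed-format write to the device, which is the property the later reply in this thread asks for.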
On Tue, Mar 20, 2007 at 12:49:39PM -0600, Jared wrote:
Kclug mailing list [email protected] http://kclug.org/mailman/listinfo/kclug
Have you looked at apache suEXEC support? More info at:
http://httpd.apache.org/docs/1.3/suexec.html
Not sure if this is what you want, but using /etc/sudoers strikes me as odd. :)
On Tuesday 20 March 2007 13:12, Kyle Sexton wrote:
Have you looked at apache suEXEC support? More info at:
suEXEC has the same problems as suid. In particular, all the code runs with elevated privileges, not just the few bits that need it.
Not sure if this is what you want, but using /etc/sudoers strikes me as odd. :)
sudo is (AFAIK) the only way to allow only a single command.
I wrote a sudo PHP library myself that uses HTTP authentication to execute specific commands, that I intend to develop into a nice general web interface someday.
Note that changing ownership/permissions on ttyS0 itself will allow Apache to do anything it wants with it. This is unsuitable if you only want to allow a single operation (e.g., if it's a serial console).