Using sudo from a PHP Script

Paul M. Lambert plambert at plambert.net
Sat Apr 19 16:20:44 EDT 2003


On Sat, 19 Apr 2003, Ryan wrote:

> I'm new to using sudo and I had a question about its
> capabilities/features. I'd like to run some administrative scripts that
> I've created from a PHP script running on my web server. Unfortunately,
> these scripts need to run as root to do a few various things. sudo was
> recommended to me as the best way to switch users to run a program. To
> make things easier on the programming side of things (and for better
> security), is there a way to force sudo to ask for the password every time
> (i.e. disable the timestamps)? Also, is there a way to get sudo to accept
> the password on a given file descriptor so it doesn't mess up data I may
> be passing on STDIN (sort of like GnuPG)?
> 
> If I can get all this to work, what would be the best way to sudo to root
> without using the password for the user running the web server or for the
> root user? I'd like to maybe put some kind of arbitrary password on these
> scripts so that if someone does steal this "admin" password, they won't
> have my root password.
> 
> Any suggestions would be very much appreciated. Thanks in advance!
> 
> Ryan
> ryan at vbnet.net

Think carefully about the route you have chosen.

If the web server user _has_ the password to give to sudo, it must be stored
somewhere.  In which case, anyone with access to the web server user has
access to the password.

Many tasks which seem to require root can be redesigned so that root
privileges are not required.  Investigate all your options, because opening
a "hole" like this demands a lot of safeguards if you want to prevent
unauthorized users from increasing their privileges.

If you are certain you need to run something as root, here are some things
to keep in mind:

1) anyone abusing this will find a password stored in a script.  I recommend
not pretending that giving the password to sudo from a script is any better
than having sudo not require a password, and save yourself the programming
time.  This will help you to operate from the mindset of "oh, _anyone_ running
as the web user has sudo access" since that's essentially true.

2) only give sudo access to wrapper scripts of your own design.  Specifically,
have them check every argument exhaustively.  I recommend using perl or
python or some language other than a shell, to avoid the difficult quoting
issues that shell scripts can sometimes have, and which are hard to debug.
C can be a great option, if you're careful to avoid buffer overruns and
all the other common pitfalls in writing secure code.

3) make sure your scripts examine the environment.  If they're being run
by the web user, but the web server's environment variables aren't set,
then something fishy is going on, right?

4) if the sudo command is in a php script at /a/path/to/a/file.php and
the script it runs checks its current working directory and it's /tmp
or anything other than the expected value, something fishy is going on,
right?

5) look for arguments that are fishy.  Anything with embedded shell escape
characters is a sign someone's poking for holes... however, be careful
taking action as a result.  Reporting such a probe is fine, but be aware
of the possibility of thousands of probes hitting in a short period of
time (i.e. don't send a long email to a mailbox with a small quota), and
if you take drastic actions like adding the originating IP to a ban list,
consider if this can be used against an innocent person...

6) good luck!

--plambert
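An added example of the kind of wrapper points 2 through 5 describe, written here for illustration and not taken from the post or from sudo itself. It is the only program sudoers would allow the web user to run; it refuses anything but a known action with one tightly matched argument, checks that the working directory and the web server's environment look the way the PHP caller would set them, and only logs a refused request rather than banning or mailing per probe. The directory `/var/www/app`, the variable names `SERVER_SOFTWARE` and `GATEWAY_INTERFACE`, the action names and the `/usr/local/sbin/add-vhost` helper are all assumptions; in particular, a modern sudo resets the environment by default, so those variables reach the wrapper only if sudoers lists them in `env_keep`.

```python
#!/usr/bin/env python3
"""Hypothetical privileged wrapper: the single command sudoers lets the web
user run.  Added example, not code from the mailing list post; every path,
environment variable name and action name below is an assumption."""
import logging
import os
import subprocess
import sys

log = logging.getLogger("adminwrap")

# Directory the PHP caller is expected to chdir() into before invoking sudo (assumed).
EXPECTED_CWD = "/var/www/app"
# Variables the web server sets for its children (assumed names).  sudo's
# env_reset strips them unless sudoers passes them through with env_keep.
REQUIRED_ENV = ("SERVER_SOFTWARE", "GATEWAY_INTERFACE")
# Characters that mean something to a shell or mark a control-character probe.
SUSPICIOUS_CHARS = frozenset(";&|`$<>\\\"'(){}[]*?~ \t\n\r")

import re
# Each action takes exactly one argument and the whole argument must match.
ACTIONS = {
    "restart-service": re.compile(r"[a-z][a-z0-9-]{1,31}"),
    "add-vhost": re.compile(r"[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?"),
}


class Rejected(Exception):
    """Raised for any request the wrapper refuses to act on."""


def looks_like_probe(value):
    """True if the argument carries shell metacharacters or control bytes."""
    return any(c in SUSPICIOUS_CHARS or ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def check_arguments(argv):
    """argv is the argument list without the program name; returns (action, arg)."""
    if len(argv) != 2:
        raise Rejected("expected exactly 2 arguments, got %d" % len(argv))
    action, arg = argv
    if action not in ACTIONS:
        raise Rejected("unknown action %r" % action)
    if looks_like_probe(arg):
        raise Rejected("argument contains shell/control characters: probable probe")
    if not ACTIONS[action].fullmatch(arg):
        raise Rejected("argument %r is not valid for %s" % (arg, action))
    return action, arg


def check_cwd(cwd):
    """Point 4: a caller sitting in /tmp or anywhere unexpected is refused."""
    if cwd != EXPECTED_CWD:
        raise Rejected("unexpected working directory %r" % cwd)


def check_environment(env):
    """Point 3: the web server's variables must be present."""
    missing = [name for name in REQUIRED_ENV if name not in env]
    if missing:
        raise Rejected("web-server environment not present, missing: " + ", ".join(missing))


def validate(argv, cwd, env):
    """Run every check; returns (action, arg) or raises Rejected."""
    check_cwd(cwd)
    check_environment(env)
    return check_arguments(argv)


def is_accepted(argv, cwd, env):
    """Convenience wrapper that reports accept/refuse as a bool."""
    try:
        validate(argv, cwd, env)
        return True
    except Rejected:
        return False


def command_for(action, arg):
    """Map a validated request onto a fixed argv list; nothing goes through a shell."""
    if action == "restart-service":
        return ["/bin/systemctl", "restart", arg + ".service"]
    if action == "add-vhost":
        return ["/usr/local/sbin/add-vhost", "--", arg]  # hypothetical helper
    raise Rejected("no command for %r" % action)


def main(argv=None):
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
    try:
        action, arg = validate(sys.argv[1:] if argv is None else argv, os.getcwd(), os.environ)
    except Rejected as exc:
        # Point 5: record the refusal and stop.  No email per event, no ban list.
        log.warning("refused request from uid %d: %s", os.getuid(), exc)
        return 2
    return subprocess.run(command_for(action, arg), check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Because argv is validated against a per-action pattern and then handed to `subprocess.run` as a list, a request such as `restart-service 'httpd; rm -rf /'` never reaches a shell at all; the wrapper refuses it before `command_for` is called and writes one log line.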
