Bash – Linux bash: run script as a non-root user by a non-root user using PHP

bashpermissionsphp-fpm

I have a PHP script owned by "tom" (runs using PHP-FPM). "tom" wants to run the script /srv/helloworld.sh as another user called "jerry". "tom" has the access to run scripts on the server (so he can use ex. system()).

The long and the short, "tom" wants to know how to do this.
"tom" readed some article about this:

sudo su -c /srv/helloworld.sh jerry

But the main problem is that, the script asks for a password and you know, (if I am not mistaken) there is no way to enter password in a web interface.

I am really curious about this topic and I would be pleased if you could help me. Thanks in advance!

Best Answer

man sudoers has all the information you need.

You need the command sudo -u jerry /srv/helloworld.sh and have to change /etc/sudoers so that tom is allowed to execute this without having to enter a passwort. NOPASSWD is your key word.

Related Solutions

Linux – How to run a command multiple times, using bash shell

I don't think a command or shell builtin for this exists, as it's a trivial subset of what the Bourne shell for loop is designed for and implementing a command like this yourself is therefore quite simple.

Per JimB's suggestion, use the Bash builtin for generating sequences:

for i in {1..10}; do command; done

For very old versions of bash, you can use the seq command:

for i in `seq 10`; do command; done

This iterates ten times executing command each time - it can be a pipe or a series of commands separated by ; or &&. You can use the $i variable to know which iteration you're in.

If you consider this one-liner a script and so for some unspecified (but perhaps valid) reason undesireable you can implement it as a command, perhaps something like this on your .bashrc (untested):

#function run
run() {
    number=$1
    shift
    for i in `seq $number`; do
      $@
    done
}

Usage:

run 10 command

Example:

run 5 echo 'Hello World!'

Php – Safest way to run bash script using PHP-FPM

On the specific topic of using exec in php and how to be safe, The only thing you need to take care of is to escape arguments.

i.e. don't do this:

exec('myscript ' . $_POST['arg']);

if it's not obvious - just think about what happens if $_POST['arg'] contains ; rm xyz - or worse, if you are sending the output of that command to the screen and it contains ; more /etc/passwd; more db-config.php etc.

therefore - escape your arguments:

$foo = escapeshellarg($whatever);
exec("myscript $foo");

However, if your bash script requires more privileges than you would ordinarily permit your nginx user to have - You are better of heeding the advice you have found which disassociates the user running your bash script from the nginx user.

Similar to your php daemon suggestion in the question, the php app sends a request for the bash script to run, synchronously or asynchronously, using a job queue system. The job queue just sends the request to your bash script, optionally returning the result. In this way you can start the "create new user" bash script as a user with appropriate permissions, without giving your nginx user any extra privileges and risking these permissions being exploited somewhere else if your php application code. Gearman in particular, is very easy to setup.

Best Answer

Related Solutions

Linux – How to run a command multiple times, using bash shell

Php – Safest way to run bash script using PHP-FPM

Related Topic