PHP – Security implications of adding www-data to /etc/sudoers to run php-cgi as a different user

Tags: fastcgi, lighttpd, PHP, Security, sudo

What I really want to do is allow the 'www-data' user to have the ability to launch php-cgi as another user. I just want to make sure that I fully understand the security implications.

The server should support a shared hosting environment where various (possibly untrusted) users have chroot'ed FTP access to the server to store their HTML and PHP files. Then, since PHP scripts can be malicious and read/write others' files, I'd like to ensure that each user's PHP scripts run with that user's own permissions (instead of running as www-data).

Long story short, I have added the following line to my /etc/sudoers file, and I wanted to run it past the community as a sanity check:

www-data ALL = (%www-data) NOPASSWD: /usr/bin/php-cgi

This line should only allow www-data to run a command like this (without a password prompt):

sudo -u some_user /usr/bin/php-cgi

…where some_user is a user in the group www-data. What are the security implications of this?

This should then allow me to modify my Lighttpd configuration like this:

fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "sudo -u some_user /usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1,
        "bin-environment" => (
            "PHP_FCGI_CHILDREN" => "4",
            "PHP_FCGI_MAX_REQUESTS" => "10000"
        ),
        "bin-copy-environment" => (
            "PATH", "SHELL", "USER"
        ),
        "broken-scriptfilename" => "enable"
    ))
)

…allowing me to spawn new FastCGI server instances for each user.
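One implication of the rule as written is easy to miss: a sudoers command with no argument list may be run with any arguments, so this rule lets www-data run `sudo -u alice /usr/bin/php-cgi /tmp/anything.php` for every alice in group www-data, not just start the FastCGI server. Appending `""` restricts the command to no arguments, which is all the lighttpd spawn needs; note that www-data still chooses which group member to run as, so a compromise of the lighttpd process is a compromise of every hosted account, and that part cannot be fixed in sudoers. A second gotcha is sudo's default `env_reset`, which strips the PHP_FCGI_* variables lighttpd sets in `bin-environment` unless they are explicitly kept. The script below is an added example, not code from the question: it renders a tightened rule, checks any one-line rule for the bare-command pitfall, and installs the rule as a drop-in only when run as root. The drop-in path `/etc/sudoers.d/php-cgi` and the hosted-account names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): tighten the php-cgi sudoers rule
# discussed above and lint rules for the "bare command = any arguments" pitfall.
# Assumptions: the web server runs as www-data, every hosted account is a
# member of group www-data, and /etc/sudoers.d/ is included from /etc/sudoers.
set -eu

# Trailing "" = the command may be run with no arguments at all (lighttpd hands
# the listening socket over on fd 0, so php-cgi needs none). The Defaults! line
# keeps exactly the two variables lighttpd passes via bin-environment, which
# sudo's env_reset would otherwise drop.
render_php_cgi_rule() {
    cat <<'EOF'
Defaults!/usr/bin/php-cgi env_keep += "PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS"
www-data ALL = (%www-data) NOPASSWD: /usr/bin/php-cgi ""
EOF
}

# args_restricted RULE: exit 0 if every command in a one-line rule
# ("user host = (runas) TAG: cmd [args], ...") carries an explicit argument
# spec ("" or literal arguments), exit 1 if any command is bare.
args_restricted() {
    spec=${1#*=}                                        # drop "user host ="
    spec=${spec#*\)}                                    # drop "(runas)" if present
    spec=$(printf '%s' "$spec" | sed 's/[A-Z]*: *//g')  # drop NOPASSWD: etc.
    saved_ifs=$IFS
    IFS=','
    for cmd in $spec; do
        IFS=' '
        set -- $cmd                                     # $1 = path, $2.. = argument spec
        if [ "$#" -lt 2 ]; then
            IFS=$saved_ifs
            return 1
        fi
        IFS=','
    done
    IFS=$saved_ifs
    return 0
}

# install_php_cgi_rule: write the rule as a sudoers drop-in, but only after
# visudo accepts it. Must run as root (visudo -c also checks owner and mode).
install_php_cgi_rule() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    render_php_cgi_rule > "$tmp"
    chmod 0440 "$tmp"
    visudo -c -f "$tmp"
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/php-cgi
}

# Top level: print the rule; touch the system only with --install as root.
render_php_cgi_rule
if [ "${1:-}" = "--install" ] && [ "$(id -u)" -eq 0 ]; then
    install_php_cgi_rule
fi
```

Running the original line through `args_restricted` reports it as unrestricted, the rendered one passes. The linter only understands the one-line form used in the question; `sudo -l -U www-data` remains the authoritative check of what the live policy grants.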

Best Answer

I recommend using php-fpm instead (managing all users with one server, but usually not secure if you are using an opcode cache), or spawning the backends with runit and spawn-fcgi.

Then remove the spawn options from the lighttpd config (bin-path, max-procs, bin-environment, bin-copy-environment).
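What the answer's second option looks like in practice, as an added example that is not the answerer's code: runit starts a `run` script as root, spawn-fcgi creates the socket owned by www-data and drops to the hosted user before exec'ing php-cgi, and lighttpd only connects to the socket, so neither sudo nor the spawn options are needed. The equivalent php-fpm pool (the answer's first option) is rendered as well; there one master process runs each user's workers under that user, which is the shared-process trade-off the answer alludes to. The layout is assumed, not taken from the thread: accounts live under /home/<user>, belong to group www-data, are served as <user>.example, and sockets go in /var/run/php-fcgi.

```shell
#!/bin/sh
# Added example (not the answerer's code): one privilege-dropping PHP backend
# per hosted user via runit + spawn-fcgi, with the matching lighttpd fragment
# and the php-fpm equivalent. Assumed layout: /home/<user>, group www-data,
# vhost <user>.example, sockets under /var/run/php-fcgi.
set -eu

SOCK_DIR=/var/run/php-fcgi   # assumed, root-owned socket directory

# runit "run" script: runs as root, spawn-fcgi makes the socket as www-data so
# lighttpd can connect, then switches to the hosted user and execs php-cgi.
# -n keeps spawn-fcgi in the foreground, which runit requires.
render_runit_run() {
    user=$1
    cat <<EOF
#!/bin/sh
exec 2>&1
export PHP_FCGI_MAX_REQUESTS=10000
exec spawn-fcgi -n \\
    -s $SOCK_DIR/$user.sock -M 0660 -U www-data -G www-data \\
    -u $user -g www-data -d /home/$user \\
    -C 4 \\
    -- /usr/bin/php-cgi
EOF
}

# lighttpd keeps only the socket: no bin-path, max-procs, bin-environment or
# bin-copy-environment, exactly as the answer says.
render_lighttpd_fragment() {
    user=$1
    cat <<EOF
\$HTTP["host"] == "$user.example" {
    server.document-root = "/home/$user/public_html"
    fastcgi.server += ( ".php" =>
        ((
            "socket" => "$SOCK_DIR/$user.sock",
            "broken-scriptfilename" => "enable"
        ))
    )
}
EOF
}

# php-fpm pool with the same effect: one pool per user, workers run as that
# user, socket owned by www-data so the web server can reach it.
render_fpm_pool() {
    user=$1
    cat <<EOF
[$user]
user = $user
group = www-data
listen = $SOCK_DIR/$user.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = static
pm.max_children = 4
pm.max_requests = 10000
EOF
}

# install_backend USER: lay down the runit service and enable it. Root only.
install_backend() {
    user=$1
    mkdir -p "$SOCK_DIR" "/etc/sv/php-$user"
    render_runit_run "$user" > "/etc/sv/php-$user/run"
    chmod 0755 "/etc/sv/php-$user/run"
    ln -sfn "/etc/sv/php-$user" "/etc/service/php-$user"   # runsvdir picks it up
}

# Usage: sh backends.sh alice bob   (prints the fragments; installs when root)
for u in "$@"; do
    render_runit_run "$u"
    render_lighttpd_fragment "$u"
    render_fpm_pool "$u"
    if [ "$(id -u)" -eq 0 ]; then
        install_backend "$u"
    fi
done
```

The printed lighttpd block goes into the per-vhost section of lighttpd.conf (mod_fastcgi must be loaded), and the pool goes into php-fpm's pool directory if that route is chosen instead. Because spawn-fcgi needs root to switch user, the service must be started by runit (or another root supervisor), never by the web server.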
