Apache 2.2 – How to Run a Script as Root

apache-2.2incrondrootservicesudo

I would like to update my hosts file and restart dnsmasq from a web interface (php/apache2). I tried playing around with suid bits (the demonstaration). I have both apache and dnsmasq running on an EC2 instance.

I understand that Linux ignores the setuid bit on text scripts, but works on binary files. (Have I got something wrong?). I added exec("whoami"); to the example C program in Wikipedia. Although the effective UID of the C program is 0, whoami does not return root 🙁

I would thoroughly like to avoid

echo password | sudo service dnsmasq restart

or adding apache to the sudoers without password! Is there a way out? How does webmin do such things?

Best Answer

I would take another approach and configure either an incron script which runs as as root, which monitors some file for changes and responds by applying your changes to the /etc/hosts file.

With the incron approach, you set an inotify entry to watch some file for changes, and respond by running a script;

/var/www/hosts IN_CLOSE_WRITE /run/this/as/root

So apache has permissions to write to /var/www/hosts using php or whatever and the /run/this/as/root script runs as root to apply the changes to the /etc/hosts file

Related Solutions

Ubuntu: let a user run a script with root permissions

If this was a normal binary, you could setuid by running

# chmod u+s /path/to/binary

Unfortunately, scripts can't be setuid. (Well you can, but it's ignored). The reason for this is that the first line of the script tells the OS what interpreter to run the script under. For example if you had a script with:

#!/bin/bash

You'd actually end up running

/bin/bash /path/to/script

Obviously, you'd need the interpreter to be setuid, which would then mean all scripts would be setuid. This would be bad.

You can do this with sudo by putting the following in your /etc/sudoers file by running visudo.

ALL ALL=NOPASSWD: /path/to/script

And now any user can run

$ sudo /path/to/script

This allows them to run the script without typing in their password.

There is an alternative that doesn't require sudo in the command, which requires creating a small setuided binary that execs your script, but every additional setuid binary adds another potential security problem.

Php – Why won’t an alarm handler fire in a process run from a php process

Mod_php probably blocks this (using sigprocmask() I presume, masks are maintained through fork() and execve()) in order to prevent signals from mangling Apache (since mod_php runs PHP in apache's process).

If it's due to sigprocmask(), then I think you should be able to use perl's POSIX module to undo it in the exec()'d script, but I'm not exactly sure how it works. The Perl Cookbook has an example of blocking then unblocking SIGINT. I think it should be something like

use POSIX qw(:signal_h);
$sigset=POSIX::SigSet->new(SIGALRM);
sigprocmask(SIG_UNBLOCK,$sigset);

If that doesn't work, then maybe try installing php5-cgi, setting it up as a Handler in Apache for a different extension (say, .phpc) then renaming the script to ping.phpc and updating the links. Since CGI executes in its own process, the CGI version of PHP may not lock down the signals.

Best Answer

Related Solutions

Ubuntu: let a user run a script with root permissions

Php – Why won’t an alarm handler fire in a process run from a php process

Related Topic