使用sudo通过PHP执行shell命令

时间:2021-12-25 01:15:27

So far my search has shown the potential security holes that will be made while trying to perform a sudo'd command from within PHP.

到目前为止,我的搜索已经显示了在尝试从PHP中执行sudo'd命令时将会发生的潜在安全漏洞。

My current problem is that I need to run a bash script as sudo on my work web server via PHP's exec() function. We currently host a little less than 200 websites. The website that will be doing this is restricted to only be accessible from my office's IP address. Will this remove any potential security issues that come with any of the available solutions?

我目前的问题是我需要通过PHP的exec()函数在我的工作Web服务器上运行一个bash脚本作为sudo。我们目前拥有不到200个网站。将要执行此操作的网站仅限于可从我办公室的IP地址访问。这会消除任何可用解决方案带来的任何潜在安全问题吗?

One of the ways is to add the apache user to the sudoers file, I assume this will apply to the entire server so will still pose an issue on all other websites.

其中一种方法是将apache用户添加到sudoers文件中,我认为这将适用于整个服务器,因此仍会在所有其他网站上造成问题。

Is there any solution that will not pose a security threat when used on a website that has access restricted to our office?

是否有任何解决方案在访问仅限于我们办公室的网站上使用时不会构成安全威胁?

Thanks in advance.

提前致谢。

Edit: A brief background

编辑:简要背景

Here's a brief description of exactly what I'm trying to achieve. The company I work for develops websites for tourism related businesses, amongst other things. At the moment when creating a new website I would need to setup a hosting package which includes: creating the directory structure for the new site, creating an apache config file which is included into httpd.conf, adding a new FTP user, creating a new database for use with the website CMS to name a few.

这里简要介绍了我正在努力实现的目标。我工作的公司为旅游相关业务开发网站等。在创建新网站的那一刻,我需要设置一个托管包,其中包括:为新网站创建目录结构,创建一个包含在httpd.conf中的apache配置文件,添加一个新的FTP用户,创建一个新的用于CMS网站的数据库仅举几例。

At the moment I have a bash script on the server which creates the directory structure, adds user, creates apache config file and gracefully restarts apache. That's just one part, what I'm looking to do is use this shell script in a PHP script to automate the entire website generation process in an easy to use way, for other colleagues and just general efficiency.

目前我在服务器上有一个bash脚本,用于创建目录结构,添加用户,创建apache配置文件并优雅地重新启动apache。这只是其中的一部分,我想要做的是在PHP脚本中使用这个shell脚本以一种易于使用的方式自动化整个网站生成过程,对于其他同事和一般效率。

1 个解决方案

#1


1  

You have at least 4 options:

您至少有4个选项:

  1. Add the apache user to the sudoers file (and restrict it to run the one command!)
    • In this case some security hole in your php-apps may run the script too (if they can include the calling php for example - or even bypass the restriction to your ip by using another url that also calls the script, mod_rewrite)
    • 在这种情况下,你的php-apps中的一些安全漏洞也可以运行脚本(例如,如果它们可以包括调用php - 或者甚至通过使用另一个也调用脚本的url绕过对你的ip的限制,mod_rewrite)

  2. 将apache用户添加到sudoers文件中(并限制它运行一个命令!)在这种情况下,php-apps中的一些安全漏洞也可以运行脚本(例如,如果它们可以包含调用php,或者甚至绕过通过使用另一个也调用脚本的url来限制你的ip,mod_rewrite)

  3. Flag the script with the s bit
    • Dangerous, don't do it.
    • 危险,不要这样做。

  4. 用s bit Dangerous标记脚本,不要这样做。

  5. Run another web server that only binds to a local interface and is not accessible from outside
    • This is my prefered solution, since the link calling the php is accessible by links from your main webserver and the security can be handled seperately. You can even create a new user for this server. Some simple server does the job, there are server modules for python and perl for example. It is not even necessary, that you enable exec in your php installation at all!
    • 这是我首选的解决方案,因为调用php的链接可以通过主Web服务器的链接访问,安全性可以单独处理。您甚至可以为此服务器创建新用户。一些简单的服务器完成这项工作,例如有python和perl的服务器模块。甚至没有必要在php安装中启用exec!

  6. 运行另一个仅绑定到本地接口且无法从外部访问的Web服务器这是我首选的解决方案,因为调用php的链接可以通过主Web服务器的链接访问,并且可以单独处理安全性。您甚至可以为此服务器创建新用户。一些简单的服务器完成这项工作,例如有python和perl的服务器模块。甚至没有必要在php安装中启用exec!

  7. Run a daemon (inotify for example, to watch file events) or cronjob that reads some file or db-entry and then runs the command
    • This may be too complex and has the disadvantage, that the daemon can not check which script has generated the entry.
    • 这可能过于复杂并且具有缺点,即守护程序无法检查哪个脚本生成了该条目。

  8. 运行一个守护进程(例如,inotify,以监视文件事件)或cronjob读取某些文件或db-entry然后运行命令这可能太复杂并且有缺点,守护进程无法检查哪个脚本生成了该条目。

#1


1  

You have at least 4 options:

您至少有4个选项:

  1. Add the apache user to the sudoers file (and restrict it to run the one command!)
    • In this case some security hole in your php-apps may run the script too (if they can include the calling php for example - or even bypass the restriction to your ip by using another url that also calls the script, mod_rewrite)
    • 在这种情况下,你的php-apps中的一些安全漏洞也可以运行脚本(例如,如果它们可以包括调用php - 或者甚至通过使用另一个也调用脚本的url绕过对你的ip的限制,mod_rewrite)

  2. 将apache用户添加到sudoers文件中(并限制它运行一个命令!)在这种情况下,php-apps中的一些安全漏洞也可以运行脚本(例如,如果它们可以包含调用php,或者甚至绕过通过使用另一个也调用脚本的url来限制你的ip,mod_rewrite)

  3. Flag the script with the s bit
    • Dangerous, don't do it.
    • 危险,不要这样做。

  4. 用s bit Dangerous标记脚本,不要这样做。

  5. Run another web server that only binds to a local interface and is not accessible from outside
    • This is my prefered solution, since the link calling the php is accessible by links from your main webserver and the security can be handled seperately. You can even create a new user for this server. Some simple server does the job, there are server modules for python and perl for example. It is not even necessary, that you enable exec in your php installation at all!
    • 这是我首选的解决方案,因为调用php的链接可以通过主Web服务器的链接访问,安全性可以单独处理。您甚至可以为此服务器创建新用户。一些简单的服务器完成这项工作,例如有python和perl的服务器模块。甚至没有必要在php安装中启用exec!

  6. 运行另一个仅绑定到本地接口且无法从外部访问的Web服务器这是我首选的解决方案,因为调用php的链接可以通过主Web服务器的链接访问,并且可以单独处理安全性。您甚至可以为此服务器创建新用户。一些简单的服务器完成这项工作,例如有python和perl的服务器模块。甚至没有必要在php安装中启用exec!

  7. Run a daemon (inotify for example, to watch file events) or cronjob that reads some file or db-entry and then runs the command
    • This may be too complex and has the disadvantage, that the daemon can not check which script has generated the entry.
    • 这可能过于复杂并且具有缺点,即守护程序无法检查哪个脚本生成了该条目。

  8. 运行一个守护进程(例如,inotify,以监视文件事件)或cronjob读取某些文件或db-entry然后运行命令这可能太复杂并且有缺点,守护进程无法检查哪个脚本生成了该条目。