Running exec as a different user

Time: 2021-06-29 15:39:10

Is it possible to run exec() as a different user (on my box it runs as www-data)? I wish to execute a script that needs access to files that are not owned by www-data.


4 solutions

#1


4  

I had a similar requirement some years ago that required a few PHP scripts to talk to a serial port. The first serial port is typically /dev/ttyS0, owned by root and in the group dialout.


For my initial setup, I added my apache user to the group dialout. The PHP scripts were able to directly talk to the serial port with no problem. However, only one instance of a script could open the serial port at any one time, so this solution could not work.


I then created a daemon that provided a layer between the serial port and the PHP scripts. The PHP scripts would talk to the daemon via a named pipe, and the daemon would then format the requests and pass it onto the serial port - doing a bit of caching along the way.


So, either add www-data, or whatever your apache user is, to the group that owns those files, giving group execution permissions, or use a proxy like I had. If security concerns you, then I'd go with the latter.

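The proxy design this answer describes, written out as an added example (Python, not the answerer's daemon): a small broker that would run as the owner of the protected files, a named pipe for requests, a second one for replies, and, the part that makes the proxy safer than simply adding www-data to the file group, a narrow request format with a verb allow-list and a realpath containment check. The request grammar (`READ <relative path>`), the single allowed directory and the FIFO paths are assumptions for the example.

```python
"""Privilege-separated broker: the web process (www-data) never touches the
protected files itself.  It writes a one-line request into a named pipe and a
daemon running as the file owner answers on a second pipe after validating it.

Added example, not the answer author's daemon.  Assumptions: requests are
lines of the form "READ <relative path>", only files under one allowed
directory may be served, and the two FIFO paths are fixed per deployment.
"""
import os
import tempfile
import threading

MAX_REPLY_BYTES = 64 * 1024  # cap what a single request can pull back


def handle_request(line, allowed_root):
    """Validate one request line and return the reply text.

    The checks are the whole point of the broker: a fixed verb, a relative
    path only, and a realpath containment test so that "..", absolute paths
    and symlinks placed inside the root cannot reach files outside it.
    """
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] != "READ":
        return "ERR bad request"
    rel = parts[1]
    if not rel or rel.startswith("/") or "\x00" in rel:
        return "ERR bad path"
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(os.path.join(root, rel))
    # commonpath on the resolved paths rejects traversal and symlink escapes
    if os.path.commonpath([root, target]) != root:
        return "ERR path outside allowed root"
    try:
        with open(target, "rb") as fh:
            data = fh.read(MAX_REPLY_BYTES)
    except OSError as exc:
        return "ERR %s" % type(exc).__name__
    return "OK " + data.decode("utf-8", "replace")


def serve_one_request(request_fifo, response_fifo, allowed_root):
    """Broker side, runs as the file owner.  Opening a FIFO for reading
    blocks until the client opens it for writing, so this is a rendezvous."""
    with open(request_fifo, "r") as req:
        line = req.readline()
    reply = handle_request(line, allowed_root)
    with open(response_fifo, "w") as resp:
        resp.write(reply + "\n")


def client_request(request_fifo, response_fifo, line):
    """Web side: what the PHP script would do with fopen()/fgets() on the pipes."""
    with open(request_fifo, "w") as req:
        req.write(line + "\n")
    with open(response_fifo, "r") as resp:
        return resp.readline().rstrip("\n")


def demo():
    """Run broker and client as two threads in one process over real FIFOs.
    Returns the reply for each constructed request, in order."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "private")
        os.mkdir(root)
        with open(os.path.join(root, "config.txt"), "w") as fh:
            fh.write("secret=constructed-sample")  # constructed sample content
        with open(os.path.join(tmp, "outside.txt"), "w") as fh:
            fh.write("must never be served")
        # a symlink inside the root that points outside it
        os.symlink(os.path.join(tmp, "outside.txt"), os.path.join(root, "escape"))
        req_fifo = os.path.join(tmp, "req.fifo")
        resp_fifo = os.path.join(tmp, "resp.fifo")
        os.mkfifo(req_fifo)
        os.mkfifo(resp_fifo)

        requests = [
            "READ config.txt",       # legitimate
            "READ ../outside.txt",   # traversal with ".."
            "READ escape",           # symlink escape
            "DELETE config.txt",     # verb not in the allow-list
        ]
        replies = []
        for line in requests:
            broker = threading.Thread(
                target=serve_one_request, args=(req_fifo, resp_fifo, root))
            broker.start()
            replies.append(client_request(req_fifo, resp_fifo, line))
            broker.join()
        return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

In a real deployment the broker runs under its own service account that owns the files, the request FIFO is writable only by the web server's group, and the broker loops on `serve_one_request` instead of handling a single request. The web process gains exactly the operations the verb list permits and nothing else, which is the property the group-membership approach cannot give.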

#2


6  

If you have access to the server's configuration (assuming it's Apache), you might consider using suPHP. In a virtual host's configuration you can explicitly set the user and group for which a PHP script is executed:


<VirtualHost 192.168.1.1:80>
...
suPHP_UserGroup user group
...
</VirtualHost>

This setting is available for suPHP configurations built with the --with-setid-mode=paranoid option.


Another way to change the user ID would be posix_setuid() for which appropriate privileges are required. That would mean running your PHP scripts as root, which is a serious security issue.


#3


1  

No, not directly. If you are on a linux machine and have the rights, you can set the setuid bit on your file.


Keep in mind that the webserver runs as a different user for a reason. It is a very important security mechanism and by working around it, you might cause a security vulnerability.


#4


0  

You can change the user under which your server runs. This can be easily done using the windows version of apache (apache runs there as service and it is easy to configure the user under which apache runs).


Which server platform do you use?

