NYCPHP Meetup

NYPHP.org

[nycphp-talk] SSH2_CONNECT

Kenneth Dombrowski kenneth at ylayali.net
Fri Jul 31 07:32:56 EDT 2009


On 09-07-30 17:05 -0400, Ajai Khattri wrote:
> Most probably your PHP script will be running under the same username as 
> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you 
> wouldn't want to give www or nobody sudo privilege anyway!).

All this talk about sudo not working made me curious -- why shouldn't it
work?  It will, and a well configured sudo offers a very fine level of
control -- though whether one wants to do it is another question.

# visudo
Defaults:www-data       !lecture
Defaults:www-data       !authenticate
www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache

The first two lines get rid of sudo's usual prompts, since it will never
run interactively, and the last specifies a single command + argument
www-data is allowed to run as kenneth (you can use shell-style globs).

# sudo.php
<?php
header('Content-type: text/plain');
$f = '/tmp/sudoer.apache';
// Run the one command the sudoers rule above permits, as user kenneth.
// $f is a fixed literal here, so no escaping of shell metacharacters is needed.
system("sudo -u kenneth /usr/bin/touch $f");
// (bool) prints "1" when the file exists and "" when it does not.
print "\n$f exists? " . (bool) file_exists($f);

kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
   /tmp/sudoer.apache exists? 1
kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache 
-rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache

So on debian, www-data successfully created a file as kenneth.  On FreeBSD
I think www/nobody/whatever has a /bin/false shell, so there it won't
work.  Of course, you shouldn't do it on shared hosts, and I'm sure
somebody will tell me you shouldn't do it at all, but it's not due to a
technical limitation.
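A hardened variant of the sudo.php above, added here as an example and not part of the original post. It assumes the same sudoers rule (www-data may run `/usr/bin/touch /tmp/sudoer.apache` as kenneth); the helper names, the allowlist and the `-n` flag are my additions. The point it shows beyond the post's one-liner: the argument is checked against an allowlist before it reaches the shell, every word is passed through escapeshellarg(), sudo is told never to prompt, and success is judged by exit status rather than by whatever sudo printed.

```php
<?php
// Added example (not from the original post).  Assumes this sudoers rule:
//   www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
// Function names and the allowlist below are illustrative.

declare(strict_types=1);

/**
 * Build exactly the argv the sudoers rule permits.
 * Every word is escaped so a crafted $path cannot add shell words or
 * sudo options; the allowlist refuses anything the rule would not match.
 */
function build_touch_cmd(string $runAs, string $path): string
{
    $allowed = ['/tmp/sudoer.apache'];           // the single file the rule names
    if (!in_array($path, $allowed, true)) {
        throw new InvalidArgumentException("path not permitted: $path");
    }
    if (!preg_match('/\A[a-z_][a-z0-9_-]*\z/', $runAs)) {
        throw new InvalidArgumentException("bad target user: $runAs");
    }
    // -n: non-interactive.  If the rule does not match, sudo exits non-zero
    // at once instead of leaving an Apache worker stuck on a password prompt.
    return 'sudo -n -u ' . escapeshellarg($runAs)
         . ' /usr/bin/touch ' . escapeshellarg($path);
}

/** Run the command; report success by exit status, not by stdout. */
function touch_as(string $runAs, string $path): bool
{
    $cmd = build_touch_cmd($runAs, $path);
    exec($cmd . ' 2>&1', $output, $status);
    if ($status !== 0) {
        error_log("sudo failed (exit $status): " . implode("\n", $output));
        return false;
    }
    return true;
}

if (PHP_SAPI !== 'cli') {
    header('Content-type: text/plain');
}
$f  = '/tmp/sudoer.apache';
$ok = touch_as('kenneth', $f);
printf("%s: touch %s, exists=%s\n",
       $ok ? 'ok' : 'FAILED', $f, file_exists($f) ? 'yes' : 'no');
```

Before deploying, check what the web user may actually run with `sudo -l -U www-data` as root; that lists the matching rules without executing anything. One caveat on the "shell-style globs" remark: sudoers(5) matches command-line arguments as a single concatenated string, so a `*` in the argument position matches across word boundaries, and a rule like `/usr/bin/touch /tmp/*` permits more than one file under /tmp. Listing the exact argument, as the rule above does, avoids that.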





More information about the talk mailing list