
Executing shell_exec() as root user

Posted: Thu Feb 11, 2010 3:48 pm
by devel95
Does anyone have a sample code line that shows the proper and successful use of the shell_exec() function to run as root? I have tried numerous ways to get it to work and I continue to either get permission errors or "sudo: must be setuid root" errors.

Further, is it possible to successfully use shell_exec() as root without having to make tweaks to the server?

Basically I am trying to create a flat text file above the web document root directory and save a few lines of text. Given my web user ("nobody") does not have directory permissions to this location, I am trying to invoke a bash script that I wrote to assist me with my objective. Everything works except the fact that I cannot get shell_exec() to run as root for a moment in order to allow the bash script to do its thing.

Also, storing values in a db table and running a cron task every 1-minute (which seems to be the most popular answer) will not work for me because the file I am trying to create is meant to hold my db connection string credentials. Thus I do not have access to the db at this point in the process.

Re: Executing shell_exec() as root user

Posted: Thu Feb 11, 2010 7:59 pm
by redmonkey
There is no safe/secure way to accomplish this as far as I'm aware, as it would require including the root user password in plain text within a file/script, and even then it may not be possible; it depends on how your system is set up.

There are however a few ways which may be possible...

If you create/touch the file while logged in as a user that has write access to the directory then change the file permissions to allow write access to everybody, you should then be able to write to the file without any problems. This is probably the easiest method but not great as anybody will be able to write to the file.

You could also attempt to set the 'set uid' bit on your bash script, worth a try but most OSs disallow this due to security issues.

Lastly, you could write a small command line utility (in some language that the OS recognises as a binary executable) that takes your database credentials as arguments and writes them to a file, you could then setuid on the executable.

If it were me, I'd opt for the last option and hardcode the filename of the file to be written within the utility.

I can't see that there is any real need for root privileges in this case; you just need to run under a user that has write access to the particular directory.
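
A sketch of the last option in the reply above (a small setuid utility with the output filename hardcoded), added here as an illustration and not code from either poster. The path in CRED_FILE, the user=/pass= file layout, the 128-character limit and the 0640 mode are all assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed path: the only file this helper will ever write. */
#define CRED_FILE "/var/www/private/db.conf"

/* Accept only short, printable, single-line values (no spaces or newlines). */
static int valid_field(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 128) return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x21 || s[i] > 0x7e) return 0;
    return 1;
}

/* Write "user=...\npass=...\n" to path; 0 on success, -1 on any failure. */
static int write_creds(const char *path, const char *user, const char *pass)
{
    char buf[300];
    if (!valid_field(user) || !valid_field(pass)) return -1;
    int len = snprintf(buf, sizeof buf, "user=%s\npass=%s\n", user, pass);
    if (len < 0 || (size_t)len >= sizeof buf) return -1;

    umask(027);
    /* O_NOFOLLOW: refuse to write through a symlink planted at the path.
       0640 is an assumption: owner writes, group reads, others get nothing. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, (size_t)len);
    if (close(fd) != 0 || w != (ssize_t)len) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <db_user> <db_pass>\n", argv[0]);
        return 2;
    }
    /* The caller chooses the values, never the destination. */
    return write_creds(CRED_FILE, argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Installed owned by the account that owns the target directory, with the setuid bit set, it needs no root at all. Values passed as command-line arguments can be visible to other local users in the process list while the helper runs.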