This post shows how you can execute PHP scripts as a root user on Ubuntu/Linux using visudo.
What do you need to run PHP as root?
You will need to use visudo and to edit the sudoers file.
The visudo command is available on all UNIX and Linux systems. It provides a safe of editing the /etc/sudoers file. The sudoers file determines exacly ‘who’ can run commands. It also controls what commands a user can run. Most notably for our purpose, it identifies whether you need a password for particular commands.
How not to run PHP scripts as root!
It is not a good idea giving the Apache user, which runs your PHP scripts, root permissions. The Apache user must always request elevated permissions, when it’s about to perform an action that could potentially harm your server.
In other words –
DO NOT use visudo to prevent the Apache user from needing to elevate permissions (using the sudo command).
Why not? Well, a user could upload a malicious PHP script to your site. This PHP script can attempt to run a command that would usually require you to use sudo in Linux. The uploaded PHP script can then try to install malicious software.
The install will typically fail because Apache would need to request elevated permissions. Believe me when I say that this is a good thing.
The install will succeed if the Apace user is added to the sudoers file. This will only happen if you effectively give the Apache user permission to run PHP scripts as root. Adding the Apache user to the sudoers file is not a good idea!!!
How do you adjust the sudoers file with visudo?
The following examples assume that your Apache user is www-data.
The bad way –
Enter the following commands via SSH to add overrides to sudoers in Ubuntu using visudo:
sudo visudo -f /etc/sudoers.d/myOverrides
Add the following line to stop www-data from being asked a password.
www-data ALL=(ALL) NOPASSWD: ALL
Again, avoid this method at all costs! It is a bad idea.
The better way –
Create a shell script that executes the commands on behalf of the www-data user.
Add the following line to stop www-data from being asked a password when trying to run a specific shell script. The www-data use will require elevated permissions to execute anything else.
www-data ALL=(ALL) NOPASSWD: /path/to/myscript/createUser.sh
The script in my example is called createUser.sh and will create a user on the Linux host. The PHP script can pass arguments to this script just like a normal logged in SSH user.
Example of my SSH script createUser.sh:
#!/bin/bash echo "Adding user $1..." pwd=$(perl -e 'print crypt($ARGV, "password")' $2) useradd -m -p $pwd $1
Example of my PHP script executing the createUser.sh script: <?php echo shell_exec("sudo /path/to/my/script/createUser.sh myUsername myPassword"); ?>
I hope you liked my post! Click here to see more great posts. Anto will love to hear from you, so feel free to post a comment or like this post. Share this post, and you shall receive millions of years of good Karma. Alternatively, Why not click here to follow me on Twitter?