How to run a PHP script as root

This post shows how to let a PHP script run a command as root on Ubuntu/Linux using visudo, and why the grant should be as narrow as possible.

What do you need to run PHP as root?

You will need to use visudo and edit the sudoers file.

The visudo command ships with sudo on Linux and most UNIX systems. It provides a safe way of editing the /etc/sudoers file: it locks the file while you edit and checks the syntax before saving, so a typo cannot leave you locked out of sudo. The sudoers file determines exactly ‘who’ can run commands, which commands they can run, and as which target user. Most notably for our purpose, it identifies whether a password is needed for particular commands.

How not to run PHP scripts as root!

It is not a good idea to give blanket root permissions to the Apache user, which runs your PHP scripts. Any action that could potentially harm your server should need an explicit, narrowly scoped grant, so that the Apache user cannot elevate its permissions for anything except the one command you have approved.

In other words –

DO NOT use visudo to let the Apache user run arbitrary commands with elevated permissions (using the sudo command).

Why not? Well, an attacker who finds a way to upload a malicious PHP script to your site gets code execution as the Apache user. That script can try to run any command that would usually require you to use sudo in Linux, for instance to install malicious software or to add a back-door account.

Without a sudo rule that attempt fails, because the command needs elevated permissions the Apache user does not have. The compromise stays contained to whatever www-data can already read and write, which is a good thing.

The attempt succeeds the moment the Apache user is added to the sudoers file with an unrestricted rule. In effect you have given anyone who can get PHP to run on your site permission to run it as root. Adding the Apache user to the sudoers file with unrestricted rights is not a good idea!!!

How do you adjust the sudoers file with visudo?

The following examples assume that your Apache user is www-data.

The bad way –

Enter the following command via SSH to create a drop-in file for sudoers overrides on Ubuntu using visudo:

sudo visudo -f /etc/sudoers.d/myOverrides

Add the following line to let www-data run any command, as any user, without being asked for a password.

www-data ALL=(ALL) NOPASSWD: ALL

Again, avoid this method at all costs! Every PHP file on the server, including one an attacker uploaded, now runs with root.

The better way –

Create a shell script that executes the commands on behalf of the www-data user. The script must be owned by root and writable by root only; if www-data (or anyone else) can edit it, whoever can write the file gets root.

Add the following line to stop www-data from being asked a password when running that one script. The www-data user still has no sudo rights for anything else.

www-data ALL=(ALL) NOPASSWD: /path/to/myscript/createUser.sh

The script in my example is called createUser.sh and will create a user on the Linux host. The PHP script passes arguments to it just like a normal logged-in SSH user would. Note that the sudoers rule above lists no arguments, so sudo lets www-data pass whatever arguments it likes; the script is the only thing validating them, and that is where an injection bug would turn into a root compromise.
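A tighter version of that rule, added here as an example rather than taken from the post. The script path /usr/local/sbin/createUser.sh and the file name under /etc/sudoers.d are assumptions. Command arguments in sudoers are matched with shell-style wildcards, so the pattern can only coarsely constrain the username (it cannot even count arguments); the script must still validate its input. The target user is pinned to root instead of (ALL), and requiretty is switched off for this one command only, so the rule also works from a non-interactive PHP process on distributions that set it.

```sudoers
# /etc/sudoers.d/www-data-createuser  (added example; install with visudo -f, mode 0440,
# and keep "." and "~" out of the file name or sudo will silently skip it)
# One root-owned script, run only as root, with an argument that starts with a
# lowercase letter or underscore. The glob cannot count arguments, so the script
# itself still has to reject anything but a single valid username.
Cmnd_Alias CREATE_USER = /usr/local/sbin/createUser.sh [a-z_]*
# Some distributions require a tty for sudo; PHP has none, so relax that here only.
Defaults!CREATE_USER !requiretty
www-data ALL=(root) NOPASSWD: CREATE_USER
```

After saving, `sudo -l -U www-data` lists exactly what www-data may run, and `visudo -c -f /etc/sudoers.d/www-data-createuser` checks the fragment's syntax without opening an editor. Nothing in the rule protects you if the wrapper script is writable by www-data, so check its owner and mode as well.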

Example of my shell script createUser.sh:

#!/bin/bash
# Usage: createUser.sh <username> <password>. Refuse anything but exactly two arguments.
[ "$#" -eq 2 ] || { echo "usage: $0 username password" >&2; exit 1; }
echo "Adding user $1..."
# Hash the plaintext with crypt(3). Every expansion is quoted so spaces or shell metacharacters in an argument cannot split the command.
pwd=$(perl -e 'print crypt($ARGV[0], "password")' "$2")
useradd -m -p "$pwd" -- "$1"
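The post's script takes the password on the command line and hashes it with a fixed salt of "password". Because that salt does not start with "$", crypt(3) falls back to traditional DES: only the first two salt characters and the first eight characters of the password count, and the plaintext is visible in ps to every local user while the perl process runs. A hardened replacement, written here as an added example and not the post's own code, reads the password from stdin, validates the username against a strict pattern before it reaches useradd, refuses to touch existing accounts (root included), hashes with SHA-512 crypt through openssl, and leaves an audit line in syslog. Assumptions: Ubuntu/Debian with bash, useradd, getent, openssl and logger installed, the script deployed at /usr/local/sbin/createUser.sh, and a sudoers rule granting www-data that single path.

```shell
#!/bin/bash
# Hardened createUser.sh (added example, not the post's original script).
# Assumed install path: /usr/local/sbin/createUser.sh, owned by root, mode 0755,
# granted to www-data through a sudoers rule that names exactly this path.
# Invocation: printf '%s' "$password" | sudo /usr/local/sbin/createUser.sh "$username"
# Only the username travels in argv; the password arrives on stdin so it never shows up in ps.
set -euo pipefail

# Accept only conservative Debian-style names: a lowercase letter or underscore, then
# lowercase letters, digits, underscore or hyphen, at most 32 characters. A leading
# hyphen is impossible, so the name can never be parsed as a useradd option.
valid_username() {
    local name=$1
    [ "${#name}" -le 32 ] || return 1
    [[ "$name" =~ ^[a-z_][a-z0-9_-]*$ ]]
}

# Never touch an account that already exists; this also blocks "root" and every system account.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# SHA-512 crypt with a random salt chosen by openssl, instead of DES with a fixed salt.
hash_password() {
    printf '%s' "$1" | openssl passwd -6 -stdin
}

create_user() {
    local name=$1 password hash
    if [ "$(id -u)" -ne 0 ]; then
        echo "createUser.sh: must run as root" >&2
        return 1
    fi
    if ! valid_username "$name"; then
        echo "createUser.sh: refusing invalid username" >&2
        return 1
    fi
    if user_exists "$name"; then
        echo "createUser.sh: user already exists" >&2
        return 1
    fi
    IFS= read -r password
    if [ "${#password}" -lt 12 ]; then
        echo "createUser.sh: password too short" >&2
        return 1
    fi
    hash=$(hash_password "$password")
    # Fixed argument list; "--" ends option parsing before the name is appended.
    useradd -m -s /bin/bash -p "$hash" -- "$name"
    # Audit trail: sudo sets SUDO_USER to the invoking account (www-data here).
    logger -t createUser "created account $name on behalf of ${SUDO_USER:-unknown}"
}

# Only a real invocation with one argument reaches useradd; running the file with no
# arguments (or sourcing it) just defines the functions above.
if [ "$#" -eq 1 ]; then
    create_user "$1"
fi
```

Invoke it as printf '%s' "$password" | sudo /usr/local/sbin/createUser.sh "$username". From PHP that means proc_open() with a pipe for the child's stdin instead of shell_exec(), so the password is never part of an argument string. Run with no arguments the file only defines its functions, which makes the validation easy to exercise on its own before the script is trusted with root.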

Example of my PHP script executing the createUser.sh script:

<?php
// Hard-coded values here; anything that comes from a request must be validated and passed through escapeshellarg(),
// otherwise the request controls the arguments of a command that runs as root.
$cmd = "sudo /path/to/my/script/createUser.sh " . escapeshellarg("myUsername") . " " . escapeshellarg("myPassword");
echo shell_exec($cmd);
?>

About Anto Online

Anto, a seasoned technologist with over two decades of experience, has traversed the tech landscape from Desktop Support Engineer to enterprise application consultant, specializing in AWS serverless technologies. He guides clients in leveraging serverless solutions while passionately exploring cutting-edge cloud concepts beyond his daily work. Anto's dedication to continuous learning, experimentation, and collaboration makes him a true inspiration, igniting others' interest in the transformative power of cloud computing.
