suPHP executing PHP scripts as root

Posted 2024-11-01 03:30:14 · 1293 characters · 4 views · 0 comments

I have created several websites. Now I need to perform root tasks. I created a web platform and installed it. root owns all scripts in /var/private-www/ and they are chmodded (0777). In /var/private-www/test.php stands: <?php echo exec('whoami'); ?>. My suPHP config is this:

[global]
;Path to logfile
logfile=/var/log/suphp/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=root

;Path all scripts have to be in
docroot=/var/private-www

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=0

; Minimum GID
min_gid=0


[handlers]
;Handler for php-scripts
application/x-httpd-suphp="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

When I execute test.php in my web browser, it says: www-data :(. Not root... Even when I execute it in the command line. Besides, I did a2enmod suphp and apachectl restart, so I was thinking it would work. How can I fix this?
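The settings in that suphp.conf are the ones that decide whether suPHP still separates privileges at all: webserver_user=root, min_uid=0 and min_gid=0 each remove a guard. The following audit script is an added example, not part of the question or of the suPHP project; it parses the key=value format shown above, flags the settings that weaken the privilege switch, and uses suPHP's compiled-in defaults (minimum uid/gid 100) as the threshold. The two sample configs it generates are constructed: "weak" mirrors the question's values, "hardened" the usual ones.

```shell
#!/bin/sh
# Added example (not from the question or from the suPHP project): audit a suphp.conf for
# the settings that undo the privilege separation suPHP exists to provide. Thresholds
# follow suPHP's compiled-in defaults (min uid/gid 100); the sample configs are constructed.

# suphp_conf_get FILE KEY: print the value of "KEY=value" in FILE (';' lines are comments,
# a later occurrence overrides an earlier one, as in an INI file).
suphp_conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# Return 0 if $1 is a non-negative integer.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# suphp_conf_audit FILE: print one finding per line; return the number of findings.
suphp_conf_audit() {
    conf="$1"; n=0

    if [ "$(suphp_conf_get "$conf" webserver_user)" = root ]; then
        echo "webserver_user=root: Apache itself runs as root, so every request is handled as root before suPHP switches user"
        n=$((n + 1))
    fi

    for key in min_uid min_gid; do
        v=$(suphp_conf_get "$conf" "$key")
        if is_uint "$v" && [ "$v" -lt 100 ]; then
            echo "$key=$v: scripts owned by system accounts (including root, id 0) are allowed to run"
            n=$((n + 1))
        fi
    done

    for key in allow_file_group_writeable allow_file_others_writeable \
               allow_directory_group_writeable allow_directory_others_writeable; do
        if [ "$(suphp_conf_get "$conf" "$key")" = true ]; then
            echo "$key=true: scripts writable by other users are still executed"
            n=$((n + 1))
        fi
    done

    if [ "$(suphp_conf_get "$conf" check_vhost_docroot)" != true ]; then
        echo "check_vhost_docroot is not true: scripts outside the vhost DocumentRoot can be executed"
        n=$((n + 1))
    fi

    return "$n"
}

# Constructed sample configs: "weak" mirrors the question's settings, "hardened" the usual ones.
suphp_conf_sample() {
    case "$1" in
        weak)     user=root;     id=0   ;;
        hardened) user=www-data; id=100 ;;
        *) return 1 ;;
    esac
    cat <<EOF
[global]
;User Apache is running as
webserver_user=$user
docroot=/var/private-www
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=true
umask=0077
; Minimum UID
min_uid=$id
; Minimum GID
min_gid=$id
[handlers]
application/x-httpd-suphp="php:/usr/bin/php-cgi"
EOF
}

# Usage on a real system: suphp_conf_audit /etc/suphp/suphp.conf
```

Run against the question's values the audit reports three findings (webserver_user, min_uid, min_gid); the script only reads the config, so a value that the binary was compiled to reject (see the recompile remark in the answers below) is still reported as the file states it.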

Comments (4)

猫烠⑼条掵仅有一顆心 2024-11-08 03:30:14

Take a look at these known web app attacks: OWASP. Running as root and 0777 permissions are both things you should try to avoid.

故事与诗 2024-11-08 03:30:14

Short answer: Don't do this.

Any tasks that need to be run as root should be done via a cron job.

Why are you trying to do it this way, anyway?

棒棒糖 2024-11-08 03:30:14

I'm gonna regret saying this, and I don't want to be an enabler, but:

You're probably going to need to recompile. The minimum UID and GID aren't (just) configurable items; there are minimum checks made at compile time as well. There's also no guarantee that there aren't hard-coded checks against running as root.

You really should consider an alternative method of performing your desired tasks that does not involve exposing a web application running as root. A regularly running cron job that checks for uncompleted tasks or a work queue service can easily accomplish these goals. The web-exposed front-end then does not need to run as root.
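The work-queue pattern this answer recommends keeps the web-exposed code unprivileged and moves the decision about what runs as root into a separate process. The script below is an added example, not the answer's code: it is the root side of a drop-directory queue, run from root's crontab. The web front end (as www-data) only writes a small request file containing a task name; the worker refuses symlinks and unknown names, runs one of two fixed handlers, and consumes every request so that a bad one is never retried. The queue path, the request names and the handler commands are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the answer's code: the root side of a drop-directory work queue.
# The web front end (running as www-data) only writes small request files into QUEUE_DIR;
# this script runs from root's crontab and decides what, if anything, gets executed.
# Paths, the request names and the handler commands are assumptions for illustration.

: "${QUEUE_DIR=/var/spool/site-tasks}"   # assumed; owned by www-data, mode 0700
: "${QUEUE_OWNER=www-data}"              # requests must be owned by this user ("" disables the check)
: "${QUEUE_DRY_RUN=0}"                   # 1 = validate only, run no handler

# One handler per allowed request. The request file carries a name, never a command line,
# so the only things root will ever run are the fixed commands written here.
task_reload_web()  { [ "$QUEUE_DRY_RUN" = 1 ] || apachectl graceful; }
task_rotate_logs() { [ "$QUEUE_DRY_RUN" = 1 ] || logrotate -f /etc/logrotate.d/apache2; }

# Print the validated request name from one file, or fail.
queue_read_request() {
    f="$1"
    # Plain files only: the directory is writable by the web user, so a symlink could
    # point the root worker at any file on the system.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    if [ -n "$QUEUE_OWNER" ] && [ "$(stat -c %U "$f")" != "$QUEUE_OWNER" ]; then
        return 1
    fi
    name=$(head -n 1 "$f" | tr -d '\r')
    case "$name" in
        reload-web|rotate-logs) printf '%s\n' "$name" ;;   # allowlist of request names
        *) return 1 ;;
    esac
}

# Process every pending request; print "<ran> <rejected>" so a cron mail shows what happened.
queue_process() {
    dir="$1"; ran=0; rejected=0
    for f in "$dir"/*.req; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob did not match: nothing queued
        if name=$(queue_read_request "$f"); then
            "task_$(printf '%s' "$name" | tr '-' '_')" && ran=$((ran + 1))
        else
            logger -t site-tasks "rejected request $f" 2>/dev/null || true
            rejected=$((rejected + 1))
        fi
        rm -f -- "$f"   # consume it either way; a bad request is not retried forever
    done
    echo "$ran $rejected"
}

# Entry point for cron, e.g. "*/5 * * * * /usr/local/sbin/site-tasks" in root's crontab.
queue_process "$QUEUE_DIR"
```

The front end's whole contribution is a file such as /var/spool/site-tasks/1234.req containing the line reload-web; it never passes arguments, so there is nothing for an injected string to reach. Because the worker runs at most every few minutes this suits maintenance tasks, not anything a request has to wait for.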

被翻牌 2024-11-08 03:30:14

This is not the answer you are looking for, but you should consider this a bit:

Although there are cases where you would like to do so, running all your php scripts as root in general is bad practice and you may face a number of obstacles.

One easy way to avoid this is to use sudo. Add your commands to sudoers for www-data and let your scripts execute an external command with sudo.

Even external php scripts can be run as root via sudo. This way you will achieve privilege separation.

Otherwise you will have to run apache+modphp as root or hack the code of suphp.
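The sudo route works only if the sudoers rule names a fixed-purpose command rather than php or a shell, and if that command validates what www-data hands it. The wrapper below is an added example, not the answer's code: root installs it, the sudoers rule (shown in the header comment) lets www-data run only it, and it accepts exactly two tokens, an action from a fixed list and a site name restricted to a short character set, before touching anything. The install path, the sudoers line and the sites-available layout are assumptions. On the PHP side the call would be built with escapeshellarg(), e.g. exec('sudo /usr/local/sbin/site-task enable ' . escapeshellarg($site)).

```shell
#!/bin/sh
# Added example (not the answer's code): a fixed-purpose wrapper that root installs so the
# web user can trigger ONE privileged action through sudo without being able to run arbitrary
# commands. Paths and names below are assumptions for illustration.
#
# Matching sudoers rule (assumed, placed in a file under /etc/sudoers.d/):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/site-task
# The rule names this wrapper, not php or a shell, so all www-data gains is what this
# script is willing to do with a validated argument.

PATH=/usr/sbin:/usr/bin:/sbin:/bin        # ignore whatever PATH the caller passed in
SITES_AVAILABLE="${SITES_AVAILABLE:-/etc/apache2/sites-available}"   # assumed layout

# A site name is a short token: no slashes, dots or shell metacharacters, so it can never
# escape SITES_AVAILABLE or be interpreted by a shell.
site_task_valid_name() {
    case "$1" in
        ''|*[!a-z0-9-]*) return 1 ;;
        *) [ "${#1}" -le 32 ] ;;
    esac
}

site_task_valid_action() {
    case "$1" in enable|disable) return 0 ;; *) return 1 ;; esac
}

# Print the command that would be run, or fail if the input is not acceptable.
# Keeping the decision separate from the execution makes it easy to test.
site_task_plan() {
    site_task_valid_action "$1" && site_task_valid_name "$2" || return 1
    [ -f "$SITES_AVAILABLE/$2.conf" ] || return 1   # only sites root has already defined
    case "$1" in
        enable)  echo "a2ensite $2.conf" ;;
        disable) echo "a2dissite $2.conf" ;;
    esac
}

site_task_main() {
    [ "$#" -eq 2 ] || { echo "usage: site-task enable|disable SITE" >&2; exit 64; }
    plan=$(site_task_plan "$1" "$2") || { echo "site-task: refused: $1 $2" >&2; exit 77; }
    $plan && apachectl graceful   # $plan holds only the two validated tokens above
}

# With no arguments nothing runs, so the file can also be sourced to exercise the checks.
[ "$#" -eq 0 ] || site_task_main "$@"
```

The refusal path exits before any privileged command, so a request carrying a path component or a shell metacharacter in the site name fails closed; the sudo log still records the attempt, which is the detection point for misuse of the rule.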
