Rocket

Reputation: 1093

PHP - Run system commands as root. - Security

I'm looking for some advice..

I've managed to get a php script to call another page which in turn runs system commands as root.

This is what I've done, I'd like to see if I can secure it.

In /etc/sudoers.d I've added a file which contains a list of files the wwwrun user can run as root without needing a password. It contains entries similar to:

wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/filea
wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/fileb
wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/filec

My main web site has a test.php page, permissions on this are 777 & wwwrun:root

Within test.php I have some jquery, which is using ajax to call action.php&action=aaa

In action.php I have :

if ($_REQUEST['action'] == 'aaa') {
  exec('/Web/scripts/helper/filea', $res);
}

if ($_REQUEST['action'] == 'bbb') {
  exec('/Web/scripts/helper/fileb', $res);
}

if ($_REQUEST['action'] == 'ccc') {
  exec('/Web/scripts/helper/filec', $res);
}

filea contains a couple of bash commands. This file has 655 & root:root permissions.

The commands in filea, fileb and filec are fixed and if a variable is passed it's only to tell it to run another fixed command within the file.

How can I make this more secure? Obviously not having root access would be best, but I need to run some commands for moving, editing, updating, installing files etc.

UPDATE

Just to confirm this is working. I'd like to make it a little more secure.

I have tried changing the ownership to wwwrun:root and permissions to 744

This has made it so only root can edit the files, I assume that is a good idea..

Thanks

Upvotes: 1

Views: 559

Answers (2)

llmora

Reputation: 673

A few suggestions on securing the application, sorted by impact:

  1. Try to re-design the system so that the root privileges are not required. You pointed this one out; if you can provide more details on the application functionality, we could explore it. This is probably the best investment of your time to secure the application.

  2. Protect the scripts against modification by non-root users. If wwwroot can modify the script contents they can run any command as root:

    • Ensure that the files are owned by root and a group that wwwdata belongs to and that no-one but root can modify them. You may restrict wwwrun permissions to execute-only and do away with the other permissions, otherwise an attacker can just overwrite the file content and execute arbitrary commands:

      wwwrun$ cp evil /Web/scripts/helper/filea && sudo /Web/scripts/helper/filea

    • Ensure that all paths up to and including the script are owned by root and that only root can modify them. Otherwise an attacker could just move directories around to execute arbitrary commands:

      wwwrun$ rm -rf /Web/scripts && mkdir -p /Web/scripts/helper

      wwwrun$ cp evil /Web/scripts/helper/filea && sudo /Web/scripts/helper/filea

    • Do that for all the commands you run from within your scripts

  3. Make sure that all referenced commands and files use absolute paths

  4. Review the security of the scripts you are executing: they run as root; if they are not designed to run as root (temporary files, insecure dependencies, etc.), an attacker will exploit them

  5. Modify the sudoers file to ensure commands can't be run with arguments, by using the "" syntax, e.g.:

    wwwrun ALL=(ALL) NOPASSWD: /Web/scripts/helper/filea ""

  6. Check for race conditions - e.g. an attacker can execute more than one command at the same time; check whether this concurrency can introduce vulnerabilities. If needed, ensure scripts do not run concurrently by using a locking mechanism

Upvotes: 2
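
A check for point 2 of the answer above, as an added example that is not part of the original answer: it walks from a sudoers-listed script up to `/` and reports every path component whose owner or mode bits would let a non-root account modify or replace the script. The function name `audit_sudo_target` and its `trusted_uids` parameter are assumptions made for this sketch, and the demo tree is constructed.

```python
import os
import stat


def audit_sudo_target(path, trusted_uids=(0,)):
    """Return (path, problem) findings for a script and every directory above it.

    An empty list means ownership and mode bits alone give no account outside
    trusted_uids a way to modify, replace or move any path component.
    """
    findings = []
    current = os.path.realpath(path)  # audit the real file, not a symlink to it
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((current, "group-writable (gid %d)" % st.st_gid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent


if __name__ == "__main__":
    import tempfile

    # Constructed demo tree standing in for /Web/scripts/helper/filea.
    base = tempfile.mkdtemp()
    helper = os.path.join(base, "scripts", "helper")
    os.makedirs(helper)
    script = os.path.join(helper, "filea")
    open(script, "w").close()
    os.chmod(script, 0o777)  # deliberately weak mode so the audit has a finding
    # Assumption for the demo only: trust the current user as well as root,
    # because an unprivileged run cannot create root-owned files.
    for where, problem in audit_sudo_target(script, (0, os.geteuid())):
        print("%s: %s" % (where, problem))
```

On a real host, call it with the default `trusted_uids=(0,)` for each path listed in the sudoers file and treat any finding as something to fix before relying on the NOPASSWD entry.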

Pethő Jonatán

Reputation: 308

Try giving root privileges to www-data too! www-data is required to have the right to read. You can also try changing the files' owner and group to www-data.

Upvotes: 0
