trash2

Reputation: 13

smartest way to use config /etc/sudoers for www-data

I want to ask what the best or smartest way is to use /etc/sudoers for www-data if you sometimes need the exec or shell_exec function for cp, mv, or to start some Python files. Is www-data ALL=(ALL) NOPASSWD:ALL the only way, or how would you configure such a problem? thx

Upvotes: 1

Views: 450

Answers (1)

M. Eriksson

Reputation: 13635

It's a very bad idea to set www-data as a sudoer, even more so as a sudoer without a password. It would mean that if anyone somehow managed to trigger some PHP code through the web server (any kind of Remote Code Execution vulnerability), they could take over the entire server, since they could run commands through sudo without needing a password.

Here are a couple of possible alternatives:

  • Depending on what the files are, you could give www-data the needed permissions on those specific files.

  • Work with queues. Let PHP add the action to a queue, then have some script (called by CRON every few seconds, or a separate service running as a daemon) read and perform the actions in the queue. That way you can also limit and verify the actions before they are performed.

Upvotes: 2
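A worked example of the queue alternative described in the answer above. This is added example code, not part of the original question or answer. It assumes a hypothetical layout: PHP (running as www-data) drops one JSON file per requested action into a spool directory, and this worker runs as a separate user from cron or as a daemon, so www-data itself never needs sudo. The action names (cp, mv, run_python), the allowed directories and the script allowlist are all assumptions chosen to match the question; adjust them to your own deployment.

```python
"""Queue worker that performs a small, fixed menu of actions on behalf of the web tier.

Added example (not from the original Q&A). Assumed layout:
  QUEUE_DIR/new/    <- www-data writes one JSON job per file here
  QUEUE_DIR/done/   <- processed jobs are moved here
  QUEUE_DIR/failed/ <- rejected or failed jobs are moved here with an .err note
The worker is expected to run as a different, appropriately privileged user.
"""
import json
import shutil
import subprocess
import sys
from pathlib import Path

QUEUE_DIR = Path("/var/spool/webjobs")                          # assumption
ALLOWED_ROOTS = (Path("/srv/uploads"), Path("/srv/processed"))  # assumption
ALLOWED_SCRIPTS = (Path("/opt/app/jobs/report.py"),)            # assumption


class RejectedJob(ValueError):
    """Raised when a queued job fails validation; nothing is executed."""


def _checked_path(raw, roots):
    """Return raw as a resolved absolute Path only if it lies under one of roots."""
    if not isinstance(raw, str) or not raw:
        raise RejectedJob("path must be a non-empty string")
    p = Path(raw)
    if not p.is_absolute():
        raise RejectedJob("relative paths are not accepted: %r" % raw)
    resolved = p.resolve()  # collapses '..' and follows symlinks before the check
    allowed = [Path(r).resolve() for r in roots]
    if not any(resolved == r or r in resolved.parents for r in allowed):
        raise RejectedJob("path outside allowed roots: %r" % raw)
    return resolved


def validate_job(job, roots=ALLOWED_ROOTS, scripts=ALLOWED_SCRIPTS):
    """Turn an untrusted job dict into a (action, parameters) pair or raise RejectedJob.

    The web tier only picks *what* to do from a fixed menu; the worker decides *how*,
    so no shell is involved and no user-controlled command string is ever run.
    """
    if not isinstance(job, dict):
        raise RejectedJob("job must be a JSON object")
    action = job.get("action")
    if action in ("cp", "mv"):
        src = _checked_path(job.get("src"), roots)
        dst = _checked_path(job.get("dst"), roots)
        return action, [src, dst]
    if action == "run_python":
        script = Path(str(job.get("script", ""))).resolve()
        if script not in [Path(s).resolve() for s in scripts]:
            raise RejectedJob("script not on allowlist: %r" % job.get("script"))
        args = job.get("args", [])
        if not all(isinstance(a, str) and a.isalnum() for a in args):
            raise RejectedJob("script arguments must be alphanumeric strings")
        return action, [script, *args]
    raise RejectedJob("unknown action: %r" % action)


def execute_job(action, params):
    """Perform an already-validated job and return a short status string."""
    if action == "cp":
        shutil.copy2(params[0], params[1])
        return "copied"
    if action == "mv":
        shutil.move(str(params[0]), str(params[1]))
        return "moved"
    if action == "run_python":
        # argv list, no shell: arguments can never be reinterpreted as commands
        proc = subprocess.run([sys.executable, str(params[0]), *params[1:]],
                              capture_output=True, text=True, timeout=60, check=False)
        return "exit %d" % proc.returncode
    raise RejectedJob("unknown action: %r" % action)


def process_queue(queue_dir=QUEUE_DIR, roots=ALLOWED_ROOTS, scripts=ALLOWED_SCRIPTS):
    """Process every *.json job in queue_dir/new; returns {'done': n, 'failed': m}."""
    new, done, failed = (Path(queue_dir) / d for d in ("new", "done", "failed"))
    for d in (done, failed):
        d.mkdir(parents=True, exist_ok=True)
    counts = {"done": 0, "failed": 0}
    for job_file in sorted(new.glob("*.json")):
        try:
            job = json.loads(job_file.read_text())
            action, params = validate_job(job, roots, scripts)
            execute_job(action, params)
            job_file.rename(done / job_file.name)
            counts["done"] += 1
        except (RejectedJob, ValueError, OSError, subprocess.TimeoutExpired) as exc:
            # Rejected or failed jobs are kept for inspection, never retried blindly.
            (failed / (job_file.name + ".err")).write_text(str(exc))
            job_file.rename(failed / job_file.name)
            counts["failed"] += 1
    return counts


if __name__ == "__main__":
    print(process_queue())
```

Run it from cron (for example every minute) or wrap the loop in a sleep as a daemon. The important property is that www-data can only write JSON into the spool directory; the decision of which command runs, with which interpreter and on which paths, is made entirely by the worker, which is why a web-side code execution bug no longer translates into arbitrary privileged commands.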
