Security implications of adding www-data to /etc/sudoers to run php-cgi as a different user
Posted by BMiner on Server Fault
Published on 2012-09-26T14:49:18Z
What I really want to do is allow the 'www-data' user to have the ability to launch php-cgi as another user. I just want to make sure that I fully understand the security implications.
The server should support a shared hosting environment where various (possibly untrusted) users have chroot'ed FTP access to the server to store their HTML and PHP files. Then, since PHP scripts can be malicious and read/write others' files, I'd like to ensure that each user's PHP scripts run with that user's own permissions (instead of running as www-data).
Long story short, I have added the following line to my /etc/sudoers file, and I wanted to run it past the community as a sanity check:
www-data ALL = (%www-data) NOPASSWD: /usr/bin/php-cgi
This line should only allow www-data to run a command like this (without a password prompt):
sudo -u some_user /usr/bin/php-cgi
...where some_user is a user in the group www-data. What are the security implications of this?
This should then allow me to modify my Lighttpd configuration like this:
fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "sudo -u some_user /usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1,
        "bin-environment" => (
            "PHP_FCGI_CHILDREN" => "4",
            "PHP_FCGI_MAX_REQUESTS" => "10000"
        ),
        "bin-copy-environment" => (
            "PATH", "SHELL", "USER"
        ),
        "broken-scriptfilename" => "enable"
    ))
)
...allowing me to spawn new FastCGI server instances for each user.
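The security-relevant property of the sudoers line above is its Runas_Spec: `(%www-data)` lets www-data run php-cgi as every account that is a member of group www-data, and since php-cgi executes whatever script path it is handed, that is the same as running arbitrary code as each of those accounts. The reach of the rule is therefore decided by group membership rather than by the rule text. The following script is an added example (not code from the Server Fault post) that parses a sudoers user specification, expands the Runas_Spec against constructed /etc/group and /etc/passwd contents (the account names alice, bob and admin are assumptions), and flags any reachable account that is root or has an interactive shell, i.e. anything beyond the FTP-only hosting accounts the rule was written for:

```python
"""Runas blast-radius check for a sudoers user specification.

Added example, not from the original post. Expands the Runas_Spec of a rule
such as "www-data ALL = (%www-data) NOPASSWD: /usr/bin/php-cgi" against
group/passwd data and lists every account www-data could become through it.
The group and passwd contents are constructed for the example; on a real
host read /etc/group and /etc/passwd instead.
"""
import re
from dataclasses import dataclass

# Constructed /etc/group: hosting users alice and bob, plus an administrator
# (assumed account) who joined www-data to be able to edit site files.
GROUP_FILE = """\
root:x:0:
www-data:x:33:alice,bob,admin
alice:x:1001:
bob:x:1002:
admin:x:1003:
"""

# Constructed /etc/passwd: hosting accounts are FTP-only (nologin shell).
PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001:Hosting user:/srv/www/alice:/usr/sbin/nologin
bob:x:1002:1002:Hosting user:/srv/www/bob:/usr/sbin/nologin
admin:x:1003:1003:Server admin:/home/admin:/bin/bash
"""

# user host = (runas_users[:runas_groups]) [TAG: ...] command
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)
SERVICE_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass
class SudoRule:
    user: str
    host: str
    runas_users: list   # user part of the Runas_Spec, e.g. ["%www-data"]
    tags: list          # e.g. ["NOPASSWD"]
    command: str


def parse_sudoers_line(line):
    """Parse one user specification; raises ValueError for anything else."""
    m = SUDOERS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sudoers user specification: {line!r}")
    runas = m.group("runas")
    # Runas_Spec is "users : groups"; only the user part decides identity here.
    users = [] if runas is None else [
        r.strip() for r in runas.split(":")[0].split(",") if r.strip()]
    tags = [t.rstrip(":") for t in m.group("tags").split()]
    return SudoRule(m.group("user"), m.group("host"), users, tags,
                    m.group("cmd").strip())


def parse_group_file(text):
    """name -> (gid, [supplementary members])"""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), [u for u in members.split(",") if u])
    return groups


def parse_passwd_file(text):
    """name -> (uid, primary gid, shell)"""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = (int(uid), int(gid), shell)
    return users


def runas_targets(rule, groups, users):
    """Accounts the rule's user may run the command as, sorted by name."""
    targets = set()
    for entry in rule.runas_users:
        if entry == "ALL":
            targets.update(users)
        elif entry.startswith("%"):
            gid, members = groups[entry[1:]]
            targets.update(members)
            # sudo also treats accounts whose primary gid is this group as members.
            targets.update(u for u, (_uid, pgid, _sh) in users.items() if pgid == gid)
        else:
            targets.add(entry)
    return sorted(targets)


def risky_targets(targets, users):
    """Reachable accounts that are root or have an interactive shell."""
    risky = []
    for t in targets:
        if t in users:
            uid, _gid, shell = users[t]
            if uid == 0 or shell not in SERVICE_SHELLS:
                risky.append(t)
    return risky


def audit(line, group_text=GROUP_FILE, passwd_text=PASSWD_FILE):
    """Parse the rule and report what www-data can become through it."""
    rule = parse_sudoers_line(line)
    groups, users = parse_group_file(group_text), parse_passwd_file(passwd_text)
    targets = runas_targets(rule, groups, users)
    return {"rule": rule, "targets": targets, "risky": risky_targets(targets, users)}


if __name__ == "__main__":
    for spec in ("www-data ALL = (%www-data) NOPASSWD: /usr/bin/php-cgi",
                 "www-data ALL = (alice, bob) NOPASSWD: /usr/bin/php-cgi"):
        r = audit(spec)
        print(f"{spec}\n  can become: {r['targets']}\n  risky: {r['risky']}")
```

Run against the constructed data, the `(%www-data)` rule reaches admin (an interactive account) as well as www-data itself, while the explicit `(alice, bob)` rule reaches only the two hosting accounts; listing the Runas users explicitly, or using a dedicated group that contains only hosting accounts, keeps the rule's reach from silently growing whenever someone is added to www-data. The script checks only identity reach, not sudo's environment handling: with sudo's default env_reset, variables such as PHP_FCGI_CHILDREN set through bin-environment are dropped before php-cgi starts unless they are listed in env_keep.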
© Server Fault or respective owner