Security implications of adding www-data to /etc/sudoers to run php-cgi as a different user

Posted by BMiner on Server Fault
Published on 2012-09-26T14:49:18Z Indexed on 2012/09/26 15:39 UTC

What I really want to do is allow the 'www-data' user to have the ability to launch php-cgi as another user. I just want to make sure that I fully understand the security implications.

The server should support a shared hosting environment where various (possibly untrusted) users have chroot'ed FTP access to the server to store their HTML and PHP files. Then, since PHP scripts can be malicious and read/write others' files, I'd like to ensure that each user's PHP scripts run with the same user permissions for that user (instead of running as www-data).

Long story short, I have added the following line to my /etc/sudoers file, and I wanted to run it past the community as a sanity check:

www-data ALL = (%www-data) NOPASSWD: /usr/bin/php-cgi

This line should only allow www-data to run a command like this (without a password prompt):

sudo -u some_user /usr/bin/php-cgi

...where some_user is a user in the group www-data. What are the security implications of this?

This should then allow me to modify my Lighttpd configuration like this:

fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "sudo -u some_user /usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1,
        "bin-environment" => (
            "PHP_FCGI_CHILDREN" => "4",
            "PHP_FCGI_MAX_REQUESTS" => "10000"
        ),
        "bin-copy-environment" => (
            "PATH", "SHELL", "USER"
        ),
        "broken-scriptfilename" => "enable"
    ))
)

...allowing me to spawn new FastCGI server instances for each user.
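
An audit sketch for the sudoers rule above, added here as an example and not part of the original post: it lists which accounts `(%www-data)` actually matches as run-as targets and flags the ones an operator might not expect. The passwd/group contents and the function names are constructed for illustration.

```python
# Constructed sample account data (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/usr/sbin/nologin
bob:x:1002:1002::/home/bob:/usr/sbin/nologin
deploy:x:1003:33::/home/deploy:/bin/bash
carol:x:1004:1004::/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
www-data:x:33:alice,bob
alice:x:1001:
"""


def runas_targets(passwd_text, group_text, group_name):
    """Map each account matched by %group_name in a Runas list to why it matches.

    sudo tests %group against the user's whole group list, so accounts whose
    primary GID is the group match even though /etc/group does not list them.
    """
    gid, listed = None, set()
    for line in group_text.splitlines():
        name, _pw, g, members = line.split(":")
        if name == group_name:
            gid, listed = int(g), {m for m in members.split(",") if m}
    if gid is None:
        raise ValueError(f"group {group_name!r} not found")
    targets = {}
    for line in passwd_text.splitlines():
        user, _pw, uid, pgid, _gecos, _home, _shell = line.split(":")
        if int(pgid) == gid:
            targets[user] = ("primary", int(uid))
        elif user in listed:
            targets[user] = ("supplementary", int(uid))
    return targets


def unexpected_targets(targets, invoking_user):
    """Targets that are not plain per-customer accounts listed in /etc/group."""
    return sorted(
        user for user, (how, uid) in targets.items()
        if user == invoking_user or uid == 0 or how == "primary"
    )


if __name__ == "__main__":
    t = runas_targets(SAMPLE_PASSWD, SAMPLE_GROUP, "www-data")
    print("runas targets:", t)
    print("review these:", unexpected_targets(t, "www-data"))
```

On a live system, pass the output of `getent passwd` and `getent group` instead of the sample strings.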
