
I wrote a script which "walks" through /var/www/xyz and scans folders and more. The folders are all 'user-bound', so the permissions for a single folder there are set to the specific user.

Running this script as root (for example in /root, 'php myscript.php') returns the expected results.

Now I want to transfer the results to the browser: in /var/www/newfolder I created a file index.php, just pasted the script into the file and tried it (in the browser) and of course failed. It just shows me a small part of the results (the user-specific folder names, but it does not get deeper). Pretty sure it's a permission thing, being the www-user.

Phew, so the question is: is there a possibility to put a file with a function (for example) into /var, and allow a www user in the browser to ONLY CALL THAT function? If yes, any useful links or tips? (I googled really hard and for a long time now, but what I found was worth nothing.)

OR

Call a function in my /var/www/newfolder/ which has enough permission to scan the user-folders? (I guess that is critical regarding safety)

1 Answer

You are correct to be concerned about security. You can use the setuid bit to create an executable that runs as the owner of the executable instead of the user that called the executable. If the executable is owned by root then it would run as root (be sure not to give write privileges to anyone but root). Use group permissions if you want to limit who can run the executable.

Use chmod o+s <path to script> to turn on the setuid bit. (chmod 4750 <path to script> allows the owner and the owning group to read and execute the file as the file's owner while allowing other users no access.)

An approach that does not require your script to run as root would be to set up the group owner and permissions of the folders that you want to scan so that the www-user can read the contents of the folder. Using the setgid bit on the folders will cause all files and folders created within these folders to inherit the group ownership.

Use chmod g+s <path to folder> to turn on the setgid bit. To set your /var/www/ folder (and subfolders) to group www-user and allow users in this group to access all the folders use (as root):

chgrp -R www-user /var/www/
chmod -R g+srX /var/www/
  • Omg. Can't wait to try that (on monday). Wonderful and understandable answer, thanks a lot! Commented Sep 11, 2015 at 16:17
  • Your web server may be set up to run all php scripts as the owner of the script (allows script authors to access their private data from the scripts even though the web server doesn't have access to that data directly). You may want to run a script that shows you the output of the 'id' command to see what user and groups the script runs as. Commented Sep 11, 2015 at 16:25
  • Hey there, so what I did now is splitting the output and script into two files. Now I have got: /var/www/myfolder/index.php /var/www/myfolder/myfolder2/script.php I changed the rights as you said (chmod o+s ... and chmod 4750 ...). When looking at the index.php it won't show the output (permission problem). Have I made something wrong? Commented Sep 14, 2015 at 8:15
  • More info: in my index file I am including the script file. In the script file is a function, which I tried to call from the index file and even tried to call from within the script file. Both ways it is not working :/ Commented Sep 14, 2015 at 8:36
  • Have you tried writing a script to test what user and groups the script runs as when invoked? Commented Sep 17, 2015 at 21:28
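The answer's setgid-group approach, together with its caveat about write access to a setuid file, as a runnable check. This is an added example, not code from the original answer; WEBROOT and WEBGROUP are placeholders for the answer's /var/www and www-user, and the functions assume a POSIX sh with find, chgrp and chmod.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the answer's
# second approach (group ownership plus setgid directories instead of a
# setuid script) and then verifies the result. WEBROOT and WEBGROUP are
# placeholders; the answer's own values are /var/www and www-user.

# Give GROUP read access to the whole tree with the answer's own two commands:
# directories get r, x and the setgid bit (new entries inherit the group),
# plain files get only r (the capital X adds x to directories and to files
# that are already executable, nothing else). Run as root or as the owner.
grant_group_access() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" && chmod -R g+srX "$dir"
}

# Print every entry under DIR that GROUP still cannot reach: wrong group
# owner, a directory missing group r/x or setgid (octal 2050), or a file
# missing group r (octal 040). Empty output means the scan will work.
list_group_access_gaps() {
    dir=$1; group=$2
    find "$dir" ! -group "$group" -o -type d ! -perm -2050 -o -type f ! -perm -040
}

# Same check as a number, convenient for scripts and for the test below.
count_group_access_gaps() {
    list_group_access_gaps "$1" "$2" | wc -l | tr -d ' '
}

# For the answer's setuid approach: a setuid file must not be writable by
# anyone but its owner, because whoever can edit it runs code as that owner.
# Print setuid files under DIR that are group- or world-writable.
list_writable_setuid_files() {
    find "$1" -type f -perm -4000 \( -perm -020 -o -perm -002 \)
}

# Usage: sh this_script.sh WEBROOT WEBGROUP
if [ -n "$1" ] && [ -n "$2" ]; then
    grant_group_access "$1" "$2"
    echo "entries still unreadable by $2: $(count_group_access_gaps "$1" "$2")"
    list_writable_setuid_files "$1"
fi
```

Running `list_group_access_gaps` as the web server's user (the `id` check suggested in the comments tells you which user and groups that is) shows exactly which user-bound folders the browser-side script will fail on.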
