PHPFixing

Thursday, January 13, 2022

[FIXED] smartest way to use config /etc/sudoers for www-data

Tags: php, sudo, sudoers

Issue

I want to ask what the best or smartest way is to use /etc/sudoers for www-data if you sometimes need the exec or shell_exec function for cp, mv or to start some Python files. Is www-data ALL=(ALL) NOPASSWD:ALL the only way, or how would you configure such a problem? Thanks.


Solution

It's a very bad idea to set www-data as a sudoer, even more so as a sudoer without a password. It would mean that if anyone somehow managed to trigger some PHP code through the web server (any kind of Remote Code Execution vulnerability), they can take over the entire server, since they can perform commands as SUDO without needing a password on your entire server.

Here are a couple of possible alternatives:

  • Depending on what the files are, you could give www-data the needed permission to those specific files.

  • Work with queues. Let PHP add the action to a queue, then have some script (could be called using CRON every few seconds, or you create a different service running as a daemon) read and perform the actions in the queue. Then you can also limit and verify the actions it can perform before it performs them.



Answered By - M. Eriksson
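
The queue approach from the answer, sketched as an added example (it is not part of the original answer): a worker, run from cron or as a service under its own unprivileged account, that reads JSON job files dropped by PHP and verifies each one before acting. The directory paths, the job format and the script name "report" are assumptions made for illustration.

```python
import json
import shutil
import subprocess
from pathlib import Path

# Hypothetical layout for this example; adjust to your system.
QUEUE_DIR = Path("/var/spool/webjobs")   # the only place www-data writes jobs
DATA_ROOT = Path("/srv/app/data")        # the only tree the worker may touch
SCRIPTS = {"report": "/opt/app/scripts/report.py"}  # runnable scripts, by name

def inside(root: Path, candidate: str) -> Path:
    """Resolve candidate (following symlinks) and reject anything outside root."""
    path = (root / candidate).resolve()
    if root.resolve() not in path.parents:
        raise ValueError(f"path escapes {root}: {candidate!r}")
    return path

def validate(job, root: Path = DATA_ROOT) -> list:
    """Turn an untrusted job into a fixed plan, or raise ValueError."""
    action = job.get("action") if isinstance(job, dict) else None
    if action in ("cp", "mv"):
        return [action, inside(root, str(job["src"])), inside(root, str(job["dst"]))]
    if action == "run" and job.get("script") in SCRIPTS:
        return ["run", SCRIPTS[job["script"]]]  # the path comes from us, not the job
    raise ValueError(f"action not allowed: {action!r}")

def execute(plan: list) -> None:
    """Carry out a validated plan; no shell is involved at any point."""
    if plan[0] == "cp":
        shutil.copy2(plan[1], plan[2])
    elif plan[0] == "mv":
        shutil.move(str(plan[1]), str(plan[2]))
    else:
        subprocess.run(["/usr/bin/python3", plan[1]], check=True, timeout=300)

def drain(queue: Path = QUEUE_DIR, root: Path = DATA_ROOT) -> list:
    """Process each *.json job once; return (file name, status) pairs."""
    results = []
    for job_file in sorted(queue.glob("*.json")):
        try:
            execute(validate(json.loads(job_file.read_text()), root))
            results.append((job_file.name, "ok"))
        except (ValueError, KeyError, TypeError, OSError,
                subprocess.SubprocessError) as exc:
            results.append((job_file.name, f"rejected: {exc}"))
        job_file.unlink()  # a job is never retried, valid or not
    return results
```

On the PHP side the only privilege needed is write access to the queue directory; calling drain() from the worker account replaces every sudo rule for www-data.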