PHPFixing

Thursday, January 13, 2022

[FIXED] smartest way to use config /etc/sudoers for www-data

 January 13, 2022     php, sudo, sudoers     No comments   

Issue

I want to ask what the best or smartest way is to use /etc/sudoers for www-data if you sometimes need the exec or shell_exec function for cp, mv or to start some Python files. Is www-data ALL=(ALL) NOPASSWD:ALL the only way, or how would you configure this? Thanks.


Solution

It's a very bad idea to set www-data as a sudoer, even more so as a sudoer without password. It would mean that if anyone somehow managed to trigger some PHP code through the web server (any kind of Remote Code Execution vulnerability), they can take over the entire server since they can perform commands as SUDO without needing a password on your entire server.

Here are a couple of possible alternatives:

  • Depending on what the files are, you could give www-data the needed permission to those specific files.

  • Work with queues. Let PHP add the action to a queue, then have some script (could be called using CRON every few seconds, or you create a different service running as a daemon) read and perform the actions in the queue. Then you can also limit and verify the actions it can perform before it performs them.



Answered By - M. Eriksson
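
The queue approach from the second alternative, as an added example that is not code from the original answer: PHP writes one JSON job file per request into a spool directory, and a worker started from cron under a dedicated non-root account checks each job against an allowlist before acting on it. The paths, the job format and the script names are assumptions made for illustration.

```python
import json
import shutil
import subprocess
import sys
from pathlib import Path

# Assumed layout for this example (none of these paths come from the original post).
BASE = Path("/srv/app/data")                      # only tree the worker may touch
SCRIPTS = {"report": "/srv/app/jobs/report.py"}   # job name -> fixed script path

def confine(rel, base):
    """Resolve rel under base; reject absolute paths, '..' and symlink escapes."""
    base = Path(base).resolve()
    target = (base / rel).resolve()
    if target == base or not target.is_relative_to(base):
        raise ValueError(f"path escapes base: {rel!r}")
    return target

def validate(job, base=BASE):
    """Turn an untrusted job dict into a vetted (action, args) pair, or raise."""
    if not isinstance(job, dict):
        raise ValueError("job must be a JSON object")
    action = job.get("action")
    if action in ("cp", "mv"):
        return action, (confine(str(job["src"]), base), confine(str(job["dst"]), base))
    if action == "run" and isinstance(job.get("script"), str) and job["script"] in SCRIPTS:
        return action, (SCRIPTS[job["script"]],)
    raise ValueError(f"action not allowed: {action!r}")

def perform(action, args):
    """Execute a vetted job; no shell is involved at any point."""
    if action == "cp":
        shutil.copy2(*args)
    elif action == "mv":
        shutil.move(*args)
    else:
        subprocess.run([sys.executable, args[0]], check=True, timeout=60)

def drain(queue_dir, base=BASE):
    """Process each *.json job file dropped into queue_dir, then delete it."""
    results = {}
    for path in sorted(Path(queue_dir).glob("*.json")):
        try:
            perform(*validate(json.loads(path.read_text()), base))
            results[path.name] = "ok"
        except (ValueError, KeyError, OSError, subprocess.SubprocessError) as exc:
            results[path.name] = f"error: {type(exc).__name__}"
        path.unlink()
    return results
```

With this split, www-data only needs write access to the spool directory, and a compromised PHP process can request nothing beyond what `validate` accepts.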