OAFC_Rob Posted April 30, 2013

I have an email address which, when any emails are received, uses postfix to open a PHP file, which then on the first line executes PHP via Linux. This works a treat and then will do the parsing of the email and upload attachments to my server. The issue, however, is security: at the moment the folder is set to 777 rights, NOT by me!

    #!/usr/bin/php -q
    <?php
    //run this php script, doing this we will be using user "nobody"

I have tried setting up a new group and owner called upload but it doesn't work because at the point of execution we are set to Linux's nobody user. I thought I could switch the user using the following command:

    #! runuser -l upload -c /usr/bin/php -q
    <?php
    //my php script will now run

However, this didn't work! I have also tried altering the nobody alias to "upload" and then altered the folder owner and group to match this user, which didn't work. The only thing I have remotely got to work is setting the group to nobody, allowing the file to upload to the server, but again this is not perfect because it seems there are three users required to upload, hence why I tried to set up a new group. Any ideas would be appreciated; my usual stop of Google isn't helping too much.
trq Posted April 30, 2013

It would be easy enough to wrap your script in a simple bash script to execute it via sudo. Tampering with the shebang line won't help.

    #!/bin/bash
    sudo -u someuser /path/to/your/phpscript.php
OAFC_Rob Posted April 30, 2013 (Author)

Wouldn't you be required to supply the password for the user in doing that though? Also, the initial call to the script is being done via cPanel, so when an email comes in it fires off to the script file /path/to/my/script.php

    //Then within the script this happens
    #!/usr/bin/php -q
    <?php
trq Posted April 30, 2013

"Wouldn't you be required to supply the password for the user in doing that though?"

No. You can configure sudo to not require passwords if need be, even locked down to specific commands as well.

"Also the initial call to the script is being done via the cpanel so when an email comes in, it fires off to the scripted file"

Surely you can configure what script is executed? Even still, you could easily enough create this simple wrapper using PHP instead of Bash if need be.
OAFC_Rob Posted April 30, 2013 (Author)

So if I've understood you right, I would do something like this.

1. In cPanel, alter the postfix alias to call a shell script: /home/my_server/runShellScrip.sh

2. Within this shell script have the following:

    #!/bin/bash
    sudo -u upload /home/my_server/public_html/upload/upload_script.php

3. Keep the called PHP script the same:

    #!/usr/bin/php -q
    <?php
    //call the php code, parse the email and upload the attachments
OAFC_Rob Posted April 30, 2013 (Author)

I got the following error emailed back:

    sudo: sorry, you must have a tty to run sudo
trq Posted April 30, 2013

The easiest solution to this issue is to disable the tty requirement within /etc/sudoers:

    Defaults requiretty
OAFC_Rob Posted May 1, 2013 (Author)

Doing that would be a security risk, would it not? Which is the whole point of us trying to lock down the uploads folder from 777 permissions.
trq Posted May 1, 2013

It poses something of a security risk, yeah. You should be able to do it on a per-user basis however, which makes it pretty solid IMO.

    Defaults requiretty
    Defaults:upload !requiretty

There might also be some option to execute it via su, but I would need to investigate that a bit.
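The wrapper-plus-sudo approach sketched in OAFC_Rob's three steps above and the per-user requiretty override in trq's reply, put together as one installable script. This is an added example, not code posted in the thread; the user name "upload", the script and directory paths, and the file name /etc/sudoers.d/mail-upload are assumptions carried over from the posts. Two points a practitioner will want that the posts do not spell out: in sudoers, "Defaults:USER" applies to the account that calls sudo, which in this setup is nobody (the account the mail pipe runs as), not the target user; and the NOPASSWD rule should name the exact interpreter, flag and script so that nobody can run that one command as upload and nothing else. The fragment is only installed if visudo -cf accepts it, because a syntax error under /etc/sudoers.d breaks sudo for every user on the box.

```shell
#!/bin/sh
# Added example, not code from the thread. Run "install" once as root, then
# point the postfix/cPanel alias at:  |/home/my_server/runShellScrip.sh run
# The mail pipe runs this wrapper as "nobody"; the wrapper re-executes the
# real PHP script as the dedicated "upload" user via a narrowly scoped sudo rule.
# User name, paths and sudoers file name below are assumptions from the thread.

UPLOAD_USER="upload"
PHP_BIN="/usr/bin/php"
SCRIPT="/home/my_server/public_html/upload/upload_script.php"
UPLOAD_DIR="/home/my_server/public_html/upload/files"
SUDOERS_FILE="/etc/sudoers.d/mail-upload"

# The sudoers fragment. Two details carry the security value:
#  - the rule names the exact interpreter, flag and script, so "nobody" can
#    run that single command as "upload" and nothing else;
#  - !requiretty is scoped to the invoking user. "Defaults:USER" applies to
#    the account that calls sudo, which here is nobody, not the target user.
sudoers_fragment() {
    cat <<EOF
Defaults:nobody !requiretty
nobody ALL=($UPLOAD_USER) NOPASSWD: $PHP_BIN -q $SCRIPT
EOF
}

# Write the fragment only if visudo accepts it; a broken file under
# /etc/sudoers.d breaks sudo for everyone. Must run as root.
install_sudoers() {
    tmp=$(mktemp) || return 1
    sudoers_fragment > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "refusing to install: visudo rejected $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$SUDOERS_FILE"
    rm -f "$tmp"
}

# Replace the 777 directory with one writable by the upload user only.
# Group-readable so a web server placed in group "upload" (an assumption)
# can serve the files without being able to write them. Must run as root.
fix_upload_dir() {
    install -d -m 0750 -o "$UPLOAD_USER" -g "$UPLOAD_USER" "$UPLOAD_DIR"
}

# The exact command the wrapper runs. It must match the sudoers rule token
# for token (same binary, same flag, same path) or sudo refuses it.
# -n makes sudo fail instead of prompting, which is what you want when the
# caller is a mail pipe with no terminal.
wrapper_command() {
    printf 'sudo -n -u %s %s -q %s\n' "$UPLOAD_USER" "$PHP_BIN" "$SCRIPT"
}

# Entry point for the mail pipe: the message arrives on stdin and is passed
# through unchanged to the PHP script, now running as "upload".
run_wrapper() {
    exec sudo -n -u "$UPLOAD_USER" "$PHP_BIN" -q "$SCRIPT"
}

case "${1:-}" in
    install) install_sudoers && fix_upload_dir ;;
    run)     run_wrapper ;;
esac
```

If sudo still reports "you must have a tty", check which account the mail pipe actually runs as (for example by having the PHP script log the output of whoami to a file) and put that account, not the target user, in the Defaults: line.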
OAFC_Rob Posted May 2, 2013 (Author)

I've changed /etc/sudoers as mentioned and tried again, but it came back with the same response. Would I need to restart the server for this change to take effect?
jazzman1 Posted May 4, 2013

"Would I need to restart the server for this change to take effect?"

No, restarting only the mail server is enough to map the new user(s) to the tables. What OS are you using?