Executing commands greater than PHP is authorized to do

[NotionCommotion]

Trying to do the following:

1. ClientX operating as User123 creates a socket connection to Server, and Server accepts the connection.
   
2. At some time in the future, Server sends a message telling ClientX to perform some command (i.e. "ls /some/directory/").
   
3. ClientX executes the command using exec($request->command) where $request->command="ls /some/directory/".
   
4. ClientX captures the output of the command, and sends it back to Server.
   

Now, instead of Server requesting ClientX to perform the task "ls /some/directory/", it requests ClientX to perform some task which User123 does not have authority to do such as reboot, etc.

 

Will Server need to send ClientX each command prefixed with "sudo", and possibly useing sudo -S ..., or can this be performed differently?

 

PS.  Yes, I will whitelist and recognize this could be dangerous, and don't wish to change User123's permission to normally have permission to do these commands.

[requinix]

Your choice. Personally, if the server is telling the client to execute specific commands (not simply "show me the contents of /some/directory", which I think would be better) then the server is the one responsible for deciding what to do if the command is not allowed.

[NotionCommotion]

Agree it needs to be the server who is responsible, and likely will not even whitelist.  I meant to ask an almost totally different question, and instead of modifying this one, will just start over.  Thank you for your response.