and just to be safe wrap it all up in a VIMAGE jail
On 1 October 2013 14:39, Ronald Klop <ronald-freeb...@klop.yi.org> wrote:

> On Fri, 27 Sep 2013 23:50:02 +0200, Charles Swiger <cswi...@mac.com> wrote:
>
>> Hi--
>>
>> On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdm...@gmail.com> wrote:
>>
>>> Hello there,
>>> It's quite off-topic, but I'm using freebsd-stable, so
>>>
>>> The problem is - running a script that requires root privileges via PHP (or
>>> probably CGI - I do not care, just want it to be secure and working).
>>
>> Unfortunately the combination of PHP, doing something which needs root, and
>> security are inherently contradictory.
>>
>> The least risky approach would be to invoke the needed command via sudo, or
>> possibly a small setuid-root C wrapper program which launches only the
>> needed script with root permissions. Use sudo unless your C wrapper is
>> careful enough to use exec() and not system(), sanitizes $PATH and other env
>> variables, and guards against games with $IFS, shell metachars, and such.
>>
>> Regards,
>
> Use sudo, because your home grown C wrapper will make all the mistakes
> which are already solved in sudo. Or will be spotted in the future in sudo
> and will never be spotted in your program.
> Chances are high that future requirements of your C wrapper will turn it
> into a little sudo.
>
> Ronald.

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
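
Added example, not code from any message in this thread: a sketch of the precautions listed in the quoted advice for a setuid-root C wrapper (exec() instead of system(), a fixed environment replacing the caller's $PATH and $IFS, no shell parsing of arguments). The script path `TARGET` and the helper name `run_clean` are hypothetical, and the binary is assumed to be installed setuid-root with the target script root-owned and not writable by the web user.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical path: the one root-owned, non-writable script to launch. */
#define TARGET "/usr/local/libexec/privileged-task.sh"

/* Fixed environment: nothing from the caller (PATH, IFS, LD_*) survives. */
static char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    "IFS= \t\n",
    NULL
};

/* Run argv[0] (must be an absolute path) with clean_env and no shell in
 * between. Returns the child's exit status, or -1 on any failure. */
int run_clean(char *const argv[])
{
    int status;
    pid_t pid;

    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;                  /* refuse relative paths: no PATH search */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Make real ids match effective ids so the script runs fully as
         * the file owner (root when the wrapper is installed setuid-root). */
        if (setgid(getegid()) != 0 || setuid(geteuid()) != 0)
            _exit(126);
        execve(argv[0], argv, clean_env);   /* exec(), never system() */
        _exit(127);                 /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Arguments are fixed here; nothing from the web request is passed on. */
    char *const argv[] = { TARGET, NULL };
    int rc = run_clean(argv);
    return rc < 0 ? 1 : rc;
}
```

Supplementary groups, resource limits, open file descriptors and signal state are not handled here.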