and just to be safe wrap it all up in a VIMAGE jail
On 1 October 2013 14:39, Ronald Klop <[email protected]> wrote:

> On Fri, 27 Sep 2013 23:50:02 +0200, Charles Swiger <[email protected]>
> wrote:
>
>> Hi--
>>
>> On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <[email protected]>
>> wrote:
>>
>>> Hello there,
>>> It's quite off-topic, but I'm using freebsd-stable, so
>>>
>>> The problem is - running a script that requires root privileges via PHP
>>> (or probably CGI - I do not care, just want it to be secure and working).
>>
>> Unfortunately the combination of PHP, doing something which needs root,
>> and security are inherently contradictory.
>>
>> The least risky approach would be to invoke the needed command via sudo,
>> or possibly a small setuid-root C wrapper program which launches only the
>> needed script with root permissions. Use sudo unless your C wrapper is
>> careful enough to use exec() and not system(), sanitizes $PATH and other
>> env variables, and guards against games with $IFS, shell metachars, and
>> such.
>>
>> Regards,
>
> Use sudo, because your home grown C wrapper will make all the mistakes
> which are already solved in sudo. Or will be spotted in the future in sudo
> and will never be spotted in your program.
> Chances are high that future requirements of your C wrapper will turn it
> into a little sudo.
>
> Ronald.
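The precautions Charles Swiger lists in the quoted message (exec() rather than system(), a sanitized environment, no shell metacharacters), shown as an added C example that is not part of the thread. The script path and the single-argument interface are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical path: a root-owned script the web user cannot modify. */
#define TARGET "/usr/local/libexec/site-task.sh"

/* Fixed environment for the child. Nothing is inherited from the caller,
 * so PATH, IFS, ENV, LD_* etc. set by the web process never reach it. */
static char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    "HOME=/var/empty",
    NULL
};

/* Return the fixed environment so callers can inspect it. */
char *const *build_clean_env(void) { return clean_env; }

/* Allowlist check for the one argument: 1..32 chars of [A-Za-z0-9_-],
 * not starting with '-'. Rejects shell metacharacters, whitespace,
 * path separators and option-looking strings. */
int arg_is_safe(const char *s)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t n;
    if (s == NULL || s[0] == '-') return 0;
    n = strlen(s);
    if (n == 0 || n > 32) return 0;
    return strspn(s, ok) == n;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !arg_is_safe(argv[1])) {
        fprintf(stderr, "usage: wrapper <name>\n");
        return 2;
    }
    /* When installed setuid-root, set the real uid too; FreeBSD sh resets
     * the effective uid if it differs from the real one. Fail closed. */
    if (geteuid() == 0 && setuid(0) != 0) return 1;
    char *const child_argv[] = { TARGET, argv[1], NULL };
    /* execve() runs the target directly; no /bin/sh parses a command
     * line the way it would with system(). */
    execve(TARGET, child_argv, build_clean_env());
    perror("execve");
    return 1;
}
```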
