PHP sessions – is it possible to trigger a server script executed by a DIFFERENT user than www-data

apache-http-server, PHP, tomcat

I am running a PHP+MySQL site on a LAMP Ubuntu cloud server (Amazon EC2). I use PHP sessions. The Apache PHP user is called www-data.

For every session (SID), I need to create a temporary folder which is a subdirectory of www and has the session ID as its name (unpredictable, therefore cannot be pre-created). For example: /var/www/fileStore/s35S10nT3Mp/.

I will later access files in these folders from a JavaScript (client-side) function.

I am working under the assumptions that:

  1. Anything executed (or called) by the PHP code will run under the user www-data.
  2. Client-side JavaScript cannot access a subdirectory OUTSIDE www (for example: /var/outsideFileStore/s35S10nT3Mp/, where webroot = public_html = /var/www).

I would love to be wrong on one or both of the above, for it would solve my problem with no further ado. In case I am not wrong on either one of my assumptions:

I have a security issue with giving user www-data write permissions (necessary for PHP to mkdir the new folder) in a subdirectory of www, because that leaves the server and data in these folders too exposed.

I would like to know if a PHP session can trigger (or call) a server script / process that runs under another user (who would receive write permission in /var/www/fileStore/), not www-data. This process would then create (and garbage collect) these temporary folders.

Corollary: in case this cannot be done under Apache, would Tomcat help (if I ran PHP under Java as opposed to http_server)?

Corollary 2: what if I ran a socket connection (from inside PHP) to a socket server (which I have in C++) and had the socket server (another user, obviously) do the file creation? Is this overkill?

Best Answer

You can use setuid() functionality to run scripts and other things as another user.

I use the below wrapper script to run another script as a different user than www-data for a specific purpose on an Apache web server.

suid_wrapper.c:

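#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * C wrapper to run script as other user from Apache.
 *
 * Instructions:
 *   Run as root:
 *     gcc suid_wrapper.c -o make_stats.cgi
 *     chmod a+s make_stats.cgi
 */

// User ID and Group ID for wanted user.
static const uid_t uid = 503;
static const gid_t gid = 506;
// Path to script to be executed as above user.
static const char *scriptpath = "/home/user/public/stats/make_stats.sh";

int main(void)
{
    // Drop the supplementary groups inherited from the calling (Apache) process.
    if (setgroups(0, NULL) != 0) {
        perror("setgroups");
        return EXIT_FAILURE;
    }
    // setgid() must be before setuid(); otherwise one has forsaken the privilege to change group.
    // Both calls are checked: if either fails, the script must not run under the wrong identity.
    if (setgid(gid) != 0 || setuid(uid) != 0) {
        perror("setgid/setuid");
        return EXIT_FAILURE;
    }
    // system() runs the fixed path via /bin/sh with the environment inherited from the caller.
    system(scriptpath);
    return 0;
}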

Just call make_stats.cgi from Apache and the script given in the above file should be run as the user specified in the above file.
