-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make it possible to run occ as root #33545
base: master
Are you sure you want to change the base?
Conversation
occ
Outdated
if (posix_getuid() == 0){ | ||
$command = implode (' ', $argv); | ||
echo(shell_exec('sudo -u www-data '.$command)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if (posix_getuid() == 0){ | |
$command = implode (' ', $argv); | |
echo(shell_exec('sudo -u www-data '.$command)); | |
if (posix_getuid() === 0) { | |
$command = implode (' ', $argv); | |
echo shell_exec('sudo -u www-data ' . $command); |
return code is being killed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
occ
Outdated
if (posix_getuid() == 0){ | ||
$command = implode (' ', $argv); | ||
echo(shell_exec('sudo -u www-data '.$command)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
occ
Outdated
// make it possible to run as root | ||
if (posix_getuid() == 0){ | ||
$command = implode (' ', $argv); | ||
echo(shell_exec('sudo -u www-data '.$command)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
www-data
might not be the default user name for the HTTP server though, mostly only Debian-based systems use that. RedHat-based systems or ArchLinux use an user named http
by default.
Also, does this forwards environment variables?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what we do in other places is read the user name from the config file, basically the owner of "config/config.php" and use that to check if the correct user is being used
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This makes sense unless config_is_read_only
is used, then the config file owner could be something irrelevant such as root
, as long as the http server user has read access.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well in worst case you can not use the root shortcut then and need to manually sudo -u yourwebserver-user occ
?
@karlitschek I believe we can close this PR since it was originally planned/needed as a pre-requisite for Nc Guard, right? |
make it possible to run as root Signed-off-by: Frank Karlitschek <karlitschek@users.noreply.github.com>
5ec47c7
to
ab8c6f1
Compare
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Finding the right user is doable from config.php ownership guessing. The tricky part is STDIN/STDOUT/STDERR handling. Neither with shell_exec nor proc_open I was able to connect the parent process pipes with the child process. shell_exec makes the parent block when occ asks for input (e.g. when you make a typo or when it needs confirmation). I've pushed some fixes that make this work on a non-Debian system too. |
make it possible to run as root
To do