I am a fairly new PHP coder. I have an Apache server running PHP 4.3.9 on which I am trying to bang up a small tool for our internal users. The tool is structured in the following way: PHP code ---calls---> Perl script ---accesses---> File on a protected file system
When you open up the .php page in the browser, authentication is automatic. It is taken care of in the background by, I believe, LDAP. $_SERVER["PHP_AUTH_USER"] & $_SERVER["PHP_AUTH_PW"] get populated automatically and correctly.
If I run a whoami in my PHP code, then I see the user as 'apache'. So the Perl script is called in the context and with the privileges of user 'apache'. These privileges are used to access the file on the protected file system. 'apache' doesn't have the required privileges to access this file & the Perl script fails. If I SSH to this server and run the Perl script directly on the shell, it works without any problems because it runs under my user privileges.
What I want to do is to run the Perl script with the privileges of the already authenticated user. I can probably figure out a way to just pass $_SERVER["PHP_AUTH_USER"] & $_SERVER["PHP_AUTH_PW"] to the Perl script as arguments and then use them to access the file. I was wondering if there is a better way to do it.
Any recommendations? Thanks in advance!
There are lots of ways to do this - the trick is doing it securely.
Ultimately the Perl script has to run with a different uid than the webserver. You've not said whether it's practical to change the code of the Perl script. Possible solutions are:
1) amend the Perl script to run as a daemon, allowing socket connections to invoke from your PHP code - since you want to run it potentially as multiple users then it would need to run as root and know how to authenticate the credentials sent to it.
2) configure sudo on the system to allow the webserver uid to run the Perl script as a different user and prompt for authentication
3) configure [x]inetd to listen on a specific port and run the script as the desired uid when your PHP code connects - again this needs to start as root, validate the credentials and setuid() but doesn't need to run as a daemon.
4) use the ssh extensions in PHP to create a ssh connection to localhost as the desired user and run the script
(I don't see how invoking it via crontab provides for privilege separation.)
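Option 4 above, worked through as an added example (not code from either poster): the PHP page opens an SSH connection to localhost as the already-authenticated user and runs the Perl script there, so the script gets that user's uid and the kernel enforces the file permissions. It assumes the PECL ssh2 extension is installed, that sshd on localhost accepts password authentication, and that the script sits at the hypothetical path /usr/local/bin/report.pl; the function name is mine.

```php
<?php
// Added example: run the Perl script as the web-authenticated user over SSH
// to localhost (PECL ssh2 extension assumed; script path is hypothetical).

function run_as_authenticated_user($user, $pass, $arg)
{
    // Accept only names that look like local accounts; anything else is
    // rejected before it reaches sshd or a shell.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        return array(false, 'invalid username');
    }

    $session = @ssh2_connect('127.0.0.1', 22);
    if (!$session) {
        return array(false, 'could not connect to localhost sshd');
    }

    // sshd checks the password against the same account database the web
    // login used; the password never appears on a command line or in argv.
    if (!@ssh2_auth_password($session, $user, $pass)) {
        return array(false, 'authentication failed');
    }

    // The command runs under the user's own uid. escapeshellarg() keeps
    // user-supplied data from being interpreted as shell syntax.
    $cmd = '/usr/local/bin/report.pl ' . escapeshellarg($arg);
    $stream = ssh2_exec($session, $cmd);
    if (!$stream) {
        return array(false, 'exec failed');
    }

    // Read the whole output; fread/feof loop rather than
    // stream_get_contents() so this also works on PHP 4.3.
    stream_set_blocking($stream, true);
    $output = '';
    while (!feof($stream)) {
        $output .= fread($stream, 8192);
    }
    fclose($stream);

    return array(true, $output);
}

// Page handler: credentials come from the HTTP auth headers that the
// front-end authentication already populated.
list($ok, $result) = run_as_authenticated_user(
    $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], 'daily');
header('Content-Type: text/plain');
echo $ok ? $result : "error: $result\n";
```

Because authentication is delegated to sshd, a failed login is logged by the system's normal auth logging, and the web server itself never needs any rights on the protected file system.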