is there a safe way to run a script as root via apache?

sneakyimp

After much searching, I found a cool way to launch a daemon thread using exec:

$start_cmd = /path/to/script.php > /path/to/output.txt & echo $!';
$output = NULL; // will contain an array of output lines from the exec command
$result = NULL; // will contain the success/failure code returned by the OS.  Will be zero for a valid command, non-zero otherwise
$return = exec($start_cmd, $output, $result); // $return will contain the last line from the result of the command which should be the PID of the process we$

$start_results = array(
        'pid' => intval($return),
        'return' => $return,
        'start_cmd' => $start_cmd,
        'output' => $output,
        'result' => $result
);

The above code will return immediately and script.php will be started as a background process and can run indefinitely.

The problem I am having is that the script I want to launch is a socket server and, since it must bind to port 843, it must run as root. At least, I think it needs to run as root. It certainly gives me an error when I don't and it's my understanding that you can't bind to any ports under 1024 unless you are running as root.

At any rate, it seems to me that I could always to 'sudo' before the command. HOWEVER I don't know how I might go about supplying the password to a sudo command. Is there a flag you can use to supply the password in that single command? If not, I am not sure how to supply the password.

Also, this sounds a bit unsafe to me. The path to the script I want to run is basically hard wired but if someone were to edit the script it could run rampant with root permission.

Any advice about how to handle this situation would be much appreciated.

bpat1434

The ansewr is don't do it. Unless you create another user that has similar permissions to where it needs to be and chroot it to a specific area,... there's no "safe" way to do it.

I would rethink how it's working. Maybe run the service as a daemon all the time and have php connect to it as needed.

sneakyimp

The daemon/application is very simple. It's an endless loop that listens on a particular socket (843) for connections. When someone connects and says "<policy-file-request>", it send them the contents of a particular file. That's it. The reason for port 843 is because that is the port that Flash Player is hard-wired to connect to in order to obtain a socket policy file.

My goal here is to make starting/stopping this daemon convenient and easy.

One thing that has occurred to me is what to do if several users on a given machine all want to run this daemon process connecting to 843. Obviously that won't work because only one process can bind a given port. This makes me think that a system-wide service would be a better way to go. Perhaps create some way for individual users of a shared hosting machine to add their domain and port to those listed in the policy file by way of a database or something.

I'm starting to wonder if I should perhaps follow the example of apache or mysql which launch as root at startup and then change to some other user so they have fewer permissions. Hell, after binding to that port, I don't think this application needs any permissions at all except permission to open sockets and read or write them.