Publicly-accessible PHP script run as root

DanH42

I've got some pre-defined maintenance functions (shell scripts) that I'd like to be able to trigger from outside the server. They're non-critical, and there's no risk if someone else gets hold of the URL and triggers them themselves. I'd like to just call them from PHP using shell_exec, but that's disabled in php.ini for all accounts for security reasons.

Obviously there will need to be lots of security considerations here. I'm well aware of that already.

I tried writing a WHM plugin (which is run as root, and can bypass the disable_functions restriction), but when I try requesting it I just see a login page, even though I set the ACL to "any". Is there a place I can put a PHP script where it will be run by WHM's PHP instance, accessible at myIP:2087, that can be called without logging in?
 

cPanelMichael

Hello :)

I have moved this thread to the "Security" forum. You should receive more user-feedback here.

Thank you.
 

quizknows

Have you also disabled passthru? It can accomplish the same as shell_exec.

Depending on your PHP handler, you could put a php.ini in the same directory as the PHP scripts to override disable_functions just for that directory.

Personally, I'd recommend you just set up a cron job in root's crontab to run the scripts periodically if that's an acceptable solution. It should be easier and more secure, especially if the stuff needs root privs anyway.
 

DanH42

passthru is also disabled, and I'd like shell commands to remain disabled. The commands I need to run do need to be executed as root, which is why I thought WHM's runtime would be a perfect place for them, since I wouldn't need to open any extra ports or anything.

Cron would be usable as a last resort, but I'd like to be able to call the scripts on demand, rather than at an interval.
 

quizknows

You could probably make and register your own WHM plugin to run them; however, you would still need to log in. (Edit: I see you tried this.) I'm not aware of a way to do this without requiring login to WHM.

Honestly, I would either just use cron, or do something like this:

Make a root cron which checks for $somefile, which can be created by an unprivileged user's application. If $somefile exists, then your scripts run. I.e., have a PHP script that you can access publicly, that when accessed, touches an empty file ($somefile). When the root cron sees the file, it runs your other script and removes the file. It won't run the other script again until the check file is re-created by accessing the page. This should be pretty simple to accomplish, and eliminates the need for the PHP page you're accessing to have root privs.
 
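The root cron half of the flag-file approach described in the last post, as an added example that is not code from the thread. The paths, the function name `check_and_run` and the return codes are assumptions; the public PHP page only needs to call `touch()` on the flag path.

```sh
#!/bin/sh
# Root-side half of the flag-file pattern, run from root's crontab.
# All paths below are assumptions made for this example.
FLAG="${FLAG:-/home/webuser/maint/run.flag}"   # touched by the public PHP page
JOB="${JOB:-/usr/local/sbin/maintenance.sh}"   # root-owned script to run
LOCK="${LOCK:-/var/run/maint-trigger.lock}"    # directory used as a mutex

# Returns: 0 job ran, 1 no request pending, 2 refused,
#          3 previous run still active, 4 job exited non-zero.
check_and_run() {
    # The flag sits where an unprivileged user can write, so it is untrusted:
    # only test that it exists; never read, source or execute it.
    [ -L "$FLAG" ] && return 2            # symlink planted in place of the flag
    [ -e "$FLAG" ] || return 1            # nothing requested
    [ -f "$FLAG" ] || return 2            # directory, FIFO, device, ...

    # Refuse a job that anyone other than the invoking user (root under
    # cron) owns or could have modified.
    [ -O "$JOB" ] && [ -x "$JOB" ] || return 2
    case "$(ls -ld -- "$JOB")" in
        ?????w*|????????w*) return 2 ;;   # group- or world-writable
    esac

    # mkdir is atomic, so only one cron tick gets past this line. A run that
    # is killed leaves the directory behind and needs manual cleanup.
    mkdir "$LOCK" 2>/dev/null || return 3

    # Consume the request before running: a request arriving during the run
    # is kept for the next tick instead of being deleted with this one.
    rm -f -- "$FLAG"
    rc=0
    "$JOB" </dev/null || rc=4             # fixed path, no caller-supplied input
    rmdir "$LOCK"
    return "$rc"
}

# Stand-alone use from cron: script.sh --cron
if [ "${1:-}" = "--cron" ]; then
    check_and_run
fi
```

A root crontab entry such as `* * * * * /usr/local/sbin/maint-trigger.sh --cron` (hypothetical path) polls once a minute, so a request waits at most that long.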