: Sudo mandatory for system() or exec() from PHP 5 In our enterprise we have several workers and collaborators. For the external collaborators, we have specific FTP accounts to restricted folders

@LarsenBagley505

The most secure thing to do in this instance is to prevent these temporary user accounts from having sudo access on the server. If they are able to upload a PHP file to the server and run it through their browser then this is a greater security hole than you may realise. On the first hand the server could be misconfigured to run PHP files as the user who uploaded them in which case that indicates that all these temporary contract users have been given root level sudo access which they shouldn't have. In the other case if the server is running all PHP files under the web server user (similar to www-user) which is the way it should be configured that then indicates that the www-user account has sudo access which is even more dangerous as anyone who connects to the web server can then run a sudo command if they can feed one in through a badly written PHP file that does not prevent dangerous commands being passed through it.

Best thing here is to limit sudo access to staff who absolutely need it and absolutely disable it for the apache www-user account.

Vote Up Vote Down