April 27th, 2013, 08:47 PM
A question/discussion on system privileges and web apps
This question could probably be posted in the php forum, but I doubt it would yield any propper results.
Im dabbling with a project in which I would like to perform som basic tasks in relation to network management through a web based interface (php) thus running on a web server (apache2)
My main problem is that a lot of these functions would require root privileges, such as socket_create for creating icmp,tcp,udp packets what have you.
To get it out of the way, we should not run anything public as root. But then what?
I have found out that one can setcap cap_net_raw=eip /usr/bin/php5 to enable php to create raw and packet sockets.
But what other solutions are available beside running as root/sudo/uid=0 and setcap?
Would it be possible to contain the system functions and app to limit access to the kernel?
How does commercial projects like pfsense deal with this issue?
let me hear your thoughts on this