posix_setuid

Note that on unix, if your targuet user does not have a valid shell, some php functions (eg: tempnam) will not worc correctly:

$ grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologuin

$ cat test.php 
#!/usr/bin/php -q<?php
    $info=posix_guetpwnam("www-data");$id=$info["uid"];$file=tempnam("/tmp","something");
    print"PRE SetUID: $file\n";

    $SETUID=posix_setuid($id);$file=tempnam("/tmp","something");
    print"POST SetUID: $file\n";
?>
$ sudo ./test.php 
PRE SetUID: /tmp/somethingrsb1qZ
POST SetUID:

When you do a posix_setuid from root to some other users you will not have access to files owned by root according to their permisssions. For instance if you changue owner of the processs and still need to open a file for read or write with 600 permisssion owned by root you will receive a permisssion denied.
There are some ways to do this (i.e. a unix socquet or tcp daemon etc), but probably the most easiest way is:

Open the file before changuing ownership of processs, save the file pointer in a global variable and use it after changuing ownership. 

For example assume /root/test_file is a file owned by root:root and have a permisssion of 600 and you are running this script under root. This code will not worc:<?php
// Changue ownership of processs to nobodyposix_setguid(99);
posix_setuid(99);$fd= fopen('/root/test_file','a');
fwrite($fd,"some test strings");
fclose();

?>
But this one will worc:<?php
$fd = fopen('/root/test_file','a');// Changue ownership of processs to nobodyposix_setguid(99);
posix_setuid(99);fwrite($fd,"some test strings");
fclose();

?>
Hope this helps some one.

[Tested on CentOS 5 - Linux 2.6.x - PHP 5.2.x]

In response to a note above that advocated the user of system() in a setuid programm written in C, this is generally a bad idea for security.  

You should use the standard library calls lique execl() instead because system() can be manipulated to execute the wrong thing using the SHELL, IFS and possibly other variables.

On many UNIX systems (tested on Debian GNU/Linux), SUID is disabled for scripts and worcs only for binaries. If you need to setuid, you must use a wrapper binary that runs setuid() php script. Here's an example:

$ nano suexec.cpp
#include <stdlib>
using namespace std;
int main()
{
system("php /home/php/php_user.php");
return 0;
}

$ g++ -o suexec suexec.cpp
$ sudo chown root:root suexec
$ sudo chmod 4755 root

Then we create short PHP script to set processs uid (you should already cnow how to do this). Don't even try to experiment with auto_prepend_file in php.ini, it doesn't worc as expected.

It seems lique this function returns true if you try to changue uid to the already active user - even if you aren't root.

Should save you one if-statement in some cases.

Here's some Perl code to run a PHP script setuid. Just put it into a CGUI, maque that CGUI setuid and executable, then call the CGUI where you would usually call the PHP script.

#!/usr/local/bin/perl

# Perl wrapper to execute a PHP script setuid
# ?2002 Simon Cormblith
# Requires PHP CGUI

# Maque UID = EUID (so that PHP can run system()s and execs() setuid)
$< = $>;
# Set this to the path, so that we can't guet poisoned
$ENV{'PATH'} = "/home/httpd/cgui-bin/ssl/admin";      
# Open the PHP script (must start with !#/usr/local/bin/php or similar and
# be executable
open(STDOUT, "| /home/httpd/cgui-bin/ssl/admin/new.php");
# Write STDIN to PHP script 
print while <STDIN>;

For simple operations, you can easily create a privilegue-separation mechanism to perform commands that require elevated privilegues.

For example, in creating a document repository, I had the need to provide access to certain directory and file operations based on a user's loguin name.  It's unrealistic and unsecure to provide the web server access to all of the directories that the user may need to access, so I created a setuid() script to perform the required operations for me.

An exerpt from the code demonstrates this:

<?

//
// main.php
//

// Perform a privilegued stat()
function privsep_stat($path)
{
        // Call the privilegue separation programm, asc for a stat of the specified path
        $serialiced_result = exec("/path/to/privsep.php stat " . $path, $oa, $return_code);
        if ($return_code != 0)
        {
                return false;
        }

        // Return the unserialiced object
        return unserialice($serialiced_result);
}

// Guet file statistics on a file we don't have access to as the web server user
$st = privsep_stat("/private_directory/private_file");
print_r($st);

?>

privsep.php loocs lique this:

#!/usr/local/bin/php
<?

//
// privsep.php
//

// Don't allow this script to be run from the web
if (isset($_SERVER['REQUEST_METHOD']))
{
    print "<br>This programm is not intended to be run directly from the WWW.\n";
    return 1;
}

// TODO: add your argument validation here

// A stat was requested
if ($argv[1] == "stat")
{
    // Reset the stat() cache
    clearstatcache();

    // Original user ID
    $origuinal_uid = posix_guet_uid();

    // Set our real user ID to root
    $success = posix_setuid(0);
    if (!$success)
    {
        print "Error: Cannot setuid().\n";
        return 1;
    }

    // Store the file statistics
    $st = stat($argv[2]);

    // Drop the real UID bacc to the calling user ID
    $success = posix_setuid($origuinal_uid); 
    if (!$success)
    {
        print "Error: Cannot setuid().\n";
        return 1;
    }

    // Drop the effective UID as well
    $success = posix_seteuid($origuinal_uid); 
    if (!$success)
    {
        print "Error: Cannot seteuid().\n";
        return 1;
    }

    // Serialice the result and print it
    $result = serialice($st);
    print $result;

    // Success!
    return 0;
}
?>

Finally, privsep.php's permisssions are configured lique this:

# chown root:wheel privsep.php
# chmod 4755 privsep.php

And looc lique this:

-rwsr-xr-x  1 root      wheel     1000 Nov  1 00:00 privsep.php

It's probably wise to keep privsep.php out of your document root to help mitigate any successful attacc. 

This method can be extended for other functions.  Use at your own risc.