I am trying to make a web C++ compiler. Now I am stuck on a security issue of my website. I can run system("whoami"); and other malicious commands from my website to be run on the server. I am looking for a way to avoid that.
- Website sends user written code to PHP back end server
- PHP server creates a main.cpp file and writes the code into it.
- PHP runs shell_exec to compile main.cpp into .exe:
sudo g++ main.cpp -o compiled.exe
It was achieved by modifying sudoers file by adding: www-data ALL=(ALL) NOPASSWD: ALL
Yeah, it works only with the sudo command, because the PHP user doesn't have access to g++?
If I run command without sudo, I got this error:
g++: fatal error: cannot execute 'cc1plus': execvp: No such file or directory compilation terminated.
I tried to check it with shell_exec("whoami");, and it returns me www-data. How can I allow www-data to access the g++ process without sudo?
It would be nice to solve that without using the sudo command. And the next problem: I can write code in C++ which prints all directories/files of my server. I think I need to make a new user, allow it to access only a specific home directory, and allow it to run only g++? I read it can be done with chroot, but I am green with servers and configurations.
I found info on the net on how to allow a specific user to access only folder X, but not on how to also allow using g++. Thanks in advance for any help and sorry for my bad English :)
Idea:
- User registers on website
- PHP creates coder-1 (coder-id) user in system (linux)
- PHP creates /var/www/site/builds/1 directory.
- Need to allow coder-1 user to access only /builds/1 directory and g++ process to compile code which will be saved into this directory.
Here are my suggestions:
1. Create a new group called gcc_compile (whatever name you want).
2. Check the g++ path:
   which g++
   Output:
   /usr/bin/g++
3. Check permission:
   ls -ld /usr/bin/g++
   Output:
   -rwxr-xr-x 4 root root 772704 Sep 30 2020 /usr/bin/g++
   Add permission for gcc_compile:
   chown root:gcc_compile /usr/bin/g++
   Add permission to path:
   chown php:gcc_compile /var/www/site/builds/1
   Add PHP users into gcc_compile group.
I hope this works.
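As an added example (not code from the question or the answer), here is a compile wrapper that the PHP back end could call instead of running "sudo g++" through shell_exec. It runs g++ as the unprivileged web user with no sudo at all, accepts only a numeric coder id so the id can never turn into a "../" path, compiles only the main.cpp that sits inside that coder's own directory under the builds root, and puts a CPU, memory and wall-clock limit on the compiler. The script name, the BUILDS_ROOT environment override and the exit codes are assumptions of this example, not something the question or answer defines.

```shell
#!/bin/bash
# Added example, not part of the question or the answer.
# Intended call from the PHP back end (assumed interface):
#   ./compile.sh <coder-id>
# The back end writes the user's code to $BUILDS_ROOT/<coder-id>/main.cpp
# before calling this script. BUILDS_ROOT defaults to the path used in the
# question and may be overridden through the environment.

# Only a plain numeric id is accepted, so an attacker-controlled id such as
# "../../etc" can never escape the builds root.
validate_build_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Per-user build directory, derived only from a validated id.
build_dir() {
    printf '%s/%s\n' "${BUILDS_ROOT:-/var/www/site/builds}" "$1"
}

# Compile $dir/main.cpp to $dir/compiled.exe for coder $1, as the current
# (unprivileged) user, without sudo. Exit status (assumed convention):
#   2   bad id
#   127 g++ (or timeout) not installed
#   124 compiler hit the wall-clock limit
#   otherwise g++'s own exit status
compile_submission() {
    local id="$1" dir gxx
    validate_build_id "$id" || return 2
    dir="$(build_dir "$id")"
    [ -f "$dir/main.cpp" ] || return 1
    gxx="$(command -v g++)" || return 127
    command -v timeout >/dev/null 2>&1 || return 127
    # Hard caps so a hostile translation unit cannot exhaust the server:
    # 10 s CPU, 1 GiB address space, 20 s wall clock. Running inside $dir
    # with a relative -o keeps the output file inside that directory.
    (
        cd "$dir" || exit 1
        ulimit -t 10 -v 1048576
        timeout 20 "$gxx" -O0 -o compiled.exe main.cpp
    )
}

# Allow running as a script: ./compile.sh <coder-id>
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    compile_submission "$1"
fi
```

With this wrapper the sudoers line "www-data ALL=(ALL) NOPASSWD: ALL" can be removed, which is the part of the setup that turns any system() call in user code into root. The wrapper only bounds the compile step; actually executing compiled.exe still happens as www-data, so the chroot or per-user isolation the question asks about remains a separate step for the run stage.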