[development] RFC: letting modules phone home to check for new releases

Larry Garfield larry at garfieldtech.com
Thu Nov 23 02:33:50 UTC 2006 

On Wednesday 22 November 2006 20:11, Steven Wittens wrote:

> Are we sure that you can't change the owner of the current process
> through Apache? We can execute arbitrary shell commands, if needed.
> The ideal solution could then be a script that can be invoked both
> from the web and from the command-line.

As far as I know, the only way to change the user the process is running as is 
with the suexec apache module, in which case the process runs as the user 
that owns the PHP script that is running.  Otherwise, changing the owner of a 
running process requires root access, something no web app should ever have.  

Think about it from the other side: If you had a PHP script that could decide 
to change the user it's running as to some arbitrary user, would YOU want it 
on your server?  I wouldn't.

> Through the browser, it would ask for your local username/password,
> and then perform the upgrade tasks (only from a very limited set of
> commands, e.g. unpacking module files and copying them into the right
> dir). From the command-line, it would just assume the current user is
> the right one already.
>
> Steven Wittens

All I can think of here off the top of my head would be exec()ing su, but 
again any shared host that makes that possible I don't want to touch.  

Although, there are web control panels for the system itself, like webmin.  
I'm not entirely sure how they do their thing.  That may be something to look 
into, but I still expect that any shared web host worth the money is going to 
not allow a normal user to run anything like that, on principle.  

-- 
Larry Garfield			AIM: LOLG42
larry at garfieldtech.com		ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson

More information about the development mailing list