[development] RFC: letting modules phone home to check for new releases
Larry Garfield
larry at garfieldtech.com
Thu Nov 23 02:33:50 UTC 2006
On Wednesday 22 November 2006 20:11, Steven Wittens wrote:
> Are we sure that you can't change the owner of the current process
> through Apache? We can execute arbitrary shell commands, if needed.
> The ideal solution could then be a script that can be invoked both
> from the web and from the command-line.
As far as I know, the only way to change the user the process is running as is
with the suexec apache module, in which case the process runs as the user
that owns the PHP script that is running. Otherwise, changing the owner of a
running process requires root access, something no web app should ever have.
Think about it from the other side: If you had a PHP script that could decide
to change the user it's running as to some arbitrary user, would YOU want it
on your server? I wouldn't.
> Through the browser, it would ask for your local username/password,
> and then perform the upgrade tasks (only from a very limited set of
> commands, e.g. unpacking module files and copying them into the right
> dir). From the command-line, it would just assume the current user is
> the right one already.
>
> Steven Wittens
All I can think of here off the top of my head would be exec()ing su, but
again any shared host that makes that possible I don't want to touch.
Although, there are web control panels for the system itself, like webmin.
I'm not entirely sure how they do their thing. That may be something to look
into, but I still expect that any shared web host worth the money is going to
not allow a normal user to run anything like that, on principle.
--
Larry Garfield AIM: LOLG42
larry at garfieldtech.com ICQ: 6817012
"If nature has made any one thing less susceptible than all others of
exclusive property, it is the action of the thinking power called an idea,
which an individual may exclusively possess as long as he keeps it to
himself; but the moment it is divulged, it forces itself into the possession
of every one, and the receiver cannot dispossess himself of it." -- Thomas
Jefferson
More information about the development
mailing list