| Webapp PHP executing external java programs [message #180697] |
Mon, 11 March 2013 20:24  |
israel
Messages: 3
Registered: March 2013
Karma: 0
|
Junior Member |
|
|
Hello,
I have a webapplication written in PHP.
From this app I have a list of different java programs that run outside the php environment and produce some output.
Basically from the webbapp I need to start and stop these external java programs. (Stop the program is not a problem)
For example I should run something like:
START
"java -cp lib/mylibs.jar mycode.HelloWorld"
STOP
write a special signal in my DB, this is already working properly.
I know that I can do it I am just asking how do you think I need to organize my filesystem to keep it safe, any suggestions or example that I can check ??
Any framework I can use for this purpose ?
Security is extremly important and I have to avoid that someone can explit this and execute commands on my server...
thank you
|
|
|
|
| Re: Webapp PHP executing external java programs [message #180698 is a reply to message #180697] |
Mon, 11 March 2013 21:24  |
J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 11/03/13 21:24, israel wrote:
> Hello,
>
> I have a webapplication written in PHP.
> From this app I have a list of different java programs that run outside the php environment and produce some output.
> Basically from the webbapp I need to start and stop these external java programs. (Stop the program is not a problem)
>
> For example I should run something like:
>
> START
> "java -cp lib/mylibs.jar mycode.HelloWorld"
>
> STOP
> write a special signal in my DB, this is already working properly.
>
> I know that I can do it I am just asking how do you think I need to organize my filesystem to keep it safe, any suggestions or example that I can check ??
I guess you are thinking of exec() and the similar functions, while I
worked with web hosting, those functions was one of the most used to
install bots and other nasty things on the web servers, so I took the
maybe most unpopular decision and disable them all in the php.ini.
I would opt for a service which starts the java applications, the
service running as a really low privileged user, the service would just
start the right application when called from the php script, just taking
as few arguments as possible, for example just the "application name",
even if the web page would be compromised, nothing else would not be
possible to start than those things you already have decided and as they
run as unprivileged user, there shouldn't be much harm done.
> Security is extremly important and I have to avoid that someone can explit this and execute commands on my server...
See to having SELinux up and running, will limit what each user can do,
for example if you go with the daemon option, you could limit the user
to be only able to start those java applications and nothing else.
--
//Aho
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]