How can I ensure a user can not run a PHP script and that it is only ever run as part of a cron job?
如何确保用户不能运行PHP脚本,并且该脚本只能作为cron作业的一部分运行?
5 个解决方案
#1
15
You can set an environment variable in your crontab. A line like IS_CRON=1 can be placed at the beginning of your crontab, then check in your php program for get_env("IS_CRON") == 1.
您可以在crontab中设置一个环境变量。可以在crontab的开头放置一行IS_CRON=1,然后在php程序中检查get_env(“IS_CRON”)=1。
Of course, you should also use file permissions as they're not so easily bypassed. If this is run as part of root's cron, chown root:root yourscript.php and chown 700 yourscript.php.
当然,您也应该使用文件权限,因为它们不容易被忽略。如果这是作为root的cron的一部分运行,那么chown root:root yourscript。php和chown 700 yourscript.php。
As ircmaxell says, it'd be better to run as a user other than root assuming you don't need root permissions for what you're doing. I was just taking a guess about your setup.
正如ircmaxell所说,如果您所做的事情不需要root权限,那么最好作为用户而不是root用户来运行。我只是猜一下你的计划。
#2
8
How about having your PHP script check if $_SERVER['REMOTE_ADDR'] is empty, and if it is not, then have the script exit without doing anything further.
让您的PHP脚本检查$_SERVER['REMOTE_ADDR']是否为空,如果不是,那么在不做任何操作的情况下执行脚本退出。
#3
5
There are probably a number of ways to do this. Off the top of my head, I would say that placing it in a directory owned by root, and only readable by root might get close to achieving the effect you are looking for.
可能有很多方法可以做到这一点。在我的脑海中,我想说,将它放在根目录中,并且只有根目录可读,可能会接近实现您正在寻找的效果。
Are there any processes you are looking specifically to restrict it from? If so, using permissions, make it not readable to any of those processes.
你有没有特别想要限制它的进程?如果是这样,使用权限,使其不能读到这些进程中的任何一个。
#4
2
I would suggest setting an environment variable within your crontab and then checking for this within your PHP script
我建议在crontab中设置一个环境变量,然后在PHP脚本中检查这个变量
#5
1
Create a user for cron jobs, and set permissions of the script so it can only be run as this user. Of course you then need to put the script in that user's crontab, which you can do by logging in as that user and running crontab. Just don't give that user's password to just any other user...
为cron作业创建一个用户,并设置脚本的权限,使其只能作为该用户运行。当然,您需要将脚本放到用户的crontab中,您可以作为用户登录并运行crontab。只是不要把用户的密码给其他用户……
At first I was also thinking of setting an environment variable which would prevent running this script from the web... But just not putting the script in the space where the web server looks for pages for websites, would do the same.
一开始我也在考虑设置一个环境变量来阻止从web运行这个脚本……但是,如果不将脚本放在web服务器为网站查找页面的空间中,就会产生同样的效果。
And nothing is stopping a random user from first setting the environment variable and then running the script.
没有什么能阻止一个随机的用户首先设置环境变量,然后运行脚本。
#1
15
You can set an environment variable in your crontab. A line like IS_CRON=1 can be placed at the beginning of your crontab, then check in your php program for get_env("IS_CRON") == 1.
您可以在crontab中设置一个环境变量。可以在crontab的开头放置一行IS_CRON=1,然后在php程序中检查get_env(“IS_CRON”)=1。
Of course, you should also use file permissions as they're not so easily bypassed. If this is run as part of root's cron, chown root:root yourscript.php and chown 700 yourscript.php.
当然,您也应该使用文件权限,因为它们不容易被忽略。如果这是作为root的cron的一部分运行,那么chown root:root yourscript。php和chown 700 yourscript.php。
As ircmaxell says, it'd be better to run as a user other than root assuming you don't need root permissions for what you're doing. I was just taking a guess about your setup.
正如ircmaxell所说,如果您所做的事情不需要root权限,那么最好作为用户而不是root用户来运行。我只是猜一下你的计划。
#2
8
How about having your PHP script check if $_SERVER['REMOTE_ADDR'] is empty, and if it is not, then have the script exit without doing anything further.
让您的PHP脚本检查$_SERVER['REMOTE_ADDR']是否为空,如果不是,那么在不做任何操作的情况下执行脚本退出。
#3
5
There are probably a number of ways to do this. Off the top of my head, I would say that placing it in a directory owned by root, and only readable by root might get close to achieving the effect you are looking for.
可能有很多方法可以做到这一点。在我的脑海中,我想说,将它放在根目录中,并且只有根目录可读,可能会接近实现您正在寻找的效果。
Are there any processes you are looking specifically to restrict it from? If so, using permissions, make it not readable to any of those processes.
你有没有特别想要限制它的进程?如果是这样,使用权限,使其不能读到这些进程中的任何一个。
#4
2
I would suggest setting an environment variable within your crontab and then checking for this within your PHP script
我建议在crontab中设置一个环境变量,然后在PHP脚本中检查这个变量
#5
1
Create a user for cron jobs, and set permissions of the script so it can only be run as this user. Of course you then need to put the script in that user's crontab, which you can do by logging in as that user and running crontab. Just don't give that user's password to just any other user...
为cron作业创建一个用户,并设置脚本的权限,使其只能作为该用户运行。当然,您需要将脚本放到用户的crontab中,您可以作为用户登录并运行crontab。只是不要把用户的密码给其他用户……
At first I was also thinking of setting an environment variable which would prevent running this script from the web... But just not putting the script in the space where the web server looks for pages for websites, would do the same.
一开始我也在考虑设置一个环境变量来阻止从web运行这个脚本……但是,如果不将脚本放在web服务器为网站查找页面的空间中,就会产生同样的效果。
And nothing is stopping a random user from first setting the environment variable and then running the script.
没有什么能阻止一个随机的用户首先设置环境变量,然后运行脚本。