[SECURITY] Do not run playsmsd or playsmsd.php as root


(Anton Raharja) #1

playsmsd (symlinked to playsmsd.php or copied from playsmsd.php) must not be running as root.

This is because of the previous vulnerability that allows an attacker to modify PHP files. While that bug was already fixed in 1.4.2, if by any means an attacker can modify any playSMS PHP file, that PHP file might be loaded by playsmsd, so running playsmsd as root will be dangerous.

What you can do right now:

  1. Make sure that you’re using playSMS 1.4.2
  2. Make sure that your playsmsd (or playsmsd.php) is not running as root

anton


(Anton Raharja) #2

(Mapiiiaji) #3

How to run Playsms from restricted user?

Regards,
Jamshid


(Anton Raharja) #4

The same way, but just make sure that all folders, including logs, are also writable by that user. Change it from config.php; look for the location of the log folder.

To run it from crontab, example run as www-data:

su -s /bin/sh -c "/usr/local/bin/playsmsd watchdog" www-data

anton
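
One way to verify the second item from post #1 on a running host, as an added example that is not part of the original thread or of playSMS itself: it reads `ps` output and lists every playsmsd or playsmsd.php process whose user is root. The function names, the sample process list and the assumption that the daemon appears either directly or as a script argument to a `php` interpreter are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag playsmsd / playsmsd.php processes that run as root.
# Live use:  ps -e -o user= -o pid= -o args= | root_playsmsd

# Constructed sample process list (not captured from a real host).
sample_ps() {
cat <<'EOF'
root         1 /sbin/init
www-data  2301 /usr/bin/php -q /usr/local/bin/playsmsd watchdog
root      2310 /usr/bin/php -q /usr/local/bin/playsmsd.php watchdog
www-data  2320 grep playsmsd
root      2330 vi /root/notes-about-playsmsd.txt
EOF
}

# Reads "USER PID ARGS..." lines on stdin.
# Prints "PID USER ARGS" for each playsmsd process owned by root.
# Exit status: 1 if at least one was found, 0 otherwise.
root_playsmsd() {
  awk '
    # basename of a path
    function base(p,   a, n) { n = split(p, a, "/"); return a[n] }
    {
      # The program is field 3; if that is a php interpreter, the script is
      # the first argument that is not an option (assumes options such as -q
      # take no separate value).
      target = base($3)
      if (target ~ /^php[0-9.]*$/) {
        target = ""
        for (i = 4; i <= NF; i++)
          if ($i !~ /^-/) { target = base($i); break }
      }
      if ((target == "playsmsd" || target == "playsmsd.php") &&
          ($1 == "root" || $1 == "0")) {
        cmd = $3
        for (i = 4; i <= NF; i++) cmd = cmd " " $i
        print $2, $1, cmd
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Demonstration on the constructed sample; "|| true" keeps the script exit at 0.
sample_ps | root_playsmsd || true
```

Matching on the basename of the program or script, rather than on the substring `playsmsd`, keeps unrelated commands such as `grep playsmsd` out of the result.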