Access Windows shared folders from Linux with PHP

Posted 2019-07-06 21:36

Question:

I need to be able to access some shared folders on a number of Windows servers using a PHP script running on a Linux server. I only need to get the names of the files contained in the folders and the timestamp for when they were created.

The only solution I've come up with so far is to mount the share in Linux and access it from there. While this solves the problem, I have to do it as root (as far as I'm aware) which means that I either have to run scripts as root which is just plain stupid, or manually mount all shares which will be a serious pain to manage in the long run.

This leads to two questions.

  1. Anybody know of a better way to do it? I have administrative rights on all machines if that should be needed.
  2. What are the security issues I have to deal with here? I need to overcome the root problem, and I need to guarantee that the Linux/PHP script can't edit/delete files on the Windows machine, but I guess that there might be more problems than those lurking in the dark.

Answer 1:

Having several hundred servers come and go with great enough frequency that editing /etc/fstab to add new filesystems is definitely an annoying constraint.

If all you're doing is listing files and modification times on the server, then the smbclient(1) command is a good starting point. smbclient(1) is a lot like an FTP interface for SMB and CIFS shares. The -c command line option lets you run a specific command; something like:

smbclient //$servername/$sharename -c "dir path/to/directory/"

If you're going to be doing more with the file than just listing modification times, then mounting the share as a filesystem will reduce the number of connect and authentication requests, and perhaps make parsing stat(2) output far easier than parsing plain-text representations of the data.

If you want to go down the route of mounting your filesystems, first split apart your script.

One small piece should take a servername, share path, and an optional mount path; it adds the (server, share, path) to /etc/fstab.

This portion could be setuid root. (Which is dangerous, but beats running the entire PHP script as root.)

Or, you could mount your filesystems with acl(5) support and add a new access control entry:

mount / -oremount,acl
setfacl -m u:www:rw /etc/fstab

Now the www user has privileges to modify the /etc/fstab file. (Note that I haven't actually tested addmntent(3) when ACLs have been used to give a user write access to /etc/fstab.) Be sure to modify /etc/fstab to always mount / with acl support, so this works across reboots.

You can use the addmntent(3) C library function to add new entries to /etc/fstab. I'd pick C over a scripting language if you're going to use a setuid root executable, and I'd probably pick C over a scripting language anyway, because addmntent(3) already knows how to write correctly formatted mount entries to /etc/fstab.

Include the user and noauto options so your script can run unprivileged and still mount shares as it needs them.
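
The small privileged helper this answer describes could look like the following in C; this is an added example, not code from the answer. It validates the caller-supplied server, share and mount-point strings before calling addmntent(3), and it fixes the options to ro,user,noauto itself. The function names and the credentials path are assumptions, and the fstab path is a parameter only so the code can be tried against a scratch file.

```c
#include <mntent.h>
#include <stdio.h>
#include <string.h>

/* Allow only [A-Za-z0-9._-] (and '/' in paths) so a caller-supplied value
 * cannot carry whitespace, commas or newlines into an fstab field. */
static int safe_field(const char *s, int allow_slash) {
    if (s == NULL || *s == '\0' || strlen(s) > 255 || strstr(s, "..")) return 0;
    for (; *s; s++)
        if (!strchr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "0123456789._-", *s) && !(allow_slash && *s == '/'))
            return 0;
    return 1;
}

/* Added example, hypothetical helper: 0 on success, -1 on bad input or I/O error. */
int add_share_entry(const char *fstab, const char *server,
                    const char *share, const char *mountpoint) {
    char fsname[600];
    static char type[] = "cifs";
    /* Fixed by the helper, never caller-supplied; the credentials path is assumed. */
    static char opts[] = "ro,user,noauto,credentials=/etc/cifs-credentials";
    if (!safe_field(server, 0) || !safe_field(share, 0) ||
        !safe_field(mountpoint, 1) || mountpoint[0] != '/')
        return -1;
    snprintf(fsname, sizeof fsname, "//%s/%s", server, share);
    struct mntent ent = { .mnt_fsname = fsname, .mnt_dir = (char *)mountpoint,
                          .mnt_type = type, .mnt_opts = opts };
    FILE *fp = setmntent(fstab, "a");
    if (fp == NULL) return -1;
    int rc = addmntent(fp, &ent);      /* 0 on success, 1 on failure */
    endmntent(fp);
    return rc == 0 ? 0 : -1;
}

/* Returns 1 if fstab holds an entry for fsname that carries option opt. */
int entry_has_opt(const char *fstab, const char *fsname, const char *opt) {
    int found = 0;
    struct mntent *m;
    FILE *fp = setmntent(fstab, "r");
    if (fp == NULL) return 0;
    while ((m = getmntent(fp)) != NULL)
        if (strcmp(m->mnt_fsname, fsname) == 0 && hasmntopt(m, opt)) found = 1;
    endmntent(fp);
    return found;
}

int main(int argc, char **argv) {  /* helper <fstab-file> <server> <share> <mountpoint> */
    return argc == 5 ? -add_share_entry(argv[1], argv[2], argv[3], argv[4]) : 2;
}
```

The ro option only restricts this client's mount; whether the account can write to the share at all is decided by the permissions set on the Windows side.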



Tags: php security