[SECURITY] Do not run playsmsd or playsmsd.php as root

playsmsd (symlinked to playsmsd.php or copied from playsmsd.php) must not run as root.

This is because of the previous vulnerability that allowed an attacker to modify PHP files. While that bug was already fixed in 1.4.2, if by any means an attacker can modify any playSMS PHP file, that PHP file might be loaded by playsmsd; thus running playsmsd as root would be dangerous.

What you can do right now:

  1. Make sure that you’re using playSMS 1.4.2
  2. Make sure that your playsmsd (or playsmsd.php) is not running as root

UPDATE:

  • Make sure that you are using at least playSMS 1.4.2, or, for now, even better, just use the master version from GitHub
  • A CVE was released for this vulnerability: https://github.com/TheeBlind/CVE-2018-18387
  • Make sure, again, that your playsmsd (or playsmsd.php) is running as a non-root Linux user; for example, run it as www-data instead

anton

How do I run playSMS as a restricted user?

Regards,
Jamshid

The same way, but just make sure that all folders, including logs, are also writable by that user. Change it from config.php; look for the location of the log folder.

To run it from crontab, example run as www-data:

su -s /bin/sh -c "/usr/local/bin/playsmsd watchdog" www-data

anton

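A small audit script for the two checks the thread asks for (is any playsmsd process owned by root, and are the playSMS folders, logs included, owned by the service user). This is an added example, not code from the playSMS project or from anton's post; the ps sample, the process command lines and the directory paths in it are constructed, and the www-data user and /usr/local/bin/playsmsd path are taken from the thread above.

```shell
#!/bin/sh
# Added example (not playSMS project code): audit a host for playsmsd running as
# root and for playSMS directories not owned by the intended non-root user.
# Everything below that looks like host data is constructed sample input.

# Constructed sample of `ps -eo user,pid,args` output. On a real host use:
#   root_playsmsd "$(ps -eo user,pid,args)"
# Command lines are invented for illustration (playsmsd is a PHP script, so it
# may show up as "php /usr/local/bin/playsmsd ..." rather than "playsmsd").
SAMPLE_PS='USER       PID COMMAND
root         1 /sbin/init
root       812 /usr/bin/php /usr/local/bin/playsmsd /etc/playsmsd.conf schedule
www-data   813 /usr/bin/php /usr/local/bin/playsmsd /etc/playsmsd.conf dlrssmsd
www-data   900 /usr/sbin/apache2 -k start'

# Print "user pid command" for every playsmsd process owned by root.
# Returns 0 when none is found, 1 when at least one is.
root_playsmsd() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "root" {
            # Rebuild the full command line (fields 3..NF) so a leading
            # interpreter such as /usr/bin/php does not hide playsmsd.
            cmd = ""
            for (i = 3; i <= NF; i++) {
                sep = (i > 3) ? " " : ""
                cmd = cmd sep $i
            }
            if (cmd ~ /playsmsd/) {
                print $1, $2, cmd
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Verify that every directory named after the user argument exists and is
# owned by that user (the thread: all folders, logs included, must be
# writable by the daemon user). Offenders are printed; returns 1 if any.
# Usage: check_owner www-data /var/www/playsms /var/log/playsms
check_owner() {
    user="$1"
    shift
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"
            rc=1
            continue
        fi
        # Field 3 of `ls -ld` is the owner; portable across Linux and BSD ls.
        owner=$(ls -ld "$d" | awk '{ print $3 }')
        if [ "$owner" != "$user" ]; then
            echo "owned by $owner, expected $user: $d"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample and two assumed paths.
if [ -z "$PLAYSMS_AUDIT_NO_MAIN" ]; then
    if root_playsmsd "$SAMPLE_PS"; then
        echo "OK: no playsmsd process owned by root"
    else
        echo "FAIL: playsmsd processes above run as root"
    fi
    # /var/www/playsms and /var/log/playsms are assumed locations; take the
    # real log folder from config.php as the thread advises.
    check_owner www-data /var/www/playsms /var/log/playsms \
        && echo "OK: directories owned by www-data"
fi
```

Run it as-is to see the sample flagged, or replace SAMPLE_PS with live ps output and the directory list with the paths from your config.php; a non-zero exit from either function is what should trip a cron or monitoring check.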