I'm using PHP as apache module on linux. I also use apparmor to secure the system. When I want to send mails for myself with simply mail() function, I noticed that php wants to execute the shell (/bin/bash in our case, as /bin/sh is a symlink for that) even if I set /usr/sbin/sendmail in php.ini. I don't want to allow (in apparmor) that apache/php can execute the shell. I only want php to run the sendmail wrapper directly without involving the shell. Is it possible?
My other idea is to write a "shell like" binary which would check what command is wanted to be execute. It's a great idea in my opinion if PHP can't be made to skip using shell, then use a wrapper which can be even made to log tries executinging unwanted stuffs and so on (I would also use to log the UID as I have vhosts with different unix uid run as - this is the plan). However in this case there is only one thing I don't know: how can I set for PHP to use a given executable as the shell? In general, globally, for system() etc functions as well. I tried to use SetEnv in apache to set SHELL variable but it does not work, PHP still tries to use the default /bin/sh ...
To explain: I must (not mine node, etc) use PHP mail() function on Linux, it's not an option to use other solution to send mail, for example remote SMTP server, if it means any code change on the PHP scripts.
Thanks!