You should put setgid(getegid()); setuid(geteuid()) before calling system().
As a side note, the way the file permissions are set up in your example, your "solution" is totally insecure. Any user can change the contents of the .php script to be run by that setuid C program, and then use the C program to execute the changed contents as root.
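Both points from this answer in one wrapper, as an added example that is not code from the original post: it refuses to run a script that anyone other than the expected owner could modify, then sets the real IDs to the effective IDs before calling system(). SCRIPT_PATH and PHP_BIN are assumed paths, and the helper names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed locations for illustration; the original post's paths are not shown. */
#define SCRIPT_PATH "/usr/local/libexec/example.php"
#define PHP_BIN     "/usr/bin/php"   /* absolute, so PATH is not consulted */

/* Returns 1 only if path is a regular file owned by `owner` with no
 * group/other write bit; anything else (missing, symlink, wrong owner) is 0. */
int script_is_locked_down(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != owner)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Make the real group and user IDs match the effective ones, group first,
 * as the answer suggests. Returns 0 on success, -1 if either call fails. */
int promote_effective_ids(void)
{
    if (setgid(getegid()) != 0)
        return -1;
    if (setuid(geteuid()) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* In a setuid-root binary geteuid() is 0, so the script must be root-owned. */
    if (!script_is_locked_down(SCRIPT_PATH, geteuid())) {
        fprintf(stderr, "refusing to run %s: owner/mode check failed\n", SCRIPT_PATH);
        return 1;
    }
    if (promote_effective_ids() != 0) {
        perror("setgid/setuid");
        return 1;
    }
    return system(PHP_BIN " " SCRIPT_PATH) == 0 ? 0 : 1;
}
```

The check runs before the script is used, so the directory holding the script must also be writable only by its owner; otherwise the file can be replaced after the check passes.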