I want to allow running a specific command on my website through the PHP exec() function, so I found a way: add www-data to the sudoers.d files to allow it to run specific commands without asking for a password.
I tried the following:
Check where the program directory is:
whereis hashcat -> hashcat: /usr/bin/hashcat
Add a new file with sudo visudo /etc/sudoers.d/www-data and add the following line: www-data ALL=(www-data:www-data)NOPASSWD: /user/bin/hashcat
Try to run it as www-data: sudo -u www-data sudo hashcat
And then I get this: [sudo] password for www-data:, which means it doesn't seem to work.
What could I be doing wrong, and what should I do then? And is my decision to do so correct? Is there a better and safer solution?
That problem is solved by removing the (www-data:www-data), so my "www-data" file in sudoers.d looks like: www-data ALL=NOPASSWD: /usr/bin/hashcat
Thanks to all for answering and giving me a hint to solve this! Special thanks to #cyberbrain for my carelessness!
Related
There are many questions on this topic, but my situation is quite strange.
I am trying to print out exec("sudo -u root whoami") in PHP. But it returns nothing.
I added %www-data ALL=(ALL:ALL) ALL via sudo visudo but no luck on what is happening: no error, it just doesn't print out anything.
Any suggestions?
Thanks in advance
How is your webserver going to enter the password for sudo?
Your configuration allows the webserver user to run all commands on the server. But that requires the user to enter their password. And the webserver
can't do that interactively
doesn't even have a password
So if you want to do what you are trying to do (giving the process running PHP root access to the machine is a very bad idea), you should add this to your sudo config:
%www-data ALL = NOPASSWD: /usr/bin/whoami
That allows the group www-data to run whoami as root without an interactive password prompt.
$lol = system("sudo gpg --clearsign asd.txt;");
Is it because I need the password for the gpg??
sudoers:
root ALL=(ALL) NOPASSWD:ALL
apache ALL=(ALL) NOPASSWD:ALL
www-data ALL=(ALL) NOPASSWD:ALL
You can't use sudo in this case, as it would ask for a password.
You can use sudoers to avoid the need for the password, only for some chosen commands, only for some chosen users, for security.
Here is some sample documentation, look for the one for your OS.
Please provide the error that may have occurred (see both the apache and bash error logs), as other problems can hide behind this one.
Edit:
In your case, the command you want to be sudoed without asking for a password is
"gpg --clearsign"
The user that actually launches this command is "www-data", not apache, so update your sudoers accordingly and this will work.
Edit2:
Let's simulate the PHP behavior. PHP (Apache in fact, so the www-data user) has to sudo the command. Let's do this in bash:
su www-data
sudo gpg --clearsign asd.txt;
Can you see something new?
Was the root password asked for?
Another password-related problem, but on the gpg side this time:
gpg is asking for a password when decrypting a file, with a prompt.
As in PHP we can't type the pass into the prompt, we will have to send this pass in the command, with this argument:
--passphrase 12345
So your command shall become, with the correct pass, of course:
$lol = system("sudo gpg --passphrase 12345 --clearsign asd.txt;");
Okay, so I want to change the file mode of a directory to 777, so I use the line
exec('chmod -R 777' . $dir);
where $dir is the directory path of the directory I wanna change.
It doesn't seem to work but I don't get an error for it. Also, if the user I was executing the script from was a sudo user, so I have to enter the password after I enter the command, how would I do this? Would it be something like exec('chmod -R 777' . $dir\n 'password'); ?
Information I get from this site
Execute system commands via PHP
Many a time we need to execute system commands on a Linux system – to delete a directory, or restart a service. However, since Apache does not run with root privileges, it is nearly impossible to use PHP’s exec(), system() or passthru() functions to achieve that.
The solution to this is very simple, especially on Ubuntu. Apache’s user www-data needs to be granted privileges to execute certain applications using sudo.
1. Run the command sudo visudo
2. At the end of the file, add the following
www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du
This is assuming that you wish to run iptables and du using super user (root) privileges. However, if you wish to run every application using super user privileges, then add the following instead of what’s above
www-data ALL=NOPASSWD: ALL
3. That’s it, now use exec() in the following manner inside your .php script
exec ("sudo iptables -P FORWARD ACCEPT");
Usually to flush the nginx cache, I use the unix command:
touch /var/ngx_pagespeed_cache/cache.flush
I'd like to know if I can do the same with PHP so that I don't have to log in over SSH to do it.
If yes, would this code work?
<?php
$flush_file = "/var/ngx_pagespeed_cache/cache.flush";
touch($flush_file);
?>
If not, could you point me to how to do it, please?
Many thanks in advance.
Reposted my own comment above for better formatting.
Well, I guess it would be safe enough to chown this file to the user which runs php/webserver, e.g. www-data. Then give it write permission on this file.
On a Debian server it would be something like this:
sudo chown www-data /var/ngx_pagespeed_cache/cache.flush
sudo chmod +w /var/ngx_pagespeed_cache/cache.flush
I would like to launch a command in PHP on my RPI.
The command is echo 'standby 0' | cec-client -s. It works fine over ssh, my TV shuts down, but in PHP echo shell_exec("......") returns adapters autodetect FAILED ... But also mkdir doesn't work with shell_exec, so I think it's probably a PATH problem, but I don't know how to fix it. My PATH in ssh is /usr/local/bin....... and in PHP it is /sbin:/bin:/usr/sbin:/usr/bin .
How can I fix it? Sorry for my English ...
I tried the same and got a message saying "failed to open vchiq instance". I found a question on Raspberry Pi StackExchange suggesting to add the user to the "video" group. I did that with usermod -a -G video www-data and then restarted apache with /etc/init.d/apache2 restart. Then I was able to use cec-client from PHP and apache.
It is a permissions problem. While running the command via ssh you are executing it as user pi (probably), but via shell_exec you execute the command as user www-data, which does not have the necessary permissions. You can check this by running echo shell_exec("whoami");
You can easily fix this by adding the line "www-data ALL=(ALL) NOPASSWD: ALL" to your "/etc/sudoers" file and then running "echo shell_exec("sudo echo 'standby 0' | sudo cec-client -s");"; however, this will give the user www-data all of the sudo permissions and it is very insecure, but it will work. If you want to do it in a more secure way, you need to find which permissions cec-client requires to run properly and then add them to the user www-data.
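A check over the www-data sudoers rules quoted in the posts above, as an added example that is not part of any of the original posts: it flags rules that will prompt for a password under exec(), rules whose run-as list leaves out root, command paths that do not exist, and grants of ALL. The names audit_rule and audit are hypothetical, and the parser assumes only the simple single-line form seen on this page (no aliases, tags other than NOPASSWD, or line continuations).

```python
import os
import re

# Constructed sample: the www-data rules quoted in the posts above.
SAMPLE_RULES = """\
www-data ALL=(www-data:www-data)NOPASSWD: /user/bin/hashcat
www-data ALL=NOPASSWD: /usr/bin/hashcat
%www-data ALL=(ALL:ALL) ALL
%www-data ALL = NOPASSWD: /usr/bin/whoami
www-data ALL=(ALL) NOPASSWD:ALL
www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du
"""

# who host = [(runas)] [NOPASSWD:] command[, command...]  (assumed simple form)
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<nopasswd>NOPASSWD:)?\s*(?P<cmds>.+)$")


def audit_rule(line, path_exists=os.path.exists):
    """Return findings for one single-line rule (hypothetical helper)."""
    m = RULE.match(line.strip())
    if not m:
        return ["unparsed"]
    findings = []
    if not m["nopasswd"]:
        # exec() has no terminal, so sudo's password prompt is never answered.
        findings.append("prompts-for-password")
    if m["runas"] is not None:
        users = {u.strip() for u in m["runas"].split(":")[0].split(",")}
        if not users & {"ALL", "root"}:
            # Plain `sudo cmd` targets root, which this rule does not cover.
            findings.append("runas-excludes-root")
    for cmd in filter(None, (c.strip() for c in m["cmds"].split(","))):
        if cmd == "ALL":
            findings.append("grants-all-commands")
        elif not path_exists(cmd.split()[0]):
            # A path that is not on disk can never match what sudo resolves.
            findings.append("missing-path:" + cmd.split()[0])
    return findings


def audit(text, path_exists=os.path.exists):
    """Map each non-comment rule line to its findings."""
    rules = (l.strip() for l in text.splitlines())
    return {l: audit_rule(l, path_exists) for l in rules if l and l[0] != "#"}


if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        print(rule, "->", findings or "ok")
```

Syntax itself is still checked with visudo -c; this only looks at what a rule grants to the web server user.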