After opening and reading every result on Google, I figured it's time to make my own thread somewhere. I am sorry that I need to ask a question that's already been asked before, I cannot stress this enough, but I have no other option as no other question asked has helped me achieve what my goal is.
I'm trying to setup a means of rebooting/doing other system functions through a web interface powered by HTML (for the buttons/text) and PHP (for the execution of the aforementioned functions).
I'm unable to get this to work. I've read that I need to add the web user to the sudoers file, and I've tried. I'm running Nginx on my server, how do I add the user to the sudoers in my case?
Also, I'm aware of the security risks.
The following is what I have so far:
HTML (index.html):
<body>
<h3>Restart</h3>
<p>
<form action="restart.php" method="get">
<input type="submit" value="Press me.">
</form>
</p>
</body>
PHP (restart.php):
<?php
echo "This is a test";
echo "<br>";
echo "<br>";
echo shell_exec('ifconfig');
echo "<br>";
echo "<br>";
echo "Restarting server...";
exec ('/usr/bin/sudo /etc/init.d/portmap restart');
shell_exec("/sbin/reboot");
exec("/sbin/reboot");
system("/sbin/reboot");
?>
Mind you that here, I only have so many things attempting to execute, so that I make sure I hit the target when one of them works, if that makes sense. The IFConfig is just a test to make sure that it's actually able to execute.
Sudoers:
# User privilege specification
root ALL=(ALL:ALL) ALL
www-data reboot = NOPASSWD: /sbin/reboot
This is all on Ubuntu 14.04 LEMP.
You can do this either by editing your sudoers file :
Sudoers:
www-data ALL=(root) NOPASSWD: /sbin/reboot
The first ALL is for the hostname if you're hostname is not 'reboot' I advise you to keep ALL as it will work in any hostname. That's why it doesn't seem to work on your server
restart.php
exec('sudo /sbin/reboot');
Or without editing your sudoers file.
First create a file where you're gonna store you're root password
~/password :
myrootpassword
Second run any command you want while being root from php file (don't forget to specify the file which store your password)
phpfile.php :
exec('sudo -u root -S /sbin/reboot < ~/password');
www-data reboot = NOPASSWD: /sbin/reboot
this means you dont need a password when running sudo, not that the command runs as sudo when ever run by that user.
The answer is to use sudo /sbin/reboot as the command
You can use puty. I think using php is not a good plan.
Related
I'm working on creating my own little Website to manage a Minecraft server as fun project. Now what I would need to accomplish is being able to send commands to the screen in which the server is running.
My approach to this was the following:
<?php
if (isset($_POST['startbutton']))
{
exec('sudo screen -S 23971 -X stuff "say hello^M"');
}
?>
<form method="post">
<button type="submit" name="startbutton">Test</button>
</form>
Now that command line works just fine when i execute it in the terminal itself, but as soon as i try to run it over the Website nothing happens.
If i just try to execute
if (isset($_POST['startbutton']))
{
echo exec('whoami');
}
?>
it works just fine as well. I don't know what I am doing wrong.
i'm really not sure about it, but try:
<?php
if (isset($_POST['startbutton']))
{
exec('sudo screen -S 23971 -X stuff "say hello^M"');
exec('YOUR SUDO PSW');
}
?>
<form method="post" action="YOUR PHP PAGE LIKE server.php">
<button type="submit" name="startbutton">Test</button>
</form>
let me know if it works
Seems like you are trying to execute a command that needs superuser permissions. In most setups PHP runs under the webserver user and it does not have those permissions. Also you should keep in mind that giving superuser permissions to PHP is a security risk.
My suggestion would be to have a dedicated service, responsible for executing those shell commands. You could then call that service from your PHP script without needing sudo.
Check these for details:
https://serverfault.com/questions/622271/securely-executing-system-commands-as-sudo-from-php/622277
sudo in php exec()
First of all: Thank you all for your support.
I was doing a bit of further research and found a solution for my problem:
I created a new user which I then gave the ownership of /var/www.
I then changed the apache2 user from www-data to the new user.
Now i just needed to start the screen with the minecraft server as the new user so i can access this screen out of php and I was able to get it to work without having to give any user full root privileges or anything.
I want to restart mysql service on click of the button using php.
I have developed application using php till now I tried below things and facing the problem
<?php
if ($_GET['run']) {
# This code will run if ?run=true is set.
var_dump(exec("sh rst.sh"));
exit;
}
?>
<!-- This link will add ?run=true to your URL, myfilename.php?run=true -->
Click Me!
What I am getting is:
string(55) "Restarting mysql (via systemctl): mysql.service failed!"
rest.sh:
#!/bin/bash
/etc/init.d/mysql restart
while executing above file from the commnad line it asks for the password.
any help will be appreciated.
Thanks
Granting the user that runs PHP/web server permissions to restart any service is generally a bed idea from security perspective not even taking about permission to manage all system daemons or full sudo.
Once you have been warned, you have to make sure the user that is running the PHP script has the permission to run the restart command. As already stated, the issue has likely little to do with PHP. There are several ways from you to proceed here:
You can grant the PHP user the sudo permission to run the desired command and nothing else (how to do that is covered elsewhere) and invoke the command directly from PHP: sudo systemctl restart mysql.
Keep the rst.sh file, get it owned by root, writeable by noone else but root and set SUID bit on that file. This way you can invoke the script without sudo but the script will be run as root thanks to the SUID bit.
#1 feels safer and simpler.
You could also try with system():
<?php
if ($_GET['run']) {
# This code will run if ?run=true is set.
var_dump(system("sh rst.sh"));
exit;
}
?>
<!-- This link will add ?run=true to your URL, myfilename.php?run=true -->
Click Me!
Though your problem is coming from the script you are running (rst.sh). Check the commands in script, you probably need to a systemctl call with sudo.
In php try using this command
exec("/etc/init.d/mysql restart");
or push this command to rst.sh
be ensure have chmod +x on file rst.sh
Ok I need to run my Apache web server as root. For this I typed whoami; in terminal. It gives me output: root. But when I check my apache server running as a root user or not by executing following php-script: < ?php echo whoami; ?> It gives me output: nobody. So any suggestions to execute/login as a root user in apache??
I would suggest creating an external PHP file on your server that would handle everything related with this extension. And then, you could call this script with shell_exec in combination with sudo.
This way, you could put your webserver user in your sudoers file and let it run php-cli as root.
Then, in your script you could simply use:
$output = shell_exec("sudo /bin/php /yourscript.php");
This would be a much more secure solution than running Apache as root, which in my opinion, is a verry bad idea, even if you know what you are doing.
If you know what you are doing, look at the file /etc/apache2/envvars :
You can customize these variables
export APACHE_RUN_USER=root
export APACHE_RUN_GROUP=root
I echo the concerns running the apache process as root. Its just a bad idea.
Thats why I recently published a project that allows PHP to obtain and interact with a real Bash shell. Get it here: https://github.com/merlinthemagic/MTS
After downloading you would simply use the following code:
$shell = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);
$return1 = $shell->exeCmd('php /var/scripts/test.php');
//the return will be a string containing the return of the script
echo $return1;
I'm trying to create a PHP web interface for a staging->production publishing script. The web interface is secure (intranet,passworded etc) so I am happy to for apache act as the root user to perform the rsync. There is no password for the root user, a keyfile is used for SSH access.
I have tried sudo-ing the rysnc command in the shell script...
sudo rsync --verbose --recursive --times --perms --links --delete /tmp/dir1/* /tmp/dir2/
And allowing apache to run rsync by adding the following to the sudoers file...
apache ALL=(ALL) NOPASSWD:/usr/bin/rsync
I am using PHP shell_exec to invoke the script...
$result = shell_exec('bash /tmp/syncscript.sh 2>&1');
I get the following error...
sorry, you must have a tty to run sudo
How can I setup so I can run the rsync command as though I were the root user?
Thanks!
You might want to try what i wrote in this post if you want to use SUDO from PHP. It solved all my problems and i have a similar setup to yours, i have a DEV server internally but i want it to do things that only root can...
How to use exec() in php in combination with ssh 'hostname' command?
Good luck
In the end went for a non-sudo approach to this problem. Used phpseclib to get a connection to the box as a user that could do what I needed (not apache). And then made sure that the dirs/files that were being targetted in the rsync operation were accessible to this user.
Seems simple now I look back on it.
I have a script which calls the following command to get the number of unread messages:
sudo ls /var/vmail/username/new | wc -l
This works fine when running from the shell (permissions set up and it's running fine without providing password).
But when running from PHP using exec, it is executed as expected, but it always returns 0.
What may be causing this? How can I debug or fix the issue?
(php 5.3, redhat, apache with ~default config)
EDIT
Thanks ruaks for the tip. The problem is: sudo: sorry, you must have a tty to run sudo. Commenting out the entry in the /etc/sudoers helped:
Defaults requiretty
Defaults:apache !requiretty
But looks like this is not so good for security. Any other, better solution?
When executing PHP through apache, the process is owned by whichever user apache runs as. See: Finding out what user Apache is running as? As mentioned there, it's usually a security risk for that user to be in sudoers.
It is probably because you did not configure your sudoers. Go to /etc/sudoers and give permission to www-data to execute the script. So
vim /etc/sudoers
and then insert
www-data ALL=(root) NOPASSWD: full/script/path.sh
if you waqnt further debugging then when you login as root do
su www-data
and then once you log in as www-data try to run the script you are running in php and see what error you get
But looks like this is not so good for security. Any other, better solution?
Yes, that is a security risk. I don't know how dynamic this information needs to be; if you're just using it once in a while, and don't mind that it might be slightly outdated, you could opt for writing a cronjob that will execute the command and write the output into a temporary file apache can read.
If you desperately need this information to be 100% accurate and in real-time, you may want to go for another way to determine the number of new messages. If the mailbox is readable using - for example - imap or whatever, PHP has functions that can do the calculation without needing sudo. All in all, that seems to me like the most reusable and "cleanest" way to work anyway.
Adding apache to the sudo'ers file is a security risk, but then, if you add that it can only execute the command you want it to be able to execute like Quillion described, the risks lessen.