I am desperately trying to mount a CIFS share on a Debian 10 box through a web user interface and get it accessible for the whole system. The mount command is executed successfully but the mount point is not listed in /etc/mtab or /proc/mounts and therefore also not shown by the mount command.
I am using apache2 as a webserver and I tried different approaches all with the same result.
The goal is to use a php-script with Apache or Nginx that mounts a share that is valid and visible for the whole OS just like if I used the mount command on the commandline.
I have tried different ways with a mount.php that calls a bash-script to mount the share:
added www-data to sudoers without password and call the script containing "sudo mount ..."
used a c-compiled wrapper that is executed as root which calls a bash-script that mounts the share
installed php-fpm with a root-enabled socket to call the bash script
let the bash-script add the share into /etc/fstab and execute mount -a
All these approaches work as they should if called from the command line, even when called as www-data user (where possible).
They all also seem to mount the share when called through the web interface, because if I use the same techniques to launch a mount without any parameters in a php-script from the website the mount is listed as it should be. Also a second try to mount the share through the web interface gives the message that the device is busy.
But when I use the mount command without any parameters on the command line the mountpoint is not listed nor do I find it in /etc/mtab or /proc/mounts.
In the last approach, where I let the script edit the /etc/fstab and call a 'mount -a' the behaviour is exactly the same (listed in web interface but not on command line), but when I reboot the share is mounted as expected and visible.
So I am very sure that I am overlooking some kind of userspace / sandbox / terminal restriction where apache2 runs in that has some effect on the mount command. What is strange, because I even can edit the /etc/fstab with the scripts and seem to have root access to everything - even to mount, otherwise it would not start at all. But anyhow the mount command seems to write it's mount-results somewhere else when invoked through the web interface.
Does anybody have an idea that points me in the right direction?`
Thanks in advance,
Axel
Apache2 has a property "PrivateTmp" which is set in /etc/systemd/multi-user.target.wants/apache2.service. Try commenting it by putting a hash (#) in front of the line.
Mount uses the temp folder and if Apache uses a private temp folder it might not appear in the mount list.
If you have troubles with permissions, and dont want to dig too deep on that, i recommend to use a simple Write to File function in PHP, then, with a CRON JOB execute a script that if find that file, delete it, and execute the function you desire. That cron job should not have any permission issues on the complete computer.
Related
I have setup a web server and based on an HTTP request and need to execute a script as a different user.
So with regard to that, can I run HTTP as the user I need?
Or can I provide password non interactively and include something like below as the first line of the bat file.
runas /user:dmn1\user1 cmd
First of all its not a good idea to execute bat,sh or any other files from the commands can be tricked any ways.
You can use php's exec() to execute system commands.
If you're trying to execute the command as a different user in the web server itself then I don't know how that is done but If you're trying to execute cmd via browser it can be achieved via .hta script which might not work with modern browsers except IE.
Windows lacks built-in sudo-like functionality.
Your options are:
Use a 3rd-party tool such as psexec (requires specifying password in cleartext; might be a bit glithy sometimes) or sudo for windows (allows webserver user unrestricted administrative access - insecure).
Run another web-server instance with the required user credentials on a different port and redirect requests there with .htaccess (this may be very insecure!)
You can only allow local access and use CURL from 1st webserver to make requests to the second one
Open "task scheduler" (taskschd.msc) and create a task, select the user as owner and enter their password.
To run the task use:
schtasks /run /s SERVERNAME /tn "SCHEDULEDTASKNAME"
You cannot pass parameters to the task directly - you can use a file but beware of overlaps if two people access the HTTP simultaneously
Run a BATCH file (or a python/powershell/autoit script) that monitors a directory for files. When a file appears, read parameters from there, run the task, and delete the file.
You can run the "server" script via task scheduler.
HTTP server should then create files in that folder with long random names.
If creating files is undesirable you may be able to use a named pipe or local TCP connection (netcat) or similar
write a system service yourself (you may need a tool such as NSSM to actually make it run as a service )
My company have a cloud dedicated server, hosted in google cloud, running centos 7 with apache2, php5.5 and mariadb running.
The webserver is running a private application for business clients and companys. Every client has his own database and subdomain, so they, and their own clients can access his applicacion going to http://theirname.example.net/
I've created an interactive command line script for client creation. It creates user and secure password, ftp custom folder, create mysqldatabase and populate it with a sql file, create subdomains and other thing. Also i've made another version of this script with no user interaction, receiving parameters as the client name via command line arguments ( /path-to/script.sh usertocreate mysqluser mysql pass).
So, here is the deal, i want to create a web interface, password protected, just available for my company IP address, this interface should be able to run these SH scripts (not the interactive ones) with sudo permissions.
I was thinking on create a subserver in other port (like http://example.org:2501) using another instance of apache (or other webserver) which runs with a specified user with sudo permissions enables only in the neccesary folders.
Before doing anything, i've created a PHP script which runs commands to console, and tried to run SUDO commands with that. Allowing apache user to sudoers list (just to make it work during develop). I could run these scripts from my web app without SUDO permissions, but they where not working at 100% (since some commands require SUDO). When i try with sudo i receive a code 127 error responde (permission problem).
I stopped there and decided to investigate the best way to do this.
I have full control of the server machine. Apache2 and everything normal is running well. (mariadb, proftpd with passive mode active -100 ports added- )
SELINUX is DISABLED. Firewalld Running
SSH is available for use
I can install another webserver in another port to accomplish this. If a lot of HTTPD configurations should be changed to accomplish this, i will preffer to install another webserver
I can also install any 3rd party software.
I'm a PHP Developer with low experience in other programming languages, if it's necesary to invoke any other programming language to do this (maybe like Python) i would love some docummentation links
Access to this web application would be limited only to my company's static ip address and will be protected
Any thoughts/ideas ? Thanks in advance
PS: If someone want to edit my text and add some colours and format, edition will be aprovved
EDIT TLDR: I want to run another httpd in another with a webapi. This webapi should can run console commands as SUDO. Access to this webserver will be limited to my company's IP. I'm not sure if this is the best way to do it and i want opinions. Also, i'm not pretty sure if its possible to run sudo commands from php without any trouble.
I am writing a PHP script for the GUI of a Cent OS server. For testing purposes I have set up the Apache as localhost. Cent OS does not automount a connected USB device. In PHP I need to check if a USB device is plugged in then mount it and list the file content for the user. This is quite simple in bash, however I am unable to make it work in PHP. I have played around with both the exec() and the shell_exec() functions with no avail. I have tried the commands both manually i.e.:
shell_exec("sudo mount /dev/sdb1 /mnt");
and through a bash script:
exec("./mountlist.sh");
Is there a function in PHP I can call that will do the same thing, or am I missing something with the exec and shell_exec functions. Both functions work fine in the shell. Since mount is a root command I included sudo in the bash script.
You can't sudo from inside a PHP script - there is no way to type in the sudo password.
You could create a shell script and use the STICKY bit to have it run as the root user
http://www.dba-oracle.com/linux/sticky_bit.htm
That's how the passwd command can write to the password file owned by root even though you are running it as a normal user.
Also - you could grant the web user permission to mount/unmount file systems (add him to the fuse group on most systems), but that's more open-ended and rather dangerous if your web server gets hacked, so I would go with shell scripts and sticky bits for your purposes.
i read so many similar questions but nothing works with me
im using wamp 2.2 ,Apache 2.0 , PHP V5.3.8
safe_mode=off - disabled_functions deleted from php.ini i'm trying to exec
exec("chrome.exe google.com");
nothing happens and when i try
exec("calc");
the windows shows weird message to execute calc in different user although i changed the user for the apache service to Administrator and i verify the user using
exec("whoami");
where is the problem?
Environment path for CMD and php shell might not be the same.
You either have to give entire path of the file, or export the path of chrome.exe in php first
Also, I believe that chrome.exe opening a page requires XServer, php can't open graphical interfaces in shell. These commands are not passed to actual shell as a parent, so php file can't "launch" applications for you.
Please read specifics of the exec function:
PHP exec Reference
Also try adding 2> errors.txt to see what are the errors if any in the execution of the programme.
--
The program needs to know what X server to connect to, and it needs to have permissions to connect to that server. You specify the X server with the DISPLAY environment variable; this will usually be set automatically if you are running the PHP program from a terminal in
X, or from a GNOME panel or something similar; however, if you are running the PHP script in some other manner, it likely won't know what X server to connect to.
X has various ways of specifying permission to connect to a server, but the most common one is using a file called ".Xauthority" in the users home directory. Because only the user who is logged in at the X server can read this file, they are the only user who can run GUI programs. So, if you start the PHP user as the same user who is logged in at the X server, you shouldn't have any problem with permissions. However, if the PHP program is running as a different user, you will have to give that user permission to access the X server.
Reference: http://bytes.com/topic/php/answers/838364-cant-launch-graphical-apps-php-exec-ubuntu-8-04-system
(I know that link is for linux and won't have exact same solution for Windows, but exec() still needs to know which X interface to refer to)
Stop Apache running as a service.
When windows runs a service it it is not running directly as the user that started the server or manages due to this it could well be starting chrome in a service environment so you wont see it load on your desktop there are 2 ways to get around this
Stop apache service browse to your apache directory and run httpd.exe manualy then try your script it should work or if it is not required to be running though a web request so it not using anything from the browser you can allow it to work with c:\wamp\php\php.exe yourfile.php (your php path should be replaced for c:\wamp\php)
Try PHP script?
<?php shell_exec('notepad.exe');?>
It's working.
I have a local server which needs to make changes to a virtual hosts apache config file and then restart apache so the new config takes effect.
Can PHP do this? I tried passthru and exec but they didn't work. Maybe the problem is that I'm trying to restart PHP's parent process?
Thanks for any help!!
I've used a cron script (written in PHP, not executed from the webserver) to check a server is up and restart the server.
However, I wouldn't do this from a server-created process, because you know you're about to kill the parent process, which has bad implications for the child.
The simplest method would be to have a file /tmp/RESTART_APACHE which PHP can create, and which the cron script checks for. If the cron script sees the file /tmp/RESTART_APACHE then it does a proper restart of Apache.
Using a cron script will introduce a delay (up to 60s if you run it each minute), but apart from that should work as you want.
Depending on how you intend using this, that may do the trick.
(You probably want to use a different directory than /tmp/ to set permissions and prevent anyone on the server being able to create the file.)
EDIT: Please see Aaron H's comment to this post. I agree with what he says: you really do want to be careful that the ability to restart your webserver is not a service generally available to the public.
Restrict access to the system which can trigger the restart; ensure that the file which triggers the restart has restrictive permissions so only the web process can create that file, and generally be smart.
I've done this for the very exactly thing. However it was solely for a development environment, to quickly create virtual host for our developers on demand. Worked very pleasing well so far.
My approach was to create a new user on the system, give this user sudo rights to reload apache and from Apache->PHP I used SSH to localhost with an authorized key without passphrase to that user, issuing the command.
The reason for this was that I didn't wanted to give the apache user (usually www-data) the power in general to reload itself. I named the new user wwwctrl.
The command I used was:
ssh -i /path/to/key-file wwwctrl#localhost sudo /etc/init.d/apache2 reload
I had to execute this command manually one time as wwwctrl user to have the local host key being added to ~wwwctrl/.ssh/known_hosts.
I used proc_open() to watch the execution of the command.
In fact I was generating a batch of virtual hosts for different Apache installations on different systems so on every system I had this wwwctrl user to reload Apache, basically doing this in a "foreach hosts as host do ... wwwctrl#host#".
Wouldn't you want to pass a 'reload' instead of a 'restart?'
To do this you would need to edit the sudo file and then execute the restart command that is used on your system, using sudo of course. If you give details, I could tell you but do you even have access to do that? Is it hosted? Cron would probably be a better choice here though.
at will be able to do that, not sure if you can schedule down to the second but I guess that depends on the implementation
I would create a daemon to monitor the sites-enabled directory and restart Apache when files are added or modified. Then you don't have to wait up to 60 seconds as with a cron job.
This sorta thing violates the standard chain of command since apache invokes php, not the other way around. I second the cron suggestion. Just set a cron job with sufficient privileges to check for changes to the host file, and restart apache if any are found.