We Keep Coding

create a shell.sh which anyone can execute which internally runs as root

Can I write a shell script which anyone can execute which INTERNALLY switches user (or elevates to root) and then runs those commands without exposing the executing user to root privileges?
Some background: I have a shell script which gets a file from my local network (using smbclient) and then converts and treats said file to a csv ready to import into my MYSQL DB. I can run the file as myself but when I try and execute it thru in PHP exec() or shell_exec() I get permission issues because it's user is www-data.
I've spend a day tring various file permision changes, apending the path environment and even reading up on granting www-data sudo rights (without success) but, rather than all that can I create a file anyone (www-data) can execute and safety perform the commands within (and only the commands within) as my user or sudo?

you can do this by editing /etc/sudoers
sudoedit /etc/sudoers
add this line
Cmnd_Alias YOUR_CMD_ALIAS= /path/yourShellScript
[User's name] ALL=(ALL) NOPASSWD: YOUR_CMD_ALIAS
then execute your code with sudo
sudo /path/yourShellScript

Permission denied when logging on /var/log from a php script

I found my crontab scripts do not work as expected because they cannot write on /var/log. I tried executing command:
sudo /usr/bin/php /var/www/html/iPhone/inarrivo/php/rome/process.php >>
/var/log/romeLoading.log 2>&1
by hand and got:
-bash: /var/log/romeLoading.log: Permission Denied
/var/log permissions are:
drwxr-xr-x. 13 root root 4096 15 ago 16.20 .
If I conversely execute:
sudo touch /var/log/loadRome.log
I get no error whatsoever.
What could be the issue?
Please note Apache is not at stake: I am calling those scripts from the root crontab and from the shell with sudo as a test.

best guess: the user running the shell doesn't have write access to /var/log/romeLoading.log , and the stdout redirect (>>) is redirected by the shell user, not the sudo user, thus the access denied on >> , but not on sudo touch. maybe try
sudo sh -c '/usr/bin/php /var/www/html/iPhone/inarrivo/php/rome/process.php >> /var/log/romeLoading.log 2>&1'
that should run sh as root, and have the root-sh do the redirect with root permissions. untested though.
and next time you want to post permissions for debugging, post the namei -l path/to/file output, it gives much more info than stating the single file itself when debugging permission issues, as the issue can be higher up than the file itself, like the folder its in, or the folder that the folder it's in, is in, etc~ and namei gives you, recursively, detailed permission information on all of them.

It's a permissions issue as the log file belongs to root user and apache runs off www-data. Try chown www-data:www-data /var/log/loadRome.log.

Execute php script without permission from web

I'm trying to execute a php script but i'm having this kind of errors:
Warning: file_put_contents(/sys/class/gpio/export): failed to open stream: Permission denied in /home/pi/php-gpio/src/PhpGpio/Gpio.php on line 99
Warning: file_put_contents(/sys/class/gpio/gpio17/direction): failed to open stream: Permission denied in /home/pi/php-gpio/src/PhpGpio/Gpio.php on line 103
I've tried to set up the permission in the $ sudo visudo like this:
www-data ALL=NOPASSWD: path/to/my/script
or
www-data ALL=NOPASSWD: ALL
but is not working, i'm able to execute this script only with sudo form the command line!
Thanks in advance!

If you using in your computer, you must change the default directory permission:
$ sudo chmod -R +w /sys/class/gpio/export
else if you run code in a server, in server panel and in section files (e.g. CPanel) change permission and add write right.
Another way is running exec() command:
<?php
exec('chmod -R +w /sys/class/gpio/export');
?>
However, php should have exec right and running with root!

I recently published a project that allows PHP to obtain and interact with a real Bash shell (as root if requested), it solves the limitations of exec() and shell_exec(). Get it here: https://github.com/merlinthemagic/MTS
After downloading you would simply use the following code:
$shell = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);
$return1 = $shell->exeCmd('/sys/class/gpio/export');
$return2 = $shell->exeCmd('/sys/class/gpio/gpio17/direction');
//the return will be a string containing the return of the command
echo $return1;
echo $return2;
In terms of security it is far better than running apache as root, or the wide open sudo permissions in your question. But letting PHP anywhere near root is always tricky.
The project i built achieves a root bash shell in one of 2 ways:
1) You allow apache the right to sudo python.
OR
2) You pass root credentials to the object every time you need a shell with root setup.
Pick your poison. :) Read the documentation.

PHP executing external commands - how to when username and password required

Okay so I want to change the file mode of a directory to 777 so I use the line
exec('chmod -R 777' . $dir);
where $dir is the directory path of the directory I wanna change
it doesn't seem to work but I don't get an error for it, also if the user I was executing the script from was a sudo user so I have to enter the password after I enter the command, how would I do this? Would it be something like exec('chmod -R 777' . $dir\n 'password'); ?

Information I get from this site
Execute system commands via PHP
Many a times we need to execute system commands on a Linux system – to delete a directory, or restart a service. However, since Apache does not run with root privileges, it is nearly impossible to use PHP’s exec(), system() or passthru() functions to achieve that.
The solution to this is very simple, specially on Ubuntu. The Apache’s user www-data need to be granted privileges to execute certain applications using sudo.
1.Run the command sudo visudo
2.At the end of the file, add the following
www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du
This is assuming that you wish to run iptables and du using super user (root) privileges. However, if you wish to run every application using super user privileges, then add the following instead of what’s above
www-data ALL=NOPASSWD: ALL
3.That’s it, now use exec() in the following manner inside your .php script
exec ("sudo iptables -P FORWARD ACCEPT");

Executing a shell script from a PHP script

I want to execute a Bash script present on the system from a PHP script. I have two scripts present on the system. One of them is a PHP script called client.php present at /var/www/html and the other is a Bash script called testscript present at /home/testuser.
My client.php script looks like
<?php
$message=shell_exec("/home/testuser/testscript 2>&1");
print_r($message);
?>
My testscript looks like
#!/bin/bash
echo "Testscript run succesful"
When i do the following on terminal
php client.php
I get the following output on terminal
Testscript run successful
But when i open the page at
http://serverdomain/client.php
I get the following output
sh: /home/testuser/testscript: Permission denied
I get this error even after I did chmod +x testscript.
How do I get it to work from the browser? Please help.

I would have a directory somewhere called scripts under the WWW folder so that it's not reachable from the web but is reachable by PHP.
e.g. /var/www/scripts/testscript
Make sure the user/group for your testscript is the same as your webfiles. For instance if your client.php is owned by apache:apache, change the bash script to the same user/group using chown. You can find out what your client.php and web files are owned by doing ls -al.
Then run
<?php
$message=shell_exec("/var/www/scripts/testscript 2>&1");
print_r($message);
?>
EDIT:
If you really want to run a file as root from a webserver you can try this binary wrapper below. Check out this solution for the same thing you want to do.
Execute root commands via PHP

Without really knowing the complexity of the setup, I like the sudo route.
First, you must configure sudo to permit your webserver to sudo run the given command as root. Then, you need to have the script that the webserver shell_exec's(testscript) run the command with sudo.
For A Debian box with Apache and sudo:
Configure sudo:
As root, run the following to edit a new/dedicated configuration file for sudo:
visudo -f /etc/sudoers.d/Webserver
(or whatever you want to call your file in /etc/sudoers.d/)
Add the following to the file:
www-data ALL = (root) NOPASSWD: <executable_file_path>
where <executable_file_path> is the command that you need to be able to run as root with the full path in its name(say /bin/chown for the chown executable). If the executable will be run with the same arguments every time, you can add its arguments right after the executable file's name to further restrict its use.
For example, say we always want to copy the same file in the /root/ directory, we would write the following:
www-data ALL = (root) NOPASSWD: /bin/cp /root/test1 /root/test2
Modify the script(testscript):
Edit your script such that sudo appears before the command that requires root privileges(say sudo /bin/chown ... or sudo /bin/cp /root/test1 /root/test2). Make sure that the arguments specified in the sudo configuration file exactly match the arguments used with the executable in this file.
So, for our example above, we would have the following in the script:
sudo /bin/cp /root/test1 /root/test2
If you are still getting permission denied, the script file and it's parent directories' permissions may not allow the webserver to execute the script itself.
Thus, you need to move the script to a more appropriate directory and/or change the script and parent directory's permissions to allow execution by www-data(user or group), which is beyond the scope of this tutorial.
Keep in mind:
When configuring sudo, the objective is to permit the command in it's most restricted form. For example, instead of permitting the general use of the cp command, you only allow the cp command if the arguments are, say, /root/test1 /root/test2. This means that cp's arguments(and cp's functionality cannot be altered).

I was struggling with this exact issue for three days. I had set permissions on the script to 755. I had been calling my script as follows.
<?php
$outcome = shell_exec('/tmp/clearUp.sh');
echo $outcome;
?>
My script was as follows.
#!bin/bash
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
I was getting no output or feedback. The change I made to get the script to run was to add a cd to tmp inside the script:
#!bin/bash
cd /tmp;
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
This was more by luck than judgement but it is now working perfectly. I hope this helps.

It's a simple problem. When you are running from terminal, you are running the php file from terminal as a privileged user. When you go to the php from your web browser, the php script is being run as the web server user which does not have permissions to execute files in your home directory. In Ubuntu, the www-data user is the apache web server user. If you're on ubuntu you would have to do the following:
chown yourusername:www-data /home/testuser/testscript
chmod g+x /home/testuser/testscript
what the above does is transfers user ownership of the file to you, and gives the webserver group ownership of it. the next command gives the group executable permission to the file. Now the next time you go ahead and do it from the browser, it should work.