I've a PHP exec command which starts a bash script in Linux Centos 7.2
#!/bin/sh
# \
mkdir /var/www/html/folder1/$1
useradd -g usergroup -d /var/www/html/folder1/$1 $1
The sudoers is configured this way. 'apache' is the Apache User and Group in my installation:
apache ALL=(ALL) ALL
apache ALL=(ALL) NOPASSWD: /usr/sbin/useradd
The mkdir command works as expected.
But the useradd command retrieves a 'permission denied' error even if I explicitly decleared in sudoers that the group/user apache has permission to execute useradd.
So How to solve this ? How to create a user which belongs to an already defined usergroup without getting 'permission denied' ?
I ended up setting full permissions to the useradd file this way:
chmod 7777 /usr/sbin/useradd
I don't know if this is safe enough anyway it worked.
I continue after this getting a secondary error like:
nscd: Only root is allowed to use this option
It is related to the user cache cleaning failed by the useradd module.
But at least the user at this stage is correctly added.
No idea at the moment if the failed cache flush could cause some other problems in the future.
EDIT: I had also to 1) do "chown root:root myscript.php" for my php script. 2) to put the bash script in /usr/sbin 3) make the bash script executable with chmod +x 4) execute it in php with : "sudo bashscript.sh" 4) and/or to add the /usr/sbin directory in sudoers security section
Related
I am using ubuntu server 20.04 LTS, where I have multiple shell files, using php from apache I need to run multiple shell files from a browser but need to run as root.
I have tried the command shell_exec and added sudoers (www-data) and none works, which I can put in the code to enter as root and be able to execute the shell script.
<?php
$code = shell_exec('echo "passwd" | sudo -u root -S sh /home/user/name.sh');
echo "<pre>$code</pre>";
?>
Because your are executing this script as www-data and www-data doesn't have the required privilege to execute any sudo commands.
You can try the following steps.
Modify www-data in /etc/sudoers to be able to execute a script as the superuser. This is a sensitive file and you have to use visudo as the editor to make the changes.
$ sudo visudo -f /etc/sudoers
www-data ALL=(ALL) NOPASSWD: /home/user/name.sh
This will allow www-data to execute the script as the superuser without a password.
In your PHP code change the command in your shell_exec() as follows:
$code = shell_exec(sudo sh /home/user/name.sh');
Make sure your name.sh is set up with proper file modes to protect yourself.
I have below php script(test.php) in redhat linux.
<?php
shell_exec('touch /var/www/html/test.txt');
?>
If I run this script in command line (php test.php) ,it's working as expected.
But if I run test.php in browser(http://hostname/test.php) it's not creating file test.txt.
I tried edit sudo visudo www-data ALL=(ALL) NOPASSWD:ALL
Please help me on this!!
I guest it's because of permission, when you run in command line you run it as your user but when you run it via browser , it runs as web-service's user, so check the the permission of /var/www/html/ directory and set it's permission to 755 and change the owner to your web-service ( apache , apache2 etc you have as web serivce)
So
chown -R apache:apache /var/www/html/ (I'm not sure about your web-service, change it your webserice and it's group)
chmod -R 755 /var/www/html/
PHP will execute that just fine. But the system then does not find touch in the pathes it has to search.
Easiest, is to give the full path to touch. On my System using command whereis to find touch
$whereis touch
touch: /usr/bin/touch /bin/touch /usr/share/man/man1/touch.1.gz
So the script would be:
<?php
shell_exec('/usr/bin/touch /var/www/html/test.txt');
?>
I have created a file test.sh which looks like this:
#!/bin/sh
mkdir /testDir
If I run the script on the command line like: sudo /path/to/test.sh it successfully creates the directory.
I have added the sudo permissions like this in the visudo:
www-data ALL=NOPASSWD: /path/to/test.sh
and I am running the script like this in my .php file:
shell_exec('sh /path/to/test.sh');
But no directory is being created!
What am I doing wrong?!
Correct user for sudo permissions?
When I run shell_exec('whoami') on the php file I get:
www-data
Correct path to script from php?
I have tested the shell script by adding an echo statement like:
#!/bin/sh
mkdir /testDir
echo "hello"
And when I run the .php command like:
echo shell_exec('sh /path/to/test.sh');
the .php page returns
hello
I have also tried in the test.sh:
output=$( mkdir /testDir )
echo "$output"
but nothing is returned
Update
If I add this to the visudo:
www-data ALL=(ALL) NOPASSWD: ALL
it works!! But when I do:
www-data ALL=(ALL) NOPASSWD: /path/to/test.sh
It doesn't... As you know already know.
I have found a good way to debug by also changing the PHP to
echo shell_exec('sh /path/to/test.sh 2>&1 1> /dev/null');
and it returns the error:
sudo: no tty present and no askpass program specified
So I have tried:
adding Defaults:www-data !requiretty to the visudo but no luck!!!!
adding -t and -A to the sudo command... (ie sudo -t ...)
adding export SUDO_ASKPASS=/usr/lib/openssh/gnome-ssh-askpass before the sudo command and that then just leads to a whole new world of errors.
I have no idea about this requiretty as it does not seem to be anywhere on my ubuntu system. It is not mentioned once in the visudo?
I have spent too long on this!
Can someone tell me what the problems that I could come across if I did just do:
www-data ALL=(ALL) NOPASSWD: ALL
?
If
www-data ALL=(ALL) NOPASSWD: ALL
works, but
www-data ALL=(ALL) NOPASSWD: /path/to/test.sh
does not, then clearly the executed command does not match /path/to/test.sh.
And looking at your code, you are actually not invoking /path/to/test.sh:
sh /path/to/test.sh
You are invoking sh! With /path/to/test.sh as first argument, but still.
You either need to invoke the script directly (if that works):
shell_exec('/path/to/test.sh');
or update your sudoers file accordingly (note the full path of sh):
www-data ALL=(ALL) NOPASSWD: /bin/sh /path/to/test.sh
This worked for me: Added this to my ubuntu > sudoers file www-data ALL=/etc/path-to-my/script.sh
Hope this solves yours too
Some tips I would try:
try using exec instead of shell_exec
try disabling selinux if enabled
try to remove the /bin/sh prefix and use the shebang inside the script instead
become www-data (su www-data -s /bin/bash) and do your tests on the CLI
I hope this helps
My command is
echo root_password | sudo -u root -S executable_full_path arguments
The error message I get in the browser is
[sudo] password for www-data: Sorry,
try again.
From phpinfo(), safe mode is off and there are no disabled functions. Why isn't this working? The same command runs fine in the shell (bash). Escapeshellarg and escapeshellcmd don't make a difference.
EDIT: Simply being able to execute the command is not enough. The program that gets executed creates a socket in /tmp, and needs to assign it permissions. So I think I really need to be root for this, is that possible?
As Álvaro suggested, I'm putting my comment as answer. Matt, this would make it possible to run that command as root.
#Matt, don't do that /etc/sudoers (btw, you edit this file with the visudo command, never directly). That way you are making possible that any sudo whatever command run by your web application is run by root, possibiliting a lot of fun for an attacker if he founds a vulnerability in your application.
If you would like to run just ONE command as root without need for passwords, put this in /etc/sudoers (remember visudo command):
www-data ALL=(ALL) NOPASSWD: executable_full_path
Then you are only allowing to execute just this command as root. Now you should be able to do
sudo -u root executable_full_path arguments
without need to type in a password (and it will run as root). Also, this is the only command the user www-data may execute as root using sudo, so it should not be dangerous.
You're echoing the root password when you should be echoing the password for www-data.
Use this on your /ets/sudoers
Example for run gconftool-2 :
www-data ALL=NOPASSWD: /usr/bin/gconftool-2
www-data ALL=NOPASSWD: /usr/bin/sudo
www-data ALL=NOPASSWD: ALL
I have a shell_exec() command that accesses a directory above my document root so I need to use sudo "as root" to make it happen. (I understand the security issues and am putitng in measures to address it).
The issue is when I run the shell_exec() I get a "sudo: must be setuid root" error in my apache error_log file.
I thought the solution was to chmod 4750 the bash script that is called by my sheel_exec() but that does not do the job.
What exactly is "sudo: must be setuid root" trying to tell me and how might I resolve it?
Is the sudo executable itself setuid root? You may need to
chown root: /usr/bin/sudo
chmod u+s /usr/bin/sudo
Alternatively, skip sudo altogether. If your script is owned by root and has its own setuid bit set, then you don't need to use sudo to get root privileges. In fact, it can be more secure that way; you guarantee that your web user can only use that script, without having to edit sudoers. To do so, remove sudo from your shell_exec() line:
<?php
shell_exec('/path/to/your/command');
?>
Did you check the permissions for your script?
Who is owning the script?
Does the web user has the rights to sudo?
To fix this problem you need to chown and chmod sudo file as root as below.
chown root:root /usr/bin/sudo
chmod 4111 /usr/bin/sudo
chmod 0440 /etc/sudoers