I created multiple vhosts and needed to reload Apache to make them available; however, shell_exec('service apache2 reload') didn't seem to work inside the container.
From my understanding, the php-apache (link) container runs under the www-data user, therefore it doesn't have permission to trigger the sudo command. So is there any way to shell_exec a sudo command?
FYI guys, this question is regarding a Docker container environment, not a normal Linux box. Basically I can do all these commands under normal Apache on the host machine; however, I want to experiment with it in a Docker container. Ultimately, I would try all the other sudo commands such as a2ensite, a2dissite, etc.
Any thought? Thanks.
This is very highly discouraged, for security reasons.
If you know what you are doing, usage in a local private network, filtering user data, you can add php, or a full user as root, to the sudoers file with the tool visudo:
sudo visudo
This way php won't ask for passwords at all.
Your scripts then need to be called with sudo, so they can contain shell_exec sudo commands:
sudo ./script.php
Adding a full user is also more than highly insecure, but from my view it is also very good for dev/hack and learning. It's good to know how this works and play around, to later focus on security.
It permits creating scratch system applications with powerful privileges and their web interface.
In the sudoers file, add:
www-data ALL=(ALL) NOPASSWD: DNSRELOAD
This is highly used in private research environments.
See the sudoers manual: https://www.sudo.ws/man/sudoers.man.html
A very similar question: https://unix.stackexchange.com/questions/110931/using-sudoers-to-allow-php-to-run-command
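A worked version of the NOPASSWD rule above, added here as an example and not part of the answer: instead of an alias the answer never defines or a blanket ALL, it grants www-data exactly one command, and it syntax-checks the drop-in with visudo before a typo can break sudo for everyone. The paths /usr/sbin/service and /etc/sudoers.d are Debian assumptions.

```shell
#!/bin/sh
# Added example (not the answer's own configuration). Assumes Debian paths:
# /usr/sbin/service and /etc/sudoers.d; adjust for other distributions.

# Print a sudoers drop-in that lets USER run exactly one command as root
# without a password. The full path and the fixed arguments are part of the
# rule, so "service apache2 restart" or "service ssh reload" stay refused.
render_reload_rule() {
    user="$1"
    printf 'Cmnd_Alias APACHE_RELOAD = /usr/sbin/service apache2 reload\n'
    printf '%s ALL=(root) NOPASSWD: APACHE_RELOAD\n' "$user"
}

# Write the drop-in into DIR (normally /etc/sudoers.d) with the 0440 mode
# sudo insists on. The file name must not contain '.' or '~', otherwise
# sudo silently ignores it. When run as root with visudo available, the
# file is syntax-checked and removed again if it fails, because one bad
# line in sudoers.d breaks sudo for every user on the machine.
# Returns 0 on success, 1 if validation rejected the file.
install_reload_rule() {
    dir="$1"; user="$2"
    target="$dir/${user}-apache-reload"
    umask 077
    render_reload_rule "$user" > "$target"
    chmod 0440 "$target"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$target" >/dev/null 2>&1; then
            rm -f "$target"
            return 1
        fi
    fi
    return 0
}

# Usage on the target machine (as root):
#   install_reload_rule /etc/sudoers.d www-data
# Afterwards the only privileged call that works from PHP is:
#   shell_exec('sudo -n /usr/sbin/service apache2 reload');
```

The -n flag makes sudo fail immediately instead of hanging on a password prompt when the rule does not match.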
No, you can't do this directly if your script is running under Apache. Your script doesn't have enough rights to run such a command.
Anyway, I think that it's a very dangerous idea to give to your script the rights to use sudo, through Apache.
But you can leave a piece of information in your database or in a file on the server, and then let a script reload Apache via a superuser's crontab, for example, if the information is found.
Example code:
<?php
if ($something_happened) {
    // leave a marker file on the server.
    touch('/srv/have_to_reload_apache');
}
?>
The superuser's cron (could be a sh script or whatever):
sudo crontab -e
write:
*/5 * * * * php /path/to/sudo_script.php
This will run the script every 5 minutes.
The script could be:
<?php
if (file_exists('/srv/have_to_reload_apache')) {
shell_exec('service apache2 reload'); // Reload apache
unlink('/srv/have_to_reload_apache'); // Remove information
}
?>
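The root-side half of this marker-file pattern as a shell script for the superuser's crontab, added here as an example and not the answer's own code. It adds two checks the PHP version above does not make: the marker is consumed before anything else, so a permanently broken config cannot trigger a reload attempt every five minutes, and the reload only happens if the configuration passes a config test. It assumes Debian-style apache2ctl and service commands; both are overridable through environment variables so the logic can be exercised without a running Apache.

```shell
#!/bin/sh
# Added example, not the answer's code. Assumes Debian-style commands
# (apache2ctl, "service apache2 reload"); APACHECTL and RELOAD_CMD override
# them for other distributions or for testing without Apache.

# Consume the marker and reload Apache. Returns 0 when nothing was
# requested or the reload succeeded, 2 when the config test failed (the
# marker is still removed, so a broken vhost file is reported once instead
# of being retried every five minutes), and the reload command's own
# status otherwise.
reload_if_requested() {
    marker="${1:-/srv/have_to_reload_apache}"
    apachectl="${APACHECTL:-apache2ctl}"
    reload_cmd="${RELOAD_CMD:-service apache2 reload}"

    # Only a regular file at the agreed path counts as a request; ignore
    # symlinks, directories or anything else the web user might put there.
    [ -f "$marker" ] && [ ! -L "$marker" ] || return 0
    rm -f "$marker"

    # Refuse to push a configuration live that does not pass the config
    # test; the failure goes to syslog where the operator will see it.
    if ! $apachectl configtest >/dev/null 2>&1; then
        logger -t apache-reload "configtest failed, reload skipped" 2>/dev/null || :
        return 2
    fi
    $reload_cmd
}

# crontab entry for root (every five minutes, as in the answer):
#   */5 * * * * /usr/local/sbin/apache-reload-if-requested
case "$0" in
    */apache-reload-if-requested) reload_if_requested ;;
esac
```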
I have a shell script, which when executed, makes some folders and copies files into them. I also have a node.js "program", which does exactly what the shell script does.
When I call the shell script using PHP's shell_exec, I get a permission error, which basically says that the shell script does not have privileges to make folders. I did some googling and turns out I'd have to setup passwordless sudo and who knows what else trickery to fix this.
However, I made an exact same thing with node and when I run the node "program" by calling it with shell_exec just like before and it seems that this node "program" has the rights to do whatever.
What is the reason behind this? Why do "programs" have privileges when run, but shell scripts do not? Is this a legitimate way to do, for example, file system operations (calling something made with node.js from PHP)? Because it is annoying to fiddle with the permissions if I try to do the same operations with PHP.
PHP is run by Apache or something similar, under the user www-data or http or something like that. Your node server probably runs under the piwwoli user. piwwoli can create a directory under /home/piwwoli, but www-data can't.
Both programs and shell scripts have privileges when they run; the question is who is running them.
You can create a directory that is writable both by www-data and piwwoli:
mkdir /path/to/dir
chown piwwoli:www-data /path/to/dir   # maybe you'll need sudo for this to work
chmod g+w /path/to/dir                # group write is enough once the group is www-data
I've recently set up my Apache2 server on my Linux machine. Now I wanted to execute a PHP script (index.php) which runs a shell script (foo.sh), which creates a folder in my home directory, but the directory was not created.
These are the original two files:
foo.sh:
#!/bin/bash
mkdir /home/lorenzo/testDir
index.php:
<?php
exec('sh foo.sh');
?>
So I thought maybe the problem occurs because of privileges or something, and indeed, after I changed the files to this:
foo.sh:
#!/bin/bash
echo "Hello world"
index.php:
<?php
$temp = exec('sh foo.sh');
echo $temp;
?>
I saw the output Hello World on my website.
So the PHP script is executed and it runs the shell script. But why can't the shell script execute the mkdir command?
This indeed is most likely a permission issue.
You first have to figure out which user Apache runs as. This is usually www-data (on Debian-ish Linuxes, such as Ubuntu) or apache (on RedHat-ish Linuxes) or something along those lines. A ps -eF | grep apache will reveal the user.
After you figured that out, make sure that the apache user has the appropriate rights in your home directory. You can either add it to your user group (using usermod -a -G ... and then chmod g+w ~) or allow writing for all users (chmod o+w ~).
But both of these are a bad idea. Your PHP script (or anything else running as the apache user) can be broken into and cracked, leaving your home directory open for malicious attackers to modify and rm -rf.
In addition, if you're running a RedHat-ish Linux, you will run into SELinux, which by default prevents apache from accessing user directories at all. In that case, you also have to set setsebool -P httpd_enable_homedirs on.
Instead, I would recommend that you use a different directory and give your user full access to that. Something along the lines of /var/www/testDir with apache as owner and group, and adding yourself to the apache user group, is probably a sane idea.
It looks like a permission issue. Make sure that Apache has write permission to that directory.
You may have permission issues on the server. Try to use chmod -R 775 <dirname> (or 777) in your ssh command line. You can do this in PHP code with chmod() too, but I don't suggest it because it would run every time the PHP code runs, and changing it more times is pointless. It can output to the screen, but I bet the directory the script wants to make the file in has permission 755. Try to check it.
I have a couple of bash scripts on a CentOS box which I use to do basic server admin stuff like restart services, etc. I run these as a standard user who is also the scripts' owner.
I tried to run these using shell_exec() in PHP, with the apache user, but it simply doesn't work - I'm guessing it doesn't have enough permissions (even with 775 and being in the correct group!) to run everything I want it to.
I've tried editing the sudoers file giving apache permission to run the script calls but it still doesn't work and has no error messages that I can see.
Any thoughts? How can one trigger a script from a web page which requires a different user to run?
Check under which user Apache is running (for Debian it is www-data).
Add www-data to the sudoers list with permission to execute the files that you like.
Check which shell the www-data user has in /etc/passwd (you will need to give it a valid shell).
Run the script with /bin/bash -x (it will output for sure).
Make sure safe mode is off. Also verify the user is the one you expect:
<?php echo exec('whoami'); ?>
I'm setting up a new server and of course I didn't document every change I did to the last one but I'm getting there.
I have a weird issue, I'm trying to do a simple call in php:
exec('service httpd reload');
And it's not doing anything. I can execute other commands such as tar. I did check php.ini for disabled_functions and it's empty. The username PHP is using for creating files/folders is "apache" as well.
Does anyone know any other areas I can check? This is a fresh install of php 5.2.x so I'm sure there is a security setting in apache or something blocking this.
Well, your Apache is most probably running under a normal user account (www-data or apache; it depends on your distribution), but to restart Apache (or any other service) you have to be root.
You could use sudo to elevate your privileges.
You can't restart Apache as a normal user, but you should never leave your root password written in a file. If you really have to run that command from php, there's an alternative method.
You can allow certain commands to be run as root by a certain user without specifying a password. To do this you must edit the /etc/sudoers file with visudo and add the tag NOPASSWD to the command you want to run. Here is the example from the man page:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
This would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself.
I'm trying to configure Apache & PHP for my project, to create a web-based file config management for OpenVPN on BSD Unix, but I can't run as superuser to start or stop the service.
You can use a script with setuid to do the actual command.
i.e. some bash script like this would do it:
#!/bin/sh
/etc/init.d/openvpn "$1"
You should chmod +s yourscript.sh and use system('yourscript.sh start') in PHP.
Note: you have to be really careful with that because it could open big security holes.
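One of those holes is the unvalidated $1: whatever the web page passes reaches the privileged init script unchanged. Added here as an example and not the answer's own script, this is the same dispatcher with the action checked against a fixed list and the environment scrubbed before anything privileged runs; the /etc/init.d/openvpn path is the answer's, the script name openvpn-ctl is an assumption.

```shell
#!/bin/sh
# Added example, not the answer's own script. Assumes the init script
# /etc/init.d/openvpn from the answer; the path is a parameter so the
# checks can be exercised without one.

# Accept only the exact words the init script understands. Returns 0 when
# ACTION is allowed, 1 otherwise; anything else ("start; id", "", "Start")
# is refused before it reaches a shell or the init script.
valid_action() {
    case "$1" in
        start|stop|restart|status) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the init script with a validated action only. A fixed PATH and an
# emptied environment (env -i) stop a variable supplied through the web
# server from influencing what the privileged child does.
run_service() {
    init_script="$1"; action="$2"
    if ! valid_action "$action"; then
        printf 'refused action: %s\n' "$action" >&2
        return 1
    fi
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin "$init_script" "$action"
}

# Entry point when installed as /usr/local/sbin/openvpn-ctl and invoked
# from PHP through a sudoers rule limited to that one path, e.g.
#   shell_exec('sudo -n /usr/local/sbin/openvpn-ctl start');
case "$0" in
    */openvpn-ctl) run_service /etc/init.d/openvpn "$1" ;;
esac
```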
Do you have sudo access on the machine? That is, can you prefix your start/stop commands with "sudo" to run them as a superuser?
If not, I think you're out of luck. But there's almost no information here to work with.