I am trying to run a shell script from a PHP script.
PHP code :
<? php
$sss = escapeshellarg('virtualbox');
$result = shell_exec("/home/hani/Desktop/launchscript.sh '$sss' 2>&1 ");
echo "<pre>$result</pre>";
echo "<br />";
echo (shell_exec('whoami'));
?>
my shell script :
#!/bin/bash
sss=$1
echo 'the sudo password' |sudo -S service $1 restart
After I run the PHP code in a web server (Xampp), I got this output :
[sudo] password for daemon: Sorry, try again.
[sudo] password for daemon:
sudo: 1 incorrect password attempt
daemon
Although, I haven't set any password for the daemon user.
And after I checked the current user running the PHP code I found it is daemon.
After many researches here and in the net, I found that daemon can't run sudo commands.
I also found that I can fix this by editing the sudoers file and giving permissions to the daemon user to run sudo commands. However this is not a secured solution.
so my question is : How to run that script via the PHP code but not as a daemon?
PS : I tried this in order to change the current user running the PHP file :
$result = shell_exec(" sudo -u hani /home/hani/Desktop/launchscript.sh '$sss' 2>&1 ");
But I got this output in the browser :
sudo: no tty present and no askpass program specified
and the user remains daemon.
I am using Xampp in Ubuntu 16.04
Another information, I run this command in the terminal to know the owner of the 'httpd' service :
ps -ef | egrep '(httpd)' | grep -v `whoami` | grep -v root | head -n1 | awk '{print $1}'
the output is : daemon
I think i found a solution ( but still not sure about the security issues).
It only needs to change the default user (owner) and group of the httpd service. This can be done by editing the httpd.conf located in /opt/lampp/etc (if you are using Xampp). The default user, as I mentioned in the question, is daemon. However it has not permissions to run sudo commands, so it only needs to change that user by another one who has the permissions to run sudo commands (obviously the root user or your deafult user in Ubuntu).
a better way is give daemon access to run the one particular script you want
edit the sudoers file
sudo visudo
add in the following line (change the path to the script you want to run)
daemon ALL=(ALL) NOPASSWD: /home/ubuntu/scripts/script.sh
Related
I get this error when running a program from www-data.
Error
sudo: no tty present and no askpass program specified
But I have added the following to sudo visudo
www-data ALL = NOPASSWD: /var/bin/poppler-0.65.0/build/utils/pdfimages
The path /var/bin/poppler-0.65.0/build/utils/pdfimages is correct.. I have tested it from a terminal.
Command
sudo /var/bin/poppler-0.65.0/build/utils/pdfimages -list
data/scan_voucher/17.pdf
As you said that already setting up sudo visudo correctly, I will first take a look at Tarun Lalwani links, specially the part about disable requiring tty in your sudoers :
Defaults !requiretty
Try to do the same command but with flag -S actived (sudo -S yourcommand)
The -S (stdin) option causes sudo to read the password from the
standard input instead of the terminal device.
If it doesn't work for you, you can try a trick that seems to work like this one (from here):
echo '' | sudo -S your_command
That will send an empty password to first prompt to enter password.
How are you executing this from PHP? Try with:
#exec("sudo /var/bin/poppler-0.65.0/build/utils/pdfimages -list data/scan_voucher/17.pdf");
Hope that it helps!
If I am executing multiple commands like this
'sudo -s && cd /apps/10.0.10.200/wso2am-1.7.0/repository/logs && tail wso2carbon.log'
But when i'm login to the server with my user, i have to get the root permission by executing following command
sudo -s
And then I have to reenter the password also.
So my issue is when I execute above command, how can I pass my password.Because I have to execute the command and wait until it asks to enter the password.
please guide me on that to solve.
this is my code.
include('Net/SSH2.php');
$ssh = new Net_SSH2('10.0.10.200');
$ssh->login('xxxxx', 'xxxx') or die("Login failed");
echo $ssh->exec('sudo -s && cd /apps/10.0.10.200/wso2am-1.7.0/repository/logs && tail wso2carbon.log');
This is a very bad idea as long as you will need to keep the user's password in your code which represent a non-negligible security issue (full remote access to the ssh server). You should have a special account on the ssh server you are connecting to that would only allow access to the log file you want to show.
However if you take a look at this superuser question or run sudo --help. You'll see that you can use sudo -S to get the sudo command to read the password from stdin.
so this should do the trick:
$echo <password> | sudo -S <command>
using php:
echo $ssh->exec('echo '.$password.'| sudo -S tail /apps/10.0.10.200/wso2am-1.7.0/repository/logs/wso2carbon.log');
Go to your server and provide sudoers permission without password to your user.
This is highly insecure but you can edit you /etc/sudoers by using command sudo visudo
This command will open the /etc/sudoers file in the terminal now you can add you user entry in it using below line for executing sudoers command without password :
<user_name> ALL=NOPASSWD:ALL
Replace user_name with your user name in above line.
If your syntax goes wrong you can damage your sudoers file and hence won't be able to execute the sudo command.
If that happens use this command to rebuild your sudo file:
pkexec visudo
Then enter the sudo password.
I am running CentOS 6, as httpd is executed as user 'apache'. For security reasons, I want to use sudo to be executed via exec as user 'aq':
<?php exec("/usr/bin/sudo -u aq somescript.sh",$output,$return_val);?>
With visudo I have added the following line:
apache ALL = (aq) NOPASSWD: ALL
Furthermore I temporary gave apache as login shell (/bin/bash), to be able to test
/usr/bin/sudo -u aq somescript.sh
directly which worked.
php exec fails as $return_val delivers a '1' if sudo is invoked.
Comment out this line from /etc/sudoers
Defaults requiretty
I'v tested your case in few ways ant this one gives me success.
Under a controlled environment, I will try to execute some calls to shell, some of such commands will include sudo privileges.
I tried this php code line:
$out = shell_exec('sudo -u root -S ls < /home/user/.y/.qqz');
Where at last .qqz is a file containing actual password.
However apache log shows this output:
[sudo] password for www-data:
Like the password file is not being passed to the command stdi?
I already made www-data part of the sudo group. How can I get my objective done?
Well, i have this program i need to run via either functions however it is located on my dekstop (this ubuntu 11.04).
I moved it to /home/Username, but no dice.
I run
$blah = exec('sudo | echo mypassword | /home/server1/program commandhere', $test);
var_dump($test);
var_dump($blah); ?>
The output is nothing.
I was told if i wanted to run it via sudo i needed to add the Apache user which is www-data to the sudoers list, i added it, but no luck again.
Basically, i've tried A LOT of things, it just wont run. Why?
EDIT:
If i paste that into the terminal it works great, just not with exec,system nor passtrhu.
Use echo mypassword | sudo -S instead.
It also depends on which user has sudo privileges. If you want to run this from the apache process, you need to give the apache user sudo privileges as well.
Also, just to clarify, the command should be:
echo mypassword | sudo -S /home/server1/program commandhere
Look into your security log. Not sure where this is on Ubuntu, possibly /var/log/secure or /var/log/messages. I'm betting that you find a message there similar to sudo requires a TTY, or sorry, you must have a TTY to run sudo indicating that sudo is configured not to work without a real interactive shell. That is, sudo won't permit you to use it in a script or to be called by an external program.
I recently dealt with this issue myself while trying to bind a Gnome keyboard shortcut to a sudo command.
If this is the case, you'll need to comment out the following line in /etc/sudoers
#Defaults requiretty