I found my crontab scripts do not work as expected because they cannot write on /var/log. I tried executing command:
sudo /usr/bin/php /var/www/html/iPhone/inarrivo/php/rome/process.php >>
/var/log/romeLoading.log 2>&1
by hand and got:
-bash: /var/log/romeLoading.log: Permission Denied
/var/log permissions are:
drwxr-xr-x. 13 root root 4096 15 ago 16.20 .
If I conversely execute:
sudo touch /var/log/loadRome.log
I get no error whatsoever.
What could be the issue?
Please note Apache is not at stake: I am calling those scripts from the root crontab and from the shell with sudo as a test.
best guess: the user running the shell doesn't have write access to /var/log/romeLoading.log , and the stdout redirect (>>) is redirected by the shell user, not the sudo user, thus the access denied on >> , but not on sudo touch. maybe try
sudo sh -c '/usr/bin/php /var/www/html/iPhone/inarrivo/php/rome/process.php >> /var/log/romeLoading.log 2>&1'
that should run sh as root, and have the root-sh do the redirect with root permissions. untested though.
and next time you want to post permissions for debugging, post the namei -l path/to/file output, it gives much more info than stating the single file itself when debugging permission issues, as the issue can be higher up than the file itself, like the folder its in, or the folder that the folder it's in, is in, etc~ and namei gives you, recursively, detailed permission information on all of them.
It's a permissions issue as the log file belongs to root user and apache runs off www-data. Try chown www-data:www-data /var/log/loadRome.log.
Related
this is for Amazon EC2 linux.
I have a PHP script that runs a shell script.
So inside the shell script is a command to run node.
When I run the PHP script from the command line, the node executes.
When I run the PHP script from the browser, I get this message in the apache log:
/home/ec2-user/.nvm/versions/node/v8.11.3/bin/node: Permission denied
This is after doing a chmod 777 on /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
I also did chown ec2-user:apache /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
Also, here is the result of:
$ ls -alrt /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
-rwxrwxrwx 1 ec2-user apache 34800111 Jun 12 22:40 /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
Everyone has full permissions on it, how can I be getting a "Permission denied" error?
So again this works perfectly if I run the PHP script from the command line.
Ok this is a total no-no but it's temporarily a hack.
Since this is running on my AWS EC2 instance, I simply restrict everything via the security group and only allow the I.P. addresses I allow, so it's safe for me.
You have to add the permissions to the apache group in the sudoers file.
So, first:
$ sudo visudo
And then add:
%apache ALL = (ALL) NOPASSWD: ALL
To the end of the file. Again, it's bad, it's a hack, but it's a current workaround and I restrict access to the EC2 instance via the I.P. addresses in the security group anyways.
If you want to run this then you can go to /etc/sudoers and make apache as your sudo user and it will have root privileges to run the file in the browser.
The changes you will have to make are :-
First find the line
root ALL=(ALL) ALL
and then add the line below it
apache ALL=(ALL) NOPASSWD: ALL
I'd like to execute my script bash with php. My script is logging me into my server then creating me my account.
SCRIPT="useradd martinouh --home /home/martinouh --create-home; echo martinouh:$pass | chpasswd; usermod -s /bin/bash martinouh; usermod -aG sudo martinouh; usermod -aG docker martinouh;"
sshpass -p $pass ssh -o StrictHostKeyChecking=no root#$ip "${SCRIPT}"
sshpass -p $pass ssh-copy-id -i /home/Martinouh/.ssh/id_rsa.pub martinouh#$ip
But when i run it via shell_exec(); It does execute the script but not the part with sshpass.
What should I do in order to execute it ?
At the moment, just to test shell_exec();. I'm executing my script by calling localhost/script.php which contains the following
<?php
$output = shell_exec('bash select.sh');
echo $output;
?>
I'm getting this in the error_log :
Failed to change pseudo terminal's permission: Permission denied
Failed to change pseudo terminal's permission: Permission denied
Failed to change pseudo terminal's permission: Permission denied
Failed to change pseudo terminal's permission: Permission denied
Maybe it has to do with selinux and apache permission ?
Since the error messages refer to the pseudo terminal, try to disable this with -T. Most functionality that require pseudo terminal functionality is interactive and would not be appliccable in such a context anyway.
Ok now that i've disabled SELinux, it does execute the part that log then add an user ...
But it won't do the
sshpass -p $pass ssh-copy-id -i /home/Martinouh/.ssh/id_rsa.pub martinouh#$ip
I'm getting this on my webpage
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '/home/Martinouh/.ssh/id_rsa.pub': Permission denied
So I tried to move the key and chown -R apache:apache on it, what I get was this on my webpage :
/usr/bin/ssh-copy-id: ERROR: failed to open ID file './id_rsa': No such file or directory (to install the contents of 'id_rsa.pub' anyway, look at the -f option)
I tried with the -f but it doesn't change the
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '/.pub': No such file or directory
edit :
It is now working with SELinux disabled and to correct the ssh-copy-id, I had to copy the id_rsa.pub AND the id_rsa to a directory and chown -R apache:apache both of them. The private key was needed otherwise i coudn't copy my id_rsa.pub to the server (even with -f flag).
Now how should I correct this that we know what make it works (even tho it is not the proper way ?)
Give apache the right to access ~/.ssh/ ? (for ssh-copy-id)
Give apache the right to execute script / shell ? (SELinux)
I want to execute a Bash script present on the system from a PHP script. I have two scripts present on the system. One of them is a PHP script called client.php present at /var/www/html and the other is a Bash script called testscript present at /home/testuser.
My client.php script looks like
<?php
$message=shell_exec("/home/testuser/testscript 2>&1");
print_r($message);
?>
My testscript looks like
#!/bin/bash
echo "Testscript run succesful"
When i do the following on terminal
php client.php
I get the following output on terminal
Testscript run successful
But when i open the page at
http://serverdomain/client.php
I get the following output
sh: /home/testuser/testscript: Permission denied
I get this error even after I did chmod +x testscript.
How do I get it to work from the browser? Please help.
I would have a directory somewhere called scripts under the WWW folder so that it's not reachable from the web but is reachable by PHP.
e.g. /var/www/scripts/testscript
Make sure the user/group for your testscript is the same as your webfiles. For instance if your client.php is owned by apache:apache, change the bash script to the same user/group using chown. You can find out what your client.php and web files are owned by doing ls -al.
Then run
<?php
$message=shell_exec("/var/www/scripts/testscript 2>&1");
print_r($message);
?>
EDIT:
If you really want to run a file as root from a webserver you can try this binary wrapper below. Check out this solution for the same thing you want to do.
Execute root commands via PHP
Without really knowing the complexity of the setup, I like the sudo route.
First, you must configure sudo to permit your webserver to sudo run the given command as root. Then, you need to have the script that the webserver shell_exec's(testscript) run the command with sudo.
For A Debian box with Apache and sudo:
Configure sudo:
As root, run the following to edit a new/dedicated configuration file for sudo:
visudo -f /etc/sudoers.d/Webserver
(or whatever you want to call your file in /etc/sudoers.d/)
Add the following to the file:
www-data ALL = (root) NOPASSWD: <executable_file_path>
where <executable_file_path> is the command that you need to be able to run as root with the full path in its name(say /bin/chown for the chown executable). If the executable will be run with the same arguments every time, you can add its arguments right after the executable file's name to further restrict its use.
For example, say we always want to copy the same file in the /root/ directory, we would write the following:
www-data ALL = (root) NOPASSWD: /bin/cp /root/test1 /root/test2
Modify the script(testscript):
Edit your script such that sudo appears before the command that requires root privileges(say sudo /bin/chown ... or sudo /bin/cp /root/test1 /root/test2). Make sure that the arguments specified in the sudo configuration file exactly match the arguments used with the executable in this file.
So, for our example above, we would have the following in the script:
sudo /bin/cp /root/test1 /root/test2
If you are still getting permission denied, the script file and it's parent directories' permissions may not allow the webserver to execute the script itself.
Thus, you need to move the script to a more appropriate directory and/or change the script and parent directory's permissions to allow execution by www-data(user or group), which is beyond the scope of this tutorial.
Keep in mind:
When configuring sudo, the objective is to permit the command in it's most restricted form. For example, instead of permitting the general use of the cp command, you only allow the cp command if the arguments are, say, /root/test1 /root/test2. This means that cp's arguments(and cp's functionality cannot be altered).
I was struggling with this exact issue for three days. I had set permissions on the script to 755. I had been calling my script as follows.
<?php
$outcome = shell_exec('/tmp/clearUp.sh');
echo $outcome;
?>
My script was as follows.
#!bin/bash
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
I was getting no output or feedback. The change I made to get the script to run was to add a cd to tmp inside the script:
#!bin/bash
cd /tmp;
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
This was more by luck than judgement but it is now working perfectly. I hope this helps.
It's a simple problem. When you are running from terminal, you are running the php file from terminal as a privileged user. When you go to the php from your web browser, the php script is being run as the web server user which does not have permissions to execute files in your home directory. In Ubuntu, the www-data user is the apache web server user. If you're on ubuntu you would have to do the following:
chown yourusername:www-data /home/testuser/testscript
chmod g+x /home/testuser/testscript
what the above does is transfers user ownership of the file to you, and gives the webserver group ownership of it. the next command gives the group executable permission to the file. Now the next time you go ahead and do it from the browser, it should work.
I want to execute a Bash script present on the system from a PHP script. I have two scripts present on the system. One of them is a PHP script called client.php present at /var/www/html and the other is a Bash script called testscript present at /home/testuser.
My client.php script looks like
<?php
$message=shell_exec("/home/testuser/testscript 2>&1");
print_r($message);
?>
My testscript looks like
#!/bin/bash
echo "Testscript run succesful"
When i do the following on terminal
php client.php
I get the following output on terminal
Testscript run successful
But when i open the page at
http://serverdomain/client.php
I get the following output
sh: /home/testuser/testscript: Permission denied
I get this error even after I did chmod +x testscript.
How do I get it to work from the browser? Please help.
I would have a directory somewhere called scripts under the WWW folder so that it's not reachable from the web but is reachable by PHP.
e.g. /var/www/scripts/testscript
Make sure the user/group for your testscript is the same as your webfiles. For instance if your client.php is owned by apache:apache, change the bash script to the same user/group using chown. You can find out what your client.php and web files are owned by doing ls -al.
Then run
<?php
$message=shell_exec("/var/www/scripts/testscript 2>&1");
print_r($message);
?>
EDIT:
If you really want to run a file as root from a webserver you can try this binary wrapper below. Check out this solution for the same thing you want to do.
Execute root commands via PHP
Without really knowing the complexity of the setup, I like the sudo route.
First, you must configure sudo to permit your webserver to sudo run the given command as root. Then, you need to have the script that the webserver shell_exec's(testscript) run the command with sudo.
For A Debian box with Apache and sudo:
Configure sudo:
As root, run the following to edit a new/dedicated configuration file for sudo:
visudo -f /etc/sudoers.d/Webserver
(or whatever you want to call your file in /etc/sudoers.d/)
Add the following to the file:
www-data ALL = (root) NOPASSWD: <executable_file_path>
where <executable_file_path> is the command that you need to be able to run as root with the full path in its name(say /bin/chown for the chown executable). If the executable will be run with the same arguments every time, you can add its arguments right after the executable file's name to further restrict its use.
For example, say we always want to copy the same file in the /root/ directory, we would write the following:
www-data ALL = (root) NOPASSWD: /bin/cp /root/test1 /root/test2
Modify the script(testscript):
Edit your script such that sudo appears before the command that requires root privileges(say sudo /bin/chown ... or sudo /bin/cp /root/test1 /root/test2). Make sure that the arguments specified in the sudo configuration file exactly match the arguments used with the executable in this file.
So, for our example above, we would have the following in the script:
sudo /bin/cp /root/test1 /root/test2
If you are still getting permission denied, the script file and it's parent directories' permissions may not allow the webserver to execute the script itself.
Thus, you need to move the script to a more appropriate directory and/or change the script and parent directory's permissions to allow execution by www-data(user or group), which is beyond the scope of this tutorial.
Keep in mind:
When configuring sudo, the objective is to permit the command in it's most restricted form. For example, instead of permitting the general use of the cp command, you only allow the cp command if the arguments are, say, /root/test1 /root/test2. This means that cp's arguments(and cp's functionality cannot be altered).
I was struggling with this exact issue for three days. I had set permissions on the script to 755. I had been calling my script as follows.
<?php
$outcome = shell_exec('/tmp/clearUp.sh');
echo $outcome;
?>
My script was as follows.
#!bin/bash
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
I was getting no output or feedback. The change I made to get the script to run was to add a cd to tmp inside the script:
#!bin/bash
cd /tmp;
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
This was more by luck than judgement but it is now working perfectly. I hope this helps.
It's a simple problem. When you are running from terminal, you are running the php file from terminal as a privileged user. When you go to the php from your web browser, the php script is being run as the web server user which does not have permissions to execute files in your home directory. In Ubuntu, the www-data user is the apache web server user. If you're on ubuntu you would have to do the following:
chown yourusername:www-data /home/testuser/testscript
chmod g+x /home/testuser/testscript
what the above does is transfers user ownership of the file to you, and gives the webserver group ownership of it. the next command gives the group executable permission to the file. Now the next time you go ahead and do it from the browser, it should work.
I have a function in PHP language to create an xml file when requested.
if(($file= fopen("./include/catalogo.xml", "w"))==false){echo 'non creo il file'; return false;}
"catalogo.xml" can't be created, permission denied. I know I should try to change permissions, but how can do this if the file doesn't exist? Or, are there things that I ignored?
I think you might be ignoring the permissions of the directory (./include).
I'm assuming you are running this PHP via a web-server and on Linux (like Apache for example) - in which case the user account that is trying to create the file will be 'apache' or 'www-data' (or whatever user your webserver is running under).
On your server - have a look at the permissions of ./include - you need to do one of two things:
a) make ./include world writable (so the 'apache' user can now create a file inside of it).
b) change the owner or group of the ./include to 'apache' so it can create a file inside of it.
Your PHP is fine - it's the permissions of the folder it is trying to create the file inside of that is not.
You have to change the ownership of the directory "include" and set it to the web server's user and set the permission to a reasonable value:
$ sudo chow www-data include
$ sudo chmod 755 include
If you don't know which user your web-server is running by you can open the include dir permissions world-wide:
$ sudo chmod 1777 include
after create the creation of catalogo.xml you check the include diretory:
$ sudo ls -al include
-rwxr-xr-x 1 http web 4096 May 5 15:37 catalogo-xml
Now you can change the ownership of the directory "include" and set it to the web server's user (http) and reset the permission to a reasonable value:
$ sudo chow http include
$ sudo chmod 755 include
See also the manual of chmod, chown and ls:
$ man chmod
$ man chown
$ man ls
If you use the terminal and go to the parent of folder your file will be created in, which is the parent of the include folder and type in the command:
chmod 777 include
This should change the permissions of this folder so you won't receive the permission denied error anymore. If you do try this command:
chmod -R 777 include