Executing terminal commands from PHP with sudo rights - php

I want to start a Python script from inside PHP code but I can't get the script to run with sudo rights. I'm running a LAMP installation with PHP 7.1 and the script needs to download and create temporary files.
I have tried putting the script in sudoers like this:
www-data ALL=(root) NOPASSWD: /var/www/html/smuggler/process-data.py
and with some other variation of this I found online, but it didn't work. I also tried to set the rights to the Python file itself using chmod but that didn't work either.
Everything I found online didn't work.
The only way it works is when i run it from the terminal as sudo.
I'd appreciate if someone could help me. Thanks.

Related

Meshlabserver : Cannot connect to X server error

I have meshlab installed on my machine running Ubuntu 14.04 OS. I can access it from the command line using the meshlabserver command. But a problem arises whenever I try to call it from a php script using the command
<?php
system('meshlabserver 2>&1');
?>
It shows the error meshlabserver: cannot connect to X server. After going through a few websites I did the following things:
I moved the meshlabserver executable from /usr/bin to /usr/local/bin and gave it executable permissions using
sudo chmod a+x meshlabserver
But when I ran the whoami command from my php script (calling the meshlabserver), it showed www-data. So I gave executable permissions for all users to the meshlabserver using
sudo chmod 777 /usr/local/bin/meshlabserver
But still it is showing the same meshlabserver: cannot connect to X server error. The meshlabserver command is working fine when run from the command line.
I really need to call meshlab from the php script for my website. Thus any help would be highly appreciated. Thanks in advance.
It seems the php script can't access your display variable. If you logged in via ssh, remember to tunnel your X-server via 'ssh -X ...'. Your second option is to create a virtual frame buffer using Xvfb and redirect the display variable to it:
export DISPLAY=:100.0
Xvfb :100 &
Note the ampersand for the second command as Xvfb needs to be running in the background.
A combo of prior answers works for me:
ssh -X, as well as export DISPLAY=:0.0 (on remote)

Cannot run php-gpio through apache and using exec() with sudo

On my Raspberry Pi Model B-Rev2 running Raspbian 3.10.25 I am following the instructions on https://github.com/ronanguilloux/php-gpio to control the pins. But I simply cannot get it to work. According to the instructions this should be the command in triggerMyScript.php:
exec('sudo -t /usr/bin/php ./myGpioScript');
But depending on content in myGpioScript I get errors in Apache log error.log saying stuff like command not found and No such file or directory.
I have also made additions to /etc/sudoers as instructed.
It works perfectly fine if I run php triggerMyScript.php from the command line.
After spending several hours I found the solution. I needed to do the following things besides what the instructions on php-gpio say:
In myGpioScript the first line had to be #!/usr/bin/php instead of #!/usr/bin/env php
I had to add php after -t, like this: exec('sudo -t php /usr/bin/php ./myGpioScript'); (which makes sense when you think about it, but the instructions don't say it like that)
I had to add this to the sudoers file: www-data ALL=NOPASSWD: /usr/bin/php - so that www-data can also run php without limitations. Specifying permission for the actual script files was actually not necessary!
File permissions on any of the files are not relevant either, so just leave them low.
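Added example, not part of the original answer or of php-gpio: a Python check that reads sudoers text and reports rules for the web server account like the two quoted on this page (a script under /var/www and a bare /usr/bin/php). The interpreter list, the /var/www/ web root, the gpio run-as user and the set-pin command are assumptions made for the illustration.

```python
import os
import re

# Assumed list: programs that execute arbitrary code supplied by the caller.
INTERPRETERS = {"php", "python", "perl", "ruby", "bash", "sh", "dash", "env"}
# Assumed web root; files here are often writable by the web server account.
WEB_PATHS = ("/var/www/",)

# user  host = (runas) [TAG:] command[, command ...]
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

def audit_sudoers(text, account="www-data"):
    """Return (line_no, command, reason) for risky rules granted to `account`."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = RULE.match(line)
        if not match or line.startswith("#") or match.group(1) != account:
            continue
        runas = match.group(3) or "root"  # sudo runs as root when no (runas) is given
        for spec in match.group(4).split(","):
            command = TAGS.sub("", spec.strip())
            tokens = command.split()
            if not tokens:
                continue
            name = re.sub(r"[\d.]+$", "", os.path.basename(tokens[0]))  # php7.1 -> php
            if tokens[0] == "ALL":
                reason = f"any command as {runas}"
            elif name in INTERPRETERS and len(tokens) == 1:
                reason = f"interpreter without fixed arguments: any code runs as {runas}"
            elif any(tok.startswith(WEB_PATHS) for tok in tokens):
                reason = f"script under web root: whoever can edit it runs code as {runas}"
            else:
                continue
            findings.append((line_no, command, reason))
    return findings

# Constructed sample: lines 2 and 3 are the rules quoted on this page,
# line 4 is a hypothetical narrowly scoped rule for comparison.
SAMPLE = """\
# /etc/sudoers.d/web (constructed)
www-data ALL=(root) NOPASSWD: /var/www/html/smuggler/process-data.py
www-data ALL=NOPASSWD: /usr/bin/php
www-data ALL=(gpio) NOPASSWD: /usr/local/sbin/set-pin 17 on
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding, sep=" | ")
```
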

PHP let www-data run a command as if it were a different user

So I want to execute the following command in my php script:
exec("/path/to/command");
Because it is the www-data user who runs php scripts, I currently cannot run this command.
I have read something about suexec being able to run a command as if it was a different user. I find it rather difficult to understand how this works.
I have already installed suexec and edited the /etc/apache2/suexec/www-data file and added:
/home/user_to_run_command/script.php
I have also edited /etc/apache2/sites-enabled/000-default and added:
SuexecUserGroup user_to_run_command user_to_run_command
Am I missing anything?
suEXEC will work only when PHP is executed in CGI mode but not if PHP is running as an apache2 module. I guess you are running it as a module.
An alternative might be to transfer the ownership to the desired user and then set the suid bit:
chown desired_user your.program
chmod u+s your.program
Now when executing your.program it has permissions as if it were executed by its owner. Follow the wiki article that I've linked for more information.
Side note: This will work with binaries only (not with shell scripts, as they are executed by the shell binary, which has no suid bit set)
I had the same problem and finally found a solution which as far as I can see is both safe and simple. A disadvantage of this method is that you have to take care of security updates when they are published.
What we are gonna do is make our own special shell which we chown and SUID to the user which we want the task to perform. To remain safe this user should be just an ordinary user without extensive system rights and place the script somewhere others are not allowed. Now we let php execute a script which uses this special shell and all commands within this script will be executed as the chosen user.
In practice:
sudo mkdir /usr/lib/specialshell
sudo chown user_who_may_run_command:root /usr/lib/specialshell
sudo chmod 700 /usr/lib/specialshell
sudo cp /bin/perl specialperl
sudo chown user_to_run_command:usergroup_to_run_command specialperl
sudo chmod u+s specialperl
sudo mv specialperl /usr/lib/specialshell
Now we make a script named command.script containing:
#!/usr/lib/specialshell/specialperl
$ENV{"PATH"} = "/usr/bin";
system("/path/to/command");
and from php code we use:
exec("/path/to/command.script");
et voila, no code change, just the name of command in php.
edit: works only with perl as shell, so changed bash to perl and put the shell somewhere safe

PHP-CLI Permission Question

Dear Stackoverflow'er:
I am currently trying to run my script over PHP-CLI. I want to create a file over:
fopen($filename, "w+")
If I run this over the web browser, the script will be able to create the file, since the folder is owned by 'www-data'.
But if I try to run it over CLI it doesn't work, since PHP does not have the same user, so I added www-data into /etc/sudoers with NOPASSWD.
I tried then to run:
sudo -u www-data php ./content.php
But it still doesn't work, do you have maybe a suggestion?
Best,
djcrackhome

Executing a bash file from a php page with root-only commands (Ubuntu)

I need to execute a bash file from a php page, with the exec() function. The problem is that in this bash file, there's the command "adduser" ... Which is a sudo command. I had the idea of modifying the sudoers so the user that runs the script would have access to it, but who is this user? I know apache2 is executed with the www-data user...
Thanks!
You can find out which user PHP is running as by using system to run the command 'whoami' and display the output.
system('whoami');
That seems like a rather bad plan, giving the www-user sudo access. But yes, it's www-data (by default, depending on Linux flavor) that apache runs under.
