I am running an Apache server on CentOS and need to run some bash scripts from PHP page. Running commands which do NOT need write or execute permission from PHP file works fine (for example shell_exec('ls /var/www/html/scripts/')), but I have problem running the commands that do need write or execute permission. For example this commands does nothing:
<?php
$output = shell_exec('/var/www/html/scripts/test.sh');
echo $output;
?>
I made apache user owner and granted necessary permissions to scripts directory:
drwxr-xr-x. 2 apache apache 21 Jun 3 09:54 scripts
and test.sh file as can be seen, but there was no lock.
-rwxr-xr-x. 1 apache apache 51 Jun 3 09:54 test.sh
I also tried to sudo the command in PHP file and added the line below to the end of Sudoers file, but nothing changed.
apache ALL=NOPASSWD: /var/www/html/scripts/test.sh
Also I checked PHP safe_mode which is off and there is no restriction in php.ini file:
disable_functions =
Your kind help would be highly appreciated.
NOTE:
I edited my bash script and added sudo like below:
#!/bin/bash
echo "Hi from test.sh";
sudo touch /var/www/html/scripts/file.log;
Now when I run the file as apache user using this command, it runs successfully:
su -s /bin/sh apache -c "/var/www/html/scripts/test.sh"
But through the php web page it only runs echo "Hi from test.sh"; line. When I check logs, there are lines below for running command above:
su: pam_unix(su:session): session opened for user apache by root(uid=0)
sudo: apache : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/touch fromweb.log
su: pam_unix(su:session): session closed for user apache
And the generated log when running from php web page:
sudo: apache : TTY=unknown ; PWD=/var/www/html/scripts ; USER=root ; COMMAND=/bin/touch fromweb.log
Missing pam_unix(su:session) open and close.
I found what the issue was. It was because of Linux SELinux feature. This feature applies a least-privilege policy and denies any unnecessary command from running on Linux. The bash script is running successfully after disabling this feature. To do so, edit the file /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled and reboot the system. THIS IS NOT RECOMMENDED FOR SECURITY REASONS, however. You may check the link below to only create some exceptions rather than completely disabling SELinux.
https://wiki.centos.org/HowTos/SELinux
Related
I am having an issue and I don't understand what is going on. I am basically using this PHP script to try and run a go binary :
<?php
shell_exec('/go/bin/x -arg -arg etc');
If I run this PHP file via command line it works. If I run it directly in browser (it's under www) it does not work. No errors whatsoever.
cli runs as root and apache as www-data. I have set the permissions to 0777 for /go/bin/x and I have also changed the owner / group to www-data. Still nothing.
What can cause this behavior ?
Also note that shell_exec works, but so far I have only ran other php files.
I do not know how I did not think about this before... The issue was that 1 of the input args contained a location to a text file and apache did not have the rights to read the file. The error was in /var/log/apache2/error.log
To Whom It May Concern.
I have same issue that I cannot run shell_exec/exec via website even they were run well in terminal.
See log:
[13-Jul-2020 19:57:23 UTC] PHP Warning: shell_exec() has been disabled for security reasons in /...test_script.php on line 3
Case 1: Check all php.ini where disable_function does not contain "shell_exec" or "exec"
$ sudo find / -name "php.ini"
$ sudo cat <path_to_php.ini> | grep disable_functions
// disable_functions = <<= This is OK
// disable_functions = "shell_exec, exec, system...." <<= They are disabled
Remove function that you want to use. Don't forget restart server.
Case 2: If disable_functions are all empty for all php.ini. Check your PHP-FPM on your hosting via Cpanel. Go to "MultiPHP Manager" from your Cpanel and check PHP-FPM status on your domain. Turn it off and you will be able to run shell_exec();
I an Ubuntu 16.04 machine running NGINX and PHP. I would like to enable the www-data user (via web browser) to be able to access a PHP page (php-test.php) that will execute either a bash script (script_test.sh) or execute Linux CLI commands using shell_exec or exec.
I have done the following.
Created my bash script file script_test.sh
#!/bin/bash
whoami
echo $USER
echo 'test'
exit
when I run this from CLI, using
./ script_test.sh
It does indeed work and I can see the info echoed out in the CLI.
I then pursued the goal of being able to allow the www-data user run this bash script through a PHP page running on this same machine from NGINX.
I created my php page (php_test.php) and it contains the following
<?php
chdir('/path/to/my/files/');
shell_exec('./script_test.sh'); // ATTEMPT RUN SCRIPT
shell_exec('/path/to/my/files/script_test.sh'); // ATTEMPT RUN SCRIPT
echo 'test 123'; // SIMPLE ECHO IN THE PHP PAGE
?>
I then ran the following to modify the sudoers file, giving www-data access to the bash script
sudo nano /etc/sudoers
to which I added the following line
www-data ALL=NOPASSWD: /path/to/my/files/script_test.sh
I then made sure the script was executable, for the sake of my testing, not worrying about security, I just set it to 777 with the following command
sudo chmod 777 script_test.sh
From there I opened a web browser and browsed to the localhost (NGINX) web server (php_test.php) and the only thing I see on the page is the 'test 123' that I echo from PHP... none of the bash script appears to have run at all. I tailed the NGINX error log and don't see any error at all.
Is there another log that could contain clues on this?
What else should I check here?
The result of shell_exec() is returned as string. To display it in your browser, simply add echo.
<?php
chdir('/path/to/my/files/');
echo shell_exec('./script_test.sh'); // ATTEMPT RUN SCRIPT
echo shell_exec('/path/to/my/files/script_test.sh'); // ATTEMPT RUN SCRIPT
echo 'test 123'; // SIMPLE ECHO IN THE PHP PAGE
?>
See the Return Values in the manual:
The output from the executed command or NULL if an error occurred or
the command produces no output.
Can you try to use passthru instead of shell_exec, and see the output anything?
Also try this, and see if it shows on the log file:
if(file_exists('/path/to/my/files/script_test.sh')) { die('File not found!'); }
shell_exec("nohup /path/to/my/files/script_test.sh > /path/to/my/files/output.log &");
Also, are you running PHP with the www-data user (check your fpm pool)?
Do you have any error on /var/log/syslog or /var/log/auth.log ?
Have you restarted the server after changing the sudo permissions?
What does su - www-data -c "whoami" and su - www-data -s /bin/bash -c "whoami" outputs?
Does su - www-data -s /bin/bash -c "/path/to/my/files/script_test.sh" output something?
I have a page thats called form a browser which at the end needs to run one command as root. I am very well aware of the security implications of running shell_exec commands from the browser, so I have locked down my sudoers file for "apache all no password" to the one command:
apache ALL = (ALL) NOPASSWD: /usr/sbin/rndc
I have made my PHP page hard-coded so no part of the command is run from user-accessible inputs.
This process just refreshes the config for Bind9 (named) by issuing
shell_exec("/usr/sbin/sudo /usr/sbin/rndc reload");
However, it seems this does not run, but when I have make /bin/bash the default shell for apache and as apache, this process runs when I try it in apache shell:
[root#localhost zones]# su - apache
-bash-4.2$ /usr/bin/sudo /usr/sbin/rndc reload
server reload successful
My whole PHP code:
<?php
error_reporting(E_ALL);
$result = shell_exec("/usr/bin/sudo /usr/sbin/rndc reload");
print_r($result);
?>
I get no responses. Any ideas? SELinux is now set to permissive.
turned out to be the require_ttl parameter in my sudo files. Apache was erring in /var/log/httpd/error_log.
Thats to those who viewed :)
I have CentOS 7 with PHPFPM and Nginx (both installed from source, not yum). Nginx and PHP running on www-data user and group. Now I create a PHP file with this content:
exec("adduser myownuser");
This PHP file work successfully if I run it in the CentOS console as root. But when I want to run it in my webserver root, nothing happens and the script run as www-data..
What is the problem ?
You need to add apache to sudoers, without password required.
also you need to execute the adduser via a one line script, you can't set it's password otherwise.
Here's my implementation
$ccmd = "nohup sudo useradd -d /home/user -p $(openssl passwd -1 " . $thepassword . ") username &";
exec($ccmd);
I added this to my sudoers file
apache ALL=(ALL) NOPASSWD: ALL
depending on your distro, your apache user may differ. To find out what apache's username is, you can echo exec("whoami");
Before people start yelling at me, it's best to only allow apache sudo access to the one command you need. Either that or add apache to a group and assign that group to that command. I won't explain how to do that here, you can search because there are threads about this everywhere
I trying on my local CentOS 5.3 server, when I try to execute below line in my php code from apache webserver
exec("crontab -l", $output, $arg);
The $arg reply 127 (command not found code)
Then I changed below code
exec("/usr/bin/crontab -l", $output, $arg);
The $arg reply 126 (Permission problem code)
Here is my current permission of
/usr/bin/crontab -rwsr-sr-x 1 root root 311288 Mar 15 2007 /usr/bin/crontab.
And there is no /etc/cron.allow and /etc/cron.deny file.
I already turned off Safe_mode in php. Any suggestion to solve this problem?
////////////////////////////////////////////////////////////////////////////////
I note that my problem is related to selinux.
It is working, when I disable selinux
echo 0 > /selinux/enforce
But I don't want to disable selinux, is there any option in selinux to allow crontab from apache?
Add /usr/bin to your shell env path
Add crontab to the same group like of the webserver
Try in php exec("echo $PATH") to see the path variable. You can also look for unsetenv and temporarly disable it
You can look in the php error log for a detailed description of the error but as you said you are familiar with Linux I can't teach you about user right management. A note to the env variable and the path variable it's not always sure the env variable get exported when you run a program. This is maybe the case with your problem. It means either the os is broken or you have to attach the env variable manually to your program. A workaround can be to look where the shell is looking for programs and symlink the program. In your error log it seems that crontab is in the folder /usr/bin. Also this seems not to be a programming question. Ask at server.stackexchange why crontab isn't found. For example my env looks like this:
LC_PAPER=de_DE
LC_ADDRESS=de_DE
LC_MONETARY=de_DE
AF_PIDDIR=/tmp/af-piddir
UPNP_ROOT=upnpav://
SHELL=/bin/sh
TERM=xterm
DISABLE_GATEWAY=1
GTK2_RC_FILES=/etc/hildon/theme/gtk-2.0/gtkrc
TMPDIR=/var/tmp
MMC_SWAP_LOCATION=/media/mmc1
LC_NUMERIC=de_DE
MMC_MOUNTPOINT=/media/mmc1
OLDPWD=/root
HILDON_FM_OBEX_ROOT=obex://
LAUNCHWRAPPER_NICE_KILL=/etc/osso-af-init/nice-kill-launch-wrapper.sh
INTERNAL_MMC_MOUNTPOINT=/home/user/MyDocs
OSSO_VERSION=RX-51_2009SE_20.2010.36-2_PR_MR0
USER=root
LS_COLORS=no=00:fi=00:di=00;36:ln=00;35:pi=40;33:so=01;35:bd=40;32;00:cd=40;32;00:or=01;05;37;41:mi=01;05;37;41:ex=00;33:.cmd=00;32:.exe=00;32:.com=00;32:.btm=00;32:.bat=00;32:.sh=00;32:.csh=00;32:.tar=00;31:.tgz=00;31:.arj=00;31:.taz=00;31:.lzh=00;31:.zip=00;31:.z=00;31:.Z=00;31:.gz=00;31:.bz2=00;31:.bz=00;31:.tz=00;31:.rpm=00;31:.cpio=00;31:.jpg=00;35:.gif=00;35:.bmp=00;35:.xbm=00;35:.xpm=00;35:.png=00;35:.tif=00;35:
LC_TELEPHONE=de_DE
SESSION_BUS_PID_FILE=/tmp/dbus_session_bus.pid.user
OSSO_PRODUCT_HARDWARE=RX-51
STATESAVEDIR=/tmp/osso-appl-states
LAUNCHWRAPPER_NICE_TRYRESTART=/etc/osso-af-init/nice-launch-wrapper-tryrestart.sh
OSSO_PRODUCT_FULL_NAME=Nokia N900
OSSO_PRODUCT_RELEASE_FULL_NAME=Maemo 5
OSSO_PRODUCT_RELEASE_NAME=Maemo 5
MYDOCSDIR=/home/user/MyDocs
PATH=/usr/bin/gnu:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
LC_MESSAGES=de_DE
OSSO_PRODUCT_SHORT_NAME=Nokia N900
SESSION_BUS_ADDRESS_FILE=/tmp/session_bus_address.user
LC_IDENTIFICATION=de_DE
PWD=/home/user/MyDocs
EDITOR=/usr/bin/nano -w -c
LANG=de_DE
ERR=0
LC_MEASUREMENT=de_DE
PS1=[\033[1;36m][[\033[0;36m]\u\h[\033[0;37m]:\w[\033[1;36m]][\033[m]$ [\033[0;37;00m]
ILLEGAL_FAT_CHARS=/:*?<>|
OSSO_PRODUCT_KEYBOARD=German
AF_DEFINES_SOURCED=1
SHLVL=1
HOME=/root
SDL_AUDIODRIVER=pulse
OSSO_SWAP=/home/user/MyDocs
OSSO_PRODUCT_RELEASE_VERSION=20.2010.36-2
LS_OPTIONS=--color
LAUNCHWRAPPER_TRYRESTART=/etc/osso-af-init/launch-wrapper-tryrestart.sh
OSSO_PRODUCT_NAME=N900
AF_INIT_DIR=/etc/osso-af-init
MMC_DEVICE_FILE=/dev/mmcblk0p1
LOGNAME=root
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-eCbOI2qrVP,guid=cd1dea104334a338a9007b9700000014
LAUNCHWRAPPER=/etc/osso-af-init/launch-wrapper.sh
OSSO_PRODUCT_WLAN_CHANNEL=fcc/us
MAX_FILENAME_LENGTH=255
DISPLAY=:0.0
LAUNCHWRAPPER_NICE=/etc/osso-af-init/nice-launch-wrapper.sh
LC_TIME=de_DE
INTERNAL_MMC_SWAP_LOCATION=/home/user/MyDocs
LC_NAME=de_DE
OSSO_PRODUCT_REGION=Germany
_=/usr/bin/gnu/env
Just type env in the prompt.