Php shell_exec() Permission Denied Using gpg Command - php

The error message:
gpg: Fatal: can't create directory '/srv/http/.gnupg': Permission denied
The script:
<?php
$cmd = "/usr/bin/gpg -e -a -r kioccio@gmail.com prova 2>&1";
echo shell_exec($cmd);
?>
Why don't I have permission?
P.S. Without 2>&1 the command doesn't work.
P.S. Adding 'sudo' to the command doesn't work.
I am the user simone.

shell_exec, or any other command with shell interaction, uses the user and group set in httpd.conf. If that user doesn't have the proper permissions to manipulate the folder and the binaries that you want, you'll experience those errors.
I recommend studying permissions in Linux and the proper way to grant them without compromising the security of your system; some routines must be in a sandbox to guard against malicious commands.

Related

How to execute a bash script that use ssh with php

I'd like to execute my bash script with PHP. My script logs me into my server and then creates my account.
SCRIPT="useradd martinouh --home /home/martinouh --create-home; echo martinouh:$pass | chpasswd; usermod -s /bin/bash martinouh; usermod -aG sudo martinouh; usermod -aG docker martinouh;"
sshpass -p $pass ssh -o StrictHostKeyChecking=no root@$ip "${SCRIPT}"
sshpass -p $pass ssh-copy-id -i /home/Martinouh/.ssh/id_rsa.pub martinouh@$ip
But when I run it via shell_exec(), it does execute the script but not the part with sshpass.
What should I do in order to execute it?
At the moment, just to test shell_exec(), I'm executing my script by calling localhost/script.php, which contains the following:
<?php
$output = shell_exec('bash select.sh');
echo $output;
?>
I'm getting this in the error_log:
Failed to change pseudo terminal's permission: Permission denied
Failed to change pseudo terminal's permission: Permission denied
Failed to change pseudo terminal's permission: Permission denied
Failed to change pseudo terminal's permission: Permission denied
Maybe it has to do with SELinux and Apache permissions?
Since the error messages refer to the pseudo terminal, try to disable this with -T. Most functionality that requires a pseudo terminal is interactive and would not be applicable in such a context anyway.
OK, now that I've disabled SELinux, it does execute the part that logs in and then adds a user ...
But it won't do the
sshpass -p $pass ssh-copy-id -i /home/Martinouh/.ssh/id_rsa.pub martinouh@$ip
I'm getting this on my webpage:
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '/home/Martinouh/.ssh/id_rsa.pub': Permission denied
So I tried to move the key and chown -R apache:apache on it; what I got was this on my webpage:
/usr/bin/ssh-copy-id: ERROR: failed to open ID file './id_rsa': No such file or directory (to install the contents of 'id_rsa.pub' anyway, look at the -f option)
I tried with the -f but it doesn't change the
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '/.pub': No such file or directory
Edit:
It is now working with SELinux disabled, and to correct the ssh-copy-id, I had to copy the id_rsa.pub AND the id_rsa to a directory and chown -R apache:apache both of them. The private key was needed, otherwise I couldn't copy my id_rsa.pub to the server (even with the -f flag).
Now how should I correct this, now that we know what makes it work (even though it is not the proper way)?
Give Apache the right to access ~/.ssh/? (for ssh-copy-id)
Give Apache the right to execute scripts / a shell? (SELinux)

Permission error by execute bash script via php shell_exec

I am trying to insert a line into the /etc/ppp/chap-secrets file via a bash script that should be run with PHP shell_exec.
I hope that I am on the right track, or is there a better way?
Anyway, my work is below:
/var/www/test.php:
<?php echo shell_exec("cd /etc/ppp; bash test.sh"); ?>
/etc/ppp/test.sh:
#!/bin/bash
sed -i "/IP addresses/a client123* pw123123 192.168.0.101" chap-secrets
I also added www-data ALL=NOPASSWD: /etc/ppp/test.sh to sudoers.
I get this error:
sed: couldn't open temporary file ./sedXym2Nn: Permission denied
From the terminal it all works fine, but I need it from the admin web page via a button click.
How do I fix the permissions error and get this process working?
Granting a web server access to system files sure seems reckless, but at least you are using a wrapper script to prevent the server from running arbitrary commands with super user privileges. That being said:
You have given www-data sudo access to /etc/ppp/test.sh without password, but you are not executing the command with sudo from your shell_exec function.
Calling shell_exec("cd /etc/ppp; sudo bash test.sh"); should do the trick.
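An added example, not code from the question or the answer: a stricter form of the wrapper idea in which the script receives the client name, secret and IP as arguments, validates each one, and appends the entry itself, so the sudoers grant cannot be used to write arbitrary lines. The function names, the install path, the length limits and the character whitelists are assumptions; the line written uses the chap-secrets field order (client, server, secret, IP addresses).

```shell
#!/bin/sh
# Added example (hypothetical wrapper): install root-owned and not writable by
# www-data, e.g. as /usr/local/sbin/add-chap-secret, and grant only this in sudoers:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/add-chap-secret
LC_ALL=C; export LC_ALL

valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# add_chap_secret FILE CLIENT SECRET IP
# Returns 0 on success, 2 on invalid input, 3 if the client already exists.
add_chap_secret() {
    file=$1 client=$2 secret=$3 ip=$4

    # Whitelist characters; this also rejects spaces, quotes, '*' and newlines.
    case $client in ''|*[!A-Za-z0-9_-]*) echo "invalid client" >&2; return 2 ;; esac
    case $secret in ''|*[!A-Za-z0-9]*)   echo "invalid secret" >&2; return 2 ;; esac
    [ ${#client} -le 32 ] || { echo "client too long" >&2; return 2; }
    [ ${#secret} -ge 8 ] && [ ${#secret} -le 64 ] || { echo "bad secret length" >&2; return 2; }
    valid_ipv4 "$ip" || { echo "invalid IP" >&2; return 2; }

    if grep -q "^${client}[[:space:]]" "$file"; then
        echo "client exists" >&2; return 3
    fi

    # Plain append: unlike 'sed -i', no temporary file is created next to the target.
    printf '%s * %s %s\n' "$client" "$secret" "$ip" >> "$file"
}

# Run as a script with exactly three arguments: CLIENT SECRET IP.
if [ $# -eq 3 ]; then
    add_chap_secret /etc/ppp/chap-secrets "$@"
fi
```

On the PHP side each value should still be passed through escapeshellarg() before it is placed on the sudo command line; the wrapper's checks are the second line of defence, not a replacement for that.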

Execute php script without permission from web

I'm trying to execute a PHP script but I'm getting these errors:
Warning: file_put_contents(/sys/class/gpio/export): failed to open stream: Permission denied in /home/pi/php-gpio/src/PhpGpio/Gpio.php on line 99
Warning: file_put_contents(/sys/class/gpio/gpio17/direction): failed to open stream: Permission denied in /home/pi/php-gpio/src/PhpGpio/Gpio.php on line 103
I've tried to set up the permission with $ sudo visudo like this:
www-data ALL=NOPASSWD: path/to/my/script
or
www-data ALL=NOPASSWD: ALL
but it is not working; I'm able to execute this script only with sudo from the command line!
Thanks in advance!
If you are using your own computer, you must change the default directory permission:
$ sudo chmod -R +w /sys/class/gpio/export
Otherwise, if you run the code on a server, change the permission in the files section of the server panel (e.g. cPanel) and add write permission.
Another way is running the exec() command:
<?php
exec('chmod -R +w /sys/class/gpio/export');
?>
However, PHP needs the right to use exec() and must be running as root!
I recently published a project that allows PHP to obtain and interact with a real Bash shell (as root if requested); it solves the limitations of exec() and shell_exec(). Get it here: https://github.com/merlinthemagic/MTS
After downloading you would simply use the following code:
$shell = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);
$return1 = $shell->exeCmd('/sys/class/gpio/export');
$return2 = $shell->exeCmd('/sys/class/gpio/gpio17/direction');
//the return will be a string containing the return of the command
echo $return1;
echo $return2;
In terms of security it is far better than running apache as root, or the wide open sudo permissions in your question. But letting PHP anywhere near root is always tricky.
The project I built achieves a root bash shell in one of 2 ways:
1) You allow apache the right to sudo python.
OR
2) You pass root credentials to the object every time you need a shell with root setup.
Pick your poison. :) Read the documentation.

Can't run PHP exec() on command line

Hoping someone can help me out here. Trying to run any command using exec() returns 126 and displays the same error message. I've narrowed it down to this pretty minimal test case.
root@test:~ $ sudo -u asterisk php -r 'exec("ls /", $out, $result); var_dump($result);'
sh: /bin/ls: Permission denied
int(126)
root@test:~ $ sudo -u asterisk ls /
bin boot dev etc home lib lib64 lost+found media mnt opt proc root sbin selinux srv sys tmp usr var
root@test:~ $ su -lc 'php -r '\''exec("ls /", $out, $result); var_dump($result);'\' asterisk
This account is currently not available.
SELinux and PHP safe mode are not enabled
permissions are fine on /, /bin/, and /bin/ls
asterisk is a system user created with this command: adduser -d /var/lib/asterisk -M -r -s /sbin/nologin asterisk
it works fine via Apache, which runs as this user
Every attempt to run any command returns permission denied and 126 as $?. The PHP config is pretty much as it shipped (Scientific Linux 6.7, PHP 5.4 via Remi package.)
Would appreciate some assistance (preferably the kind that would require some arcane knowledge, not the kind that means I missed something blindingly obvious!)
Edit: I can get it to work using su if I give the user a login shell:
root@test:~ $ usermod -s /bin/bash asterisk
root@test:~ $ su -c 'php -r '\''exec("ls /", $out, $result); var_dump($result);'\' asterisk
int(0)
However, this isn't my code so changing all the use of sudo to su is not likely to happen. Also, there shouldn't be anything stopping PHP from running this without a login shell.
You have probably enabled the sudo option NOEXEC.
When this option is active, you can run a command with high privilege, but it cannot spawn other commands. This is (AFAIK) required to prevent an exploiter from gaining a shell. Since you are using the asterisk user, this also makes much sense.
In your case, the PHP command is granted execution as the asterisk user, but when it tries to spawn with exec, the command cannot be executed and it returns 126.
EDIT (as in comment below)
Adding this line to sudoers will solve this issue:
root ALL = (ALL) EXEC: ALL
Your account doesn't have permission to run bash commands.
As you know, int(126) is the return status of the executed command. From the bash man page:
If a command is found but is not executable, the return status is 126.
Try running ls directly from your asterisk user to see if it works.
If it doesn't work then check the permissions on your asterisk user and see if you have the necessary permissions. If you don't have the permissions, just use chmod to give your asterisk user permission. You should also try and create a new user and see if this command works with that user.
Edit: Since your asterisk account does not have a shell, you cannot execute shell commands from it.
Coming back to provide another answer to my own question a couple of years later. As the accepted answer supposed, I had set this in my file:
Defaults noexec
And I fixed this by overriding it for the root user.
But a better solution would be to apply the defaults only to the targeted user:
Defaults:admin noexec
This way the setting would not have affected the asterisk user I was having problems with in my question!

EXEC() in php, cec-client raspberry

I would like to launch a command in PHP on my RPi.
The command is echo 'standby 0' | cec-client -s. It works fine over SSH (my TV shuts down), but in PHP echo shell_exec("......") returns adapters autodetect FAILED ... Also, mkdir doesn't work with shell_exec, so I think it's probably a PATH problem, but I don't know how to fix it. My PATH in SSH is /usr/local/bin....... and in PHP it is /sbin:/bin:/usr/sbin:/usr/bin.
How can I fix it? Sorry for my English ...
I tried the same and got a message saying "failed to open vchiq instance". I found a question on Raspberry Pi StackExchange suggesting to add the user to the "video" group. I did that with usermod -a -G video www-data and then restarted apache with /etc/init.d/apache2 restart. Then I was able to use cec-client from PHP and apache.
It is a permissions problem. When running the command via ssh you are executing it as user pi (probably), but via shell_exec you execute the command as user www-data, which does not have the necessary permissions. You can check this by running echo shell_exec("whoami");
You can easily fix this by adding the line "www-data ALL=(ALL) NOPASSWD: ALL" to your "/etc/sudoers" file and then running "echo shell_exec("sudo echo 'standby 0' | sudo cec-client -s");"; however, this will give the user www-data all of the sudo permissions and it is very insecure, but it will work. If you want to do it in a more secure way, you need to find which permissions cec-client requires to run properly and then add them to user www-data.
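An added example, not part of any post above: a small audit that reads sudoers text and flags the patterns these threads keep reaching for, namely NOPASSWD: ALL grants, passwordless grants of an interpreter, and an unscoped Defaults noexec. The function names, the interpreter list and the simplified one-rule-per-line parsing are assumptions; the sample input is constructed from rule forms quoted in the posts plus one constructed python grant.

```shell
#!/bin/sh
# Added example: flag sudoers rules that hand an account root without a password.
# Simplified parser: one rule per line, no aliases, continuations or #include handling.

audit_sudoers() {   # reads sudoers text on stdin; exit status 1 if any HIGH finding
    awk '
    /^[ \t]*(#|$)/ { next }                          # comments and blank lines
    $1 == "Defaults" && /[ \t,]noexec/ {             # no ":user" scope => everyone
        print "INFO global noexec: commands run via sudo cannot exec children"
        next
    }
    $1 ~ /^Defaults/ { next }
    {
        eq = index($0, "=")
        if (eq == 0 || $0 !~ /NOPASSWD:/) next
        cmds = substr($0, eq + 1)
        sub(/.*NOPASSWD:[ \t]*/, "", cmds)
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            sub(/[ \t]+$/, "", c[i])
            if (c[i] == "ALL") {
                print "HIGH " $1 ": NOPASSWD ALL (unrestricted root)"; bad = 1
            } else if (c[i] ~ /\/(sh|bash|python[0-9.]*|perl|php)$/) {
                print "HIGH " $1 ": NOPASSWD interpreter " c[i] " (same as ALL)"; bad = 1
            }
        }
    }
    END { exit bad }
    '
}

sample_sudoers() {   # constructed input; the last rule is invented for illustration
    cat <<'EOF'
Defaults noexec
Defaults:admin noexec
root ALL = (ALL) EXEC: ALL
www-data ALL=NOPASSWD: /etc/ppp/test.sh
www-data ALL=(ALL) NOPASSWD: ALL
apache ALL=(root) NOPASSWD: /usr/bin/python
EOF
}

sample_sudoers | audit_sudoers || true
```

A grant limited to one fixed script produces no finding here, but it is only as safe as that script's ownership and its handling of arguments.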
