PHP - exec sudo command returns nothing - php

There are many questions on this topic, but my situation is quite strange.
I am trying to print out exec("sudo -u root whoami") in PHP. But it returns nothing.
I added %www-data ALL=(ALL:ALL) ALL via sudo visudo, but no luck figuring out what is happening: no error, it just isn't printing anything.
Any suggestion?
Thanks in advance

How is your webserver going to enter the password for sudo?
Your configuration allows the webserver-user to run all commands on the server. But that requires the user to enter their password. And the webserver
- can't do that interactively
- doesn't even have a password
So if you want to do what you try to do (giving the process running PHP root-access to the machine is a very bad idea) you should add this to your sudo-config:
%www-data ALL = NOPASSWD: /usr/bin/whoami
That allows the group www-data to run whoami as root without an interactive password-prompt.

Related

How to allow user www-data use sudo commands without password

I want to allow running a specific command on my website through the PHP exec() function, so I found a way: adding www-data to the sudoers.d files to allow running specific commands without asking for a password.
I tried the following:
Check where the program is located:
whereis hashcat -> hashcat: /usr/bin/hashcat
Add a new file with sudo visudo /etc/sudoers.d/www-data and add the following line: www-data ALL=(www-data:www-data)NOPASSWD: /user/bin/hashcat
Try to run it through www-data: sudo -u www-data sudo hashcat
And then I get this: [sudo] password for www-data:, which means it doesn't seem to work.
What could I be doing wrong, and what should I do then? And is my decision to do so correct? Is there a better and safer solution?
That problem is solved by removing the (www-data:www-data), so my "www-data" file in sudoers.d looks like: www-data ALL=NOPASSWD: /usr/bin/hashcat
Thanks all for answering and giving me a hint to solve this! Especially thanks to #cyberbrain for my carelessness!

Exec("adduser myownuser") not working on CentOS server

I have CentOS 7 with PHPFPM and Nginx (both installed from source, not yum). Nginx and PHP running on www-data user and group. Now I create a PHP file with this content:
exec("adduser myownuser");
This PHP file works successfully if I run it in the CentOS console as root. But when I want to run it in my webserver root, nothing happens and the script runs as www-data.
What is the problem?
You need to add apache to sudoers, without password required.
Also, you need to execute the adduser via a one-line script; you can't set its password otherwise.
Here's my implementation:
// escapeshellarg() keeps the password from being interpreted as shell syntax
$ccmd = "nohup sudo useradd -d /home/user -p $(openssl passwd -1 " . escapeshellarg($thepassword) . ") username &";
exec($ccmd);
I added this to my sudoers file
apache ALL=(ALL) NOPASSWD: ALL
Depending on your distro, your apache user may differ. To find out what apache's username is, you can echo exec("whoami");
Before people start yelling at me, it's best to only allow apache sudo access to the one command you need. Either that or add apache to a group and assign that group to that command. I won't explain how to do that here; you can search because there are threads about this everywhere.
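
The difference between a narrow rule and NOPASSWD: ALL can be checked mechanically. The script below is an added example, not code from any of the posts: it reads sudoers-style lines and reports passwordless rules that amount to full root for the web server account. The /bin/bash rule in the sample is constructed; the other sample rules are the ones quoted on this page.

```shell
#!/bin/sh
# Added example: flag risky NOPASSWD rules in sudoers-style text on stdin.
# Prints one line per finding: "<who>: <finding>: <command>".
audit_sudoers() {
    awk '
    /^[ \t]*#/ || !/NOPASSWD:/ { next }      # comments and password rules
    {
        who = $1; spec = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", spec); sub(/[ \t]+$/, "", spec)
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, /[ \t]+/); prog = w[1]
            base = prog; sub(/^.*\//, "", base)
            if (prog == "ALL")
                print who "|any command as root|" cmds[i]
            else if (prog !~ /^\//)      # sudoers expects a full path
                print who "|not an absolute path|" cmds[i]
            else if (base ~ /^(sh|bash|dash|zsh)$/)
                print who "|shell is equivalent to ALL|" cmds[i]
            else
                print who "|CHECK|" prog
        }
    }' |
    while IFS="|" read -r who finding cmd; do
        if [ "$finding" = CHECK ]; then
            # A sudo target the web user can rewrite is root-equivalent.
            mode=$(ls -ldL -- "$cmd" 2>/dev/null | cut -c1-10)
            case $mode in
                ?????w????|????????w?) finding="target is group/world-writable" ;;
                *) continue ;;
            esac
        fi
        echo "$who: $finding: $cmd"
    done
}

# Rules quoted on this page, plus one constructed /bin/bash rule.
sample_rules() {
    cat <<'EOF'
%www-data ALL = NOPASSWD: /usr/bin/whoami
apache ALL=(ALL) NOPASSWD: ALL
%admin ALL=(ALL) NOPASSWD: osascript myscript.scpt
www-data ALL=(root) NOPASSWD: /bin/bash
EOF
}
sample_rules | audit_sudoers
```

On a real host, feed it the output of `cat /etc/sudoers /etc/sudoers.d/*` as root; the writable-target check only looks at permission bits, not ownership.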

How to run a shell script as different user with PHP on Nginx?

Trying to trigger a shell script with POST request (handled by nginx). No success so far.
What I have:
exec('whoami'); // nginx
nginx:x:220:498:Nginx web server:/var/lib/nginx:/sbin/nologin
As we can see, nginx user has no shell. Could that be a problem? Next,
nginx ALL=(user) NOPASSWD: /path/to/script.sh
If I change nginx to my real user, I can run sudo -u user /path/to/script.sh without password prompt, but for some reason I'm still asked for password if I run su -s /bin/bash -c /path/to/script.sh user. Perhaps, latter invocation is somewhat more suitable for the nginx user, since he has nologin shell.
So whenever I run exec('sudo -u user /path/to/script.sh'); or run some wrapper script with that line in it through PHP - nothing happens. I can't even identify what doesn't work, since no errors are thrown.
Any help would be much appreciated.
Thanks to the #fejese and #triplee , I finally figured it out. I had to requiretty parameter in sudoers file, when that was changed to...
#Defaults requiretty
#Defaults !visiblepw
...it all went going!

Running command-line application from PHP as specific user

I am running Apache on my localhost. From a PHP script run as www-user I would like to control Rhythmbox playback on my machine. So far I have a simple command in my PHP script:
exec('rhythmbox-client --pause');
This works great when I run it from the command-line as me, but if it runs as www-user I guess rhythmbox-client doesn't know/can't access my instance of Rhythmbox.
Is there an easy way for that PHP script to run as my user rather than www-user, or to tell rhythmbox-client which instance to control?
The overall application is that when my phone goes off-hook it calls my PHP script which pauses music, and resumes playback when the phone is on-hook. I love VoIP phones!
Solution:
Thanks to Carpetsmoker and Tarek I used sudo as the answer but there were a couple of problems. To overcome them I did the following:
Created a bash script to call rhythmbox-client. This bash script was executed using sudo in PHP as described in the answer below. Unfortunately rhythmbox-client didn't know what environment to control, so the bash script looks like this:
#! /bin/bash
DBUS_ADDRESS=`grep -z DBUS_SESSION_BUS_ADDRESS /proc/*/environ 2> /dev/null| sed 's/DBUS/\nDBUS/g' | tail -n 1`
if [ "x$DBUS_ADDRESS" != "x" ]; then
    export $DBUS_ADDRESS
    /usr/bin/rhythmbox-client --pause
fi
Now that bash script can be executed by PHP and wwwuser, and my phone can pause/play my music!
One solution is using sudo(8):
exec('sudo -u myuser ls /');
You will, obviously, need to setup sudo(8) to allow the user running your webserver to invoke it. Editing the sudoers file with visudo(8), you can use something like:
wwwuser ALL=/usr/bin/rhythmbox-client
This prevents Apache from running other commands, allowing only the Rhythmbox command.
In my case, the solution came this way:
Added these lines to sudoers file:
myuser ALL=(ALL) NOPASSWD: /usr/bin/prlctl
_www ALL=(ALL) NOPASSWD: /usr/bin/prlctl # IMPORTANT!!!
The EXEC() command in PHP was changed to:
exec("sudo -u myuser prlctl list -a", $out, $r);
If a process can be run by any user it can be run by PHP. Example is fortune command
-rwxr-xr-x 1 root root 18816 Oct 1 2009 /usr/games/fortune
Look at the x permission for every user. But this sometimes doesn't work at all and you may have to let the user, www-data or apache etc, run the program. You can sudo www-data and try to run the command. If it works then Apache/PHP should be able to run it.

sudo in php exec()

I don't know what the deal is here…
So I want to run an applescript: sudo osascript myscript.scpt
This works fine in the terminal, but not when I execute it via PHP's exec(); nothing happens. The console says
no tty present and no askpass program specified ; TTY=unknown ; …
I did my research, and it seems I'm missing the password for the sudo command. I tried a couple different ways to get around this, including:
writing %admin ALL=(ALL) ALL in /etc/sudoers
and proc_open() instead of exec()
none of which seem to be working, consequently driving me CrAzY!
So basically, is there a clear-cut way to get PHP to execute a simple terminal command?
EDIT: to clarify, myscript.scpt is a simple AppleScript that changes the onscreen UI (for a larger project). In theory, simply osascript myscript.scpt should be enough, however the sudo is for some reason necessary to invoke some response from the system. If the sudo could be somehow eliminated, I don't think I would be having this permissions problem.
It sounds like you need to set up passwordless sudo. Try:
%admin ALL=(ALL) NOPASSWD: osascript myscript.scpt
Also comment out the following line (in /etc/sudoers via visudo), if it is there:
Defaults requiretty
I think you can bring specific access to user and command with visudo something like this:
nobody ALL = NOPASSWD: /path/to/osascript myscript.scpt
and with php:
#exec("sudo /path/to/osascript myscript.scpt ");
supposing nobody user is running apache.
PHP: the bash console is created, and it executes the first script, which calls sudo on the second one; see below:
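$dev = $_GET['device'];
// escapeshellarg() keeps the request parameter from injecting shell syntax
$cmd = '/bin/bash /home/www/start.bash ' . escapeshellarg($dev);
echo $cmd;
shell_exec($cmd);
/home/www/start.bash:
#!/bin/bash
# Quote the argument so it reaches myMount.bash as a single word
/usr/bin/sudo /home/www/myMount.bash "$1"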
myMount.bash:
#!/bin/bash
function error_exit
{
    echo "Wrong parameter" 1>&2
    exit 1
}
..........
Of course, you want to run the script at root level without root privileges; to do that, create and modify the /etc/sudoers.d/mount file:
www-data ALL=(ALL:ALL) NOPASSWD:/home/www/myMount.bash
Don't forget to chmod:
sudo chmod 0440 /etc/sudoers.d/mount
I recently published a project that allows PHP to obtain and interact with a real Bash shell. Get it here: https://github.com/merlinthemagic/MTS
The shell has a pty (pseudo terminal device, same as you would have in i.e. a ssh session), and you can get the shell as root if desired. Not sure you need root to execute your script, but given you mention sudo it is likely.
After downloading you would simply use the following code:
$shell = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);
$return1 = $shell->exeCmd('/path/to/osascript myscript.scpt');
Run sudo visudo command then set -%sudo ALL=(ALL:ALL) to %sudo ALL=(ALL:ALL) NOPASSWD: ALL it will work.
I had a similar situation trying to exec() a backend command and also getting no tty present and no askpass program specified in the web server error log. Original (bad) code:
$output = array();
$return_var = 0;
exec('sudo my_command', $output, $return_var);
A bash wrapper solved this issue, such as:
$output = array();
$return_var = 0;
exec('sudo bash -c "my_command"', $output, $return_var);
Not sure if this will work in every case. Also, be sure to apply the appropriate quoting/escaping rules on my_command portion.
The best secure method is to use the crontab, i.e. save all your commands in a database, say, a MySQL table, and create a cronjob to read these MySQL entries and execute them via exec() or shell_exec(). Please read this link for more detailed information.
killProcess.php
I think directly calling a sudo command might be difficult because you are setting up the whole server to work without a password.
Perhaps as an alternative you could set up a CRON job as root and monitor a flag file. Once the flag file exists it will run the osascript myscript.scpt and then delete the flag file.
This way you will keep SUDO secure from a config point of view and the server safer. To run the script you just need to touch the flag file from PHP.
It would of course introduce a delay of however many minutes apart you are running the CRON job. It would also mean that you would have to redirect the output to a file and have an async monitor of the output, but it will depend on your application if this is a problem or not.
But it is an alternative that might protect the server.
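
A root-side worker for the flag-file approach described above, as an added example that is not part of the original answer. The flag and log paths are hypothetical; the command is the one from the question. The web user only decides when the job runs: the flag's content is never read, so nothing from the request reaches a root command line.

```shell
#!/bin/sh
# Root-side worker for the flag-file approach (added example).
# Root crontab entry, assuming this file is /usr/local/sbin/flag-worker.sh:
#   * * * * * /usr/local/sbin/flag-worker.sh
FLAG=${FLAG:-/var/spool/webjobs/run-osascript}   # hypothetical path PHP touches
LOG=${LOG:-/var/log/webjobs.log}                 # hypothetical log PHP can poll

# run_if_flagged FLAG LOG CMD [ARG...]
# Returns 3 when nothing was requested, otherwise the exit status of CMD.
run_if_flagged() {
    flag=$1 log=$2; shift 2
    # Only a regular file counts; a symlink planted by the web user is ignored.
    if [ -L "$flag" ] || [ ! -f "$flag" ]; then
        return 3
    fi
    # Consume the request first so a slow job is not started twice.
    rm -f -- "$flag" || return 4
    # The command line is fixed here; the flag's content is never read.
    "$@" >>"$log" 2>&1
    rc=$?
    printf '%s exit=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rc" >>"$log"
    return "$rc"
}

run_if_flagged "$FLAG" "$LOG" /path/to/osascript myscript.scpt || :
```

The flag directory must be writable by the web server user, while the worker script and the command it runs must be writable by root only.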
