I need help, i have webinterface thar run this section in php:
$cmd="/usr/sbin/sudo /usr/sbin/service networking stop"
exec($cmd, $mes);
print_r($mes); #this is emptz message
$cmd="/sbin/ifconfig"
exec($cmd, $mes);
print_r($mes);
print_r($mes); For stop service is empty
print_r($mes); For ifconfig=array have all information about interface (but all are up not down so above mesagge not work well (this service still run))
This script is running via deamon user.
This is my visudo:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
www-data ALL =NOPASSWD: /bin/nc, /bin/cp, /bin/chmod, /bin/chown, /etc/init.d/, /usr/sbin/service
deamon ALL = NOPASSWD: /bin/cp, /bin/chmod, /bin/chown, /etc/init.d/, /usr/sbin/service, /home/optokonlmcp/sss.php, /sbin/ifconfig
Please do you know why this php script not work ?
Thank you in advance
BR
MK
SOLUTIONS:
Create sctipt with rolus for root (root:root) and command what i need to do(sudo /usr/sbin/service ) command must contain sudo
add script into visudo+ all command that are meantioned in my Script:
Visudo containing:
daemon ALL=NOPASSWD: /usr/bin/sudo, /path_my_script/script.sh
Of curse cript must have rule for opening so i change rules for 755.
Now you can try run script with daemon, i use this command: sudo -u daemon /patch_of_script/script.sh
last point is add command into php: exect("sudo /path/./script.sh" )
Now i can restart network via php.
Thank you
BR
MK
Replace exac($cmd, $mes); with exec($cmd, $mes);
Related
I building one PHP application where I create command line functionality for Linux debian Jessie. All works fne but I need to be able use some commands like root user.
Is there a way to use shell_exec() or similar command to access like root user via PHP?
Idea of this command line is to people who have access to that server can handle with it over internet from any place or device.
Here is image of console:
Executing commands as root via PHP will leave yourself wide open to all sorts of malicious hackery.
Have a look at the "sudo" documentation.
You should be able to set up all the commands you need as "sudo"able scripts. It is much better to write specific scripts with limited functions than to expose the underlying priviledged command.
As in:
exec ('sudo getCurrentUser.sh')
First, you need to add the user that PHP is using to run (most of the time it is www-data) to the sudo group if it is not already assigned.
Then, in your php file:
use sudo -S, so you can pass the password via echo
$exec = "echo your_passwd | /usr/bin/sudo -S your command";
exec($exec,$out,$rcode);
if you have trouble with the paths - use
"bash -lc 'echo your_passwd | /usr/bin/sudo -S your command'"
so you get a new bash that acts like a login shell and has the paths set
Edit your sudoers file
sudo vi /etc/sudoers
Put this line
www-data ALL=(ALL) NOPASSWD: ALL
www-data is the php default user in linux ( replace if necessary )
Use
$output = shell_exec('sudo XXXX');
Hoping someone can help me out here. Trying to run any command using exec() returns 126 and displays the same error message. I've narrowed it down to this pretty minimal test case.
root#test:~ $ sudo -u asterisk php -r 'exec("ls /", $out, $result); var_dump($result);'
sh: /bin/ls: Permission denied
int(126)
root#test:~ $ sudo -u asterisk ls /
bin boot dev etc home lib lib64 lost+found media mnt opt proc root sbin selinux srv sys tmp usr var
root#test:~ $ su -lc 'php -r '\''exec("ls /", $out, $result); var_dump($result);'\' asterisk
This account is currently not available.
SELinux and PHP safe mode are not enabled
permissions are fine on /, /bin/, and /bin/ls
asterisk is a system user created with this command: adduser -d /var/lib/asterisk -M -r -s /sbin/nologin asterisk
it works fine via Apache, which runs as this user
Every attempt to run any command returns permission denied and 126 as $?. The PHP config is pretty much as it shipped (Scientific Linux 6.7, PHP 5.4 via Remi package.)
Would appreciate some assistance (preferably the kind that would require some arcane knowledge, not the kind that means I missed something blindingly obvious!)
Edit: I can get it to work using su if I give the user a login shell:
root#test:~ $ usermod -s /bin/bash asterisk
root#test:~ $ su -c 'php -r '\''exec("ls /", $out, $result); var_dump($result);'\' asterisk
int(0)
However, this isn't my code so changing all the use of sudo to su is not likely to happen. Also, there shouldn't be anything stopping PHP from running this without a login shell.
You probably have enabled sudo option NOEXEC.
When this option is active, you can run command with high privilege, but cannot spawn other commands. This is (AFAIK) required to avoid an exploiter to gain a shell. Since you are using the asterisk user, this also makes much sense.
In your case, PHP command is granted the execution as asterisk user, but when it tries to spawn with exec, the command cannot be executed and it returns 126.
EDIT (as in comment below)
Adding this line to sudoers will solve this issue:
root ALL = (ALL) EXEC: ALL
Your account doesn't have permission to run bash commands.
As you know int(126) return the status of the executed command. From the bash man page:
If a command is found but is not executable, the return status is 126.
Try running ls directly from your asterisk user to see if it works.
If it doesn't work then check the permissions on your asterisk user and see if you have the necessary permissions. If you don't have the permissions, just use chmod to give your asterisk user permission. You should also try and create a new user and see if this command works with that user.
Edit: Since your asterisk account does not have a shell, you cannot execute shell commands from it.
Coming back to provide another answer to my own question a couple of years later. As the accepted answer supposed, I had set this in my file:
Defaults noexec
And I fixed this by overriding it for the root user.
But a better solution would be to apply the defaults only to the targeted user:
Defaults:admin noexec
This way the setting would not have affected the asterisk user I was having problems with in my question!
I have CentOS 7 with PHPFPM and Nginx (both installed from source, not yum). Nginx and PHP running on www-data user and group. Now I create a PHP file with this content:
exec("adduser myownuser");
This PHP file work successfully if I run it in the CentOS console as root. But when I want to run it in my webserver root, nothing happens and the script run as www-data..
What is the problem ?
You need to add apache to sudoers, without password required.
also you need to execute the adduser via a one line script, you can't set it's password otherwise.
Here's my implementation
$ccmd = "nohup sudo useradd -d /home/user -p $(openssl passwd -1 " . $thepassword . ") username &";
exec($ccmd);
I added this to my sudoers file
apache ALL=(ALL) NOPASSWD: ALL
depending on your distro, your apache user may differ. To find out what apache's username is, you can echo exec("whoami");
Before people start yelling at me, it's best to only allow apache sudo access to the one command you need. Either that or add apache to a group and assign that group to that command. I won't explain how to do that here, you can search because there are threads about this everywhere
How to run from PHP a bash script under root user (with all permissions) and not nobody user - php default user?
thats my output after sudo visudo:
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"
#User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
You can use sudo:
exec("sudo /your/script");
You should allow executing your script without password prompt. Run sudo visudo in console and add the following string to the end:
nobody ALL = NOPASSWD: /your/script
You must set up file mode properly to ensure that no one can modify this script and put dangerous contents into it (in root console):
chown root:root /your/script
chmod 755 /your/script
You can make a program which is set-uid root. This causes the program to always run as root. This doesn't work with shell scripts, so you have to use a program which calls your script.
Under Linux you normally do this using sudo. Try to be as specific as possible, so not to give the script too many permissions.
For examples on how to use sudo: http://aplawrence.com/Basics/sudo.html
I would add a specific rule to allow this script to be called by nobody user, using sudo.
I recently published a project that allows PHP to obtain and interact with a real Bash shell (as user: apache/www-data or root if needed). Get it here: https://github.com/merlinthemagic/MTS
After downloading you would simply use the following code:
$shell = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);
$return1 = $shell->exeCmd('/full/path/to/script.sh');
I've made a simple bash script for server admininstration and I cannot figure how can I run it in safely inside a php page: I'd like to create a php admininstration page but I obviously don't want to hard-code root password anyware. Let's make an example (this is a foo script, of course)
#!/bin/bash
touch /$1
this simple/stupid script will not work if the user who run it as no writing permission on /.
Actually the script add apache virtualhosts, ftp users and so on...
any ideas?
thanks
Use
sudo /path/to/executable/file
and set up sudo so it can execute the following command for the current user as a root.
http://www.sudo.ws/sudo/sudoers.man.html - here is the sudoers manual, the configuration file, that you have to modify.
zerkms ALL = (ALL) NOPASSWD: /sbin/iptables -L FORWARD -n -v -x
This is example from my /etc/sudoers. Here I allowed to run command /sbin/iptables -L FORWARD -n -v -x as root without asking a password for user zerkms.