I want to create a file in /etc/nginx/sites-enabled/ with PHP. I have tried many times, but PHP will not let me. I've already modified /etc/sudoers and set the user to ALL: NOPASSWD: ALL, and it still does not work. Can someone tell me why?
$result= shell_exec('sudo -u root mkdir /etc/nginx/myfile');
My /etc/sudoers file:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults exempt_group=sudo
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias NGINXVHOST = /bin/ln, /bin/mkdir
# User privilege specification
# root ALL=(ALL:ALL) ALL
root ALL= (ALL) NOPASSWD:ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL) NOPASSWD:ALL
vagrant ALL=(ALL) NOPASSWD:ALL
subdominio ALL=(ALL) NOPASSWD:ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
please help!!!
The proper way to achieve this objective is for your PHP page to create an entry in a task queue. That entry need only contain the new domain for the virtual host. Then you should have another process running as root which can check that hostname and create the nginx records as needed.
If you are not using any task queue at the moment, this can be achieved by a simple cron job as well. Just put an entry in your database with the vhost name. Then have a cron job check that table every minute and make the nginx records.
Related
my fellow programmers
I do have a question about Apache2 and PHP.
Well, right now I'm trying to make a script that will create new "virtual hosts" from the PHP script, without using sudo command inside PHP.
The solutions with echo passwd | /usr/bin/sudo -S command are not really secure, and I won't use something like that.
Also, I've found that the solution with www-data ALL=(ALL) NOPASSWD: is not a solution either.
Can someone please shed some light, which is the best solution for that, and what are the best protection measures? In case I need to use a sudo inside a PHP.
Of course, part of that script will be making a new directory, cp-ing new site files into a dir, etc...
This sounds like an incredibly bad plan security-wise. You have to edit Apache config files and then reload or restart the apache2 server.
You could do it by editing the sudoers file to give the www-data user the right to reload apache and add a vhost configuration to apache that the www-data user has writing rights on.
Second option is to fake vhosts via php:
<?php
switch ($_SERVER['SERVER_NAME']) {
    case "site1.example.com":
        require_once 'some_config_for_site_1.php';
        // load scripts from site1 folder.
        break;
    case "site2.example.com":
        require_once 'some_config_for_site_2.php';
        // load scripts from site2 folder.
        break;
    default:
        http_response_code(404);
        break;
}
Ok, this is a really bad plan for this, but somehow this is the best solution for this.
To do this in a proper way, I'll use the bash script, and I'll call that script from PHP.
$output = shell_exec('sudo /path/to/script/script.sh ' . escapeshellarg($SiteName) . ' ' . escapeshellarg($Domain));
script.sh
#!/bin/bash
# Stop at the first failing command or unset variable
set -euo pipefail
# First parameter given by calling the script
sitename=$1
# Second parameter given by calling the script
domain=$2
# Directory where the files of the web app are stored
dirlocation="/var/www/$sitename"
# Create the new directory
mkdir -- "$dirlocation"
# Copy the default files of the app to the newly created dir
cp -R /var/www/someapp/* "$dirlocation"
# Create the new Apache VHost configuration file
vhost_script="/etc/apache2/sites-available/$sitename.conf"
cat > "${vhost_script}" << EOF
<VirtualHost *:80>
ServerName $domain
DocumentRoot $dirlocation
<Directory $dirlocation>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
EOF
# Enable the site in Apache
a2ensite "$sitename.conf"
# Reload Apache
systemctl reload apache2.service
Also in order to do this from a PHP, I need to give www-data permission for running only that script with sudo.
To do so open the sudoers file (sudo visudo /etc/sudoers) and add the following line
www-data ALL=(root) NOPASSWD: /path/to/script/script.sh
I know this is maybe not the best solution, but this is what I've found for this purpose.
Disclaimer: This is only a showcase of how to do this, also the bash script here is a really simple one.
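Both the root-side queue worker suggested in the first answer and the sudo-invoked script.sh above turn values that came from a web request into a filesystem path and Apache directives while running as root. The following is an added example, not code from any of the posts, showing input validation that could run before either of them writes anything. The function names and the naming policy (lowercase letters, digits and hyphens, 32-character site names) are assumptions.

```shell
#!/bin/sh
# Added example: validate web-supplied values before a root-owned script
# turns them into a path and Apache directives. Names are hypothetical.
LC_ALL=C; export LC_ALL   # make a-z mean ASCII only, whatever the caller's locale

# Site name becomes /var/www/<name> and <name>.conf: allow only [a-z0-9-],
# no leading or trailing hyphen, at most 32 characters (assumed policy).
valid_sitename() {
    case $1 in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Domain becomes the ServerName value: dot-separated labels of [a-z0-9-].
# The negated bracket also rejects spaces, slashes and embedded newlines,
# which would otherwise add extra directives to the generated file.
valid_domain() {
    case $1 in
        ''|.*|*.|*..*|*[!a-z0-9.-]*) return 1 ;;  # empty, stray dot, bad char
        -*|*-|*.-*|*-.*) return 1 ;;              # label starts/ends with '-'
        *.*) ;;                                   # at least two labels
        *) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Print the vhost config on stdout; print nothing and return 1 on bad input.
render_vhost() {
    valid_sitename "$1" || { echo "rejected site name" >&2; return 1; }
    valid_domain "$2"   || { echo "rejected domain" >&2; return 1; }
    cat <<EOF
<VirtualHost *:80>
    ServerName $2
    DocumentRoot /var/www/$1
    <Directory /var/www/$1>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Stand-alone use: ./render_vhost.sh shop1 shop1.example.com
if [ "$#" -eq 2 ]; then render_vhost "$1" "$2"; fi
```

The caller redirects the output into the sites-available file only when render_vhost returns 0, so a rejected request leaves no partial configuration behind.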
On my development machine I have a public directory to view a test site. Sometimes I change files using command line PHP and sometimes the files are changed by Apache. This leads to endless conflicts (Apache can't write because the user owns it OR the user can't write because www-data owns it).
I have added myself to the www-data group, but I am still getting errors.
What is the best approach here - i.e. who should own the file, what group, and what should the permissions be (e.g. 0777 - obviously not, but you get the idea).
THANK YOU
# jump into the project's folder
cd /var/www/www.my-site.com
# exec dev/build as user www-data to avoid conflicts
# (www-data has no shell configured, so you must define it via -s option)
su www-data -s /bin/bash -c "php vendor/silverstripe/framework/cli-script.php dev/build \"flush=all\""
Hey fellow programmers,
I'm working on my bachelor's project and got into a bit of a problem.
The goal is to create a web app, that can operate and modify I/O of a WAGO PLC 750-8202 (you can imagine it as some kind of industrial Raspberry PI) running an embedded linux with a lighttpd web server. I've made some C scripts that utilize DAL(HAL) functions the PLC provides.
Now I want to link it with my web application/site. I have a simple PHP page (ignore the button, it does nothing):
<html>
<head>
<title>PHP Test</title>
</head>
<body>
<button value="CLICK ME">CLICK ME</button>
<?php
echo system("kbusdemo1");
?>
</body>
</html>
The kbusdemo1 executes but doesn't use the functions provided by DAL properly, it gives me an error. If I run that script as a root, it works perfectly. I found out that the problem lies with www user rights (that my web server lighttpd uses), so I tried editing sudoers with
sudo nano /etc/sudoers
Visudo is not implemented in the PLC linux system so I had to open it directly. I changed it to the code posted below, but if I try to run the C script as lighttpd user (with su www), it still doesn't work. What am I doing wrong?
Thanks for your suggestions.
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root ALL=(ALL) SETENV: ALL
admin ALL=NOPASSWD: /etc/config-tools/get_user_info
user ALL=NOPASSWD: /etc/config-tools/get_user_info
www ALL=(ALL) NOPASSWD:ALL
# Uncomment to allow people in group wheel to run all commands
# and set environment variables.
# %wheel ALL=(ALL) SETENV: ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: SETENV: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Thank you for all your help. I got it working, I wasn't calling the script as sudo from the PHP file. And as you suggested, I changed the lines in sudoers to only allow that one particular script, so no security holes for me.
I am trying to use unlink to delete a file. I currently have the below code:
unlink(Yii::getAlias('@webroot') . $userprofile->avatar);
The path is correct, as I have used echo within the view to check and it points to the correct file that I wish to delete. However, I get the below error:
unlink(/Applications/MAMP/htdocs/advanced/Final Prototype): Operation not permitted
Could this be a permissions thing in terms of not being the owner? If so, how can I check? Do I need to do chmod on the file or some directories?
Note: Working on Mac OS X and using MAMP
Change the owner of web directory and its files to your web server user (e.g. www-data for apache).
In Apache on *nix systems, you can find the user and group in httpd.conf by looking for User or Group. For example, my httpd.conf file on Arch Linux is:
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User http
Group http
</IfModule>
So with this config you can run chown -R http:http web on root of Yii project.
If the problem persists, you also need to change the permissions of the web folder to give write permission to the user and group (chmod -R 755 web may be a temporary solution for this. You must move your files to an upload folder and change the permissions of that to 755).
I've tried everything, so I am forced to create this post.
I have changed the htdocs folder permissions
sudo chmod 644 /Applications/XAMPP/xamppfiles/htdocs/
I have changed the httpd.conf file, replacing daemon with my user:
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User amldesign
Group daemon
</IfModule>
This happened from one day to the next...
what's happening here?