I try to execute a ping command with the user www-data
$command = 'ping -c 4 www.stackoverflow.com 2>&1';
$result = shell_exec($command);
But i always get ping: icmp open socket: Operation not permitted.
So i tried to allow the command by executing visudo and adding this line:
www-data ALL = NOPASSWD: /bin/ping
Then i restarted apache2 and tried it again, but i still get Operation not permitted.
How can i solve this?
The use of setuid, that provoques that ping is executed with the user of the ping itself (root) and not the user who launches the command (here www-data), is an old way to solve this problem, and not the best one today.
See this post. Recent linux distribution use kernel capabilities to solve that. Run getcap /bin/ping, it should return: /bin/ping = cap_net_raw+ep.
If not, you can manually set the capabilities. Run, as root:
# setcap cap_net_raw+ep /bin/ping
Or, more elegant, re-installe the appropriate package. In Debian distributions and derivatives, this is iputils-ping.
Related
Hoping someone can help me out here. Trying to run any command using exec() returns 126 and displays the same error message. I've narrowed it down to this pretty minimal test case.
root#test:~ $ sudo -u asterisk php -r 'exec("ls /", $out, $result); var_dump($result);'
sh: /bin/ls: Permission denied
int(126)
root#test:~ $ sudo -u asterisk ls /
bin boot dev etc home lib lib64 lost+found media mnt opt proc root sbin selinux srv sys tmp usr var
root#test:~ $ su -lc 'php -r '\''exec("ls /", $out, $result); var_dump($result);'\' asterisk
This account is currently not available.
SELinux and PHP safe mode are not enabled
permissions are fine on /, /bin/, and /bin/ls
asterisk is a system user created with this command: adduser -d /var/lib/asterisk -M -r -s /sbin/nologin asterisk
it works fine via Apache, which runs as this user
Every attempt to run any command returns permission denied and 126 as $?. The PHP config is pretty much as it shipped (Scientific Linux 6.7, PHP 5.4 via Remi package.)
Would appreciate some assistance (preferably the kind that would require some arcane knowledge, not the kind that means I missed something blindingly obvious!)
Edit: I can get it to work using su if I give the user a login shell:
root#test:~ $ usermod -s /bin/bash asterisk
root#test:~ $ su -c 'php -r '\''exec("ls /", $out, $result); var_dump($result);'\' asterisk
int(0)
However, this isn't my code so changing all the use of sudo to su is not likely to happen. Also, there shouldn't be anything stopping PHP from running this without a login shell.
You probably have enabled sudo option NOEXEC.
When this option is active, you can run command with high privilege, but cannot spawn other commands. This is (AFAIK) required to avoid an exploiter to gain a shell. Since you are using the asterisk user, this also makes much sense.
In your case, PHP command is granted the execution as asterisk user, but when it tries to spawn with exec, the command cannot be executed and it returns 126.
EDIT (as in comment below)
Adding this line to sudoers will solve this issue:
root ALL = (ALL) EXEC: ALL
Your account doesn't have permission to run bash commands.
As you know int(126) return the status of the executed command. From the bash man page:
If a command is found but is not executable, the return status is 126.
Try running ls directly from your asterisk user to see if it works.
If it doesn't work then check the permissions on your asterisk user and see if you have the necessary permissions. If you don't have the permissions, just use chmod to give your asterisk user permission. You should also try and create a new user and see if this command works with that user.
Edit: Since your asterisk account does not have a shell, you cannot execute shell commands from it.
Coming back to provide another answer to my own question a couple of years later. As the accepted answer supposed, I had set this in my file:
Defaults noexec
And I fixed this by overriding it for the root user.
But a better solution would be to apply the defaults only to the targeted user:
Defaults:admin noexec
This way the setting would not have affected the asterisk user I was having problems with in my question!
I have CentOS 7 with PHPFPM and Nginx (both installed from source, not yum). Nginx and PHP running on www-data user and group. Now I create a PHP file with this content:
exec("adduser myownuser");
This PHP file work successfully if I run it in the CentOS console as root. But when I want to run it in my webserver root, nothing happens and the script run as www-data..
What is the problem ?
You need to add apache to sudoers, without password required.
also you need to execute the adduser via a one line script, you can't set it's password otherwise.
Here's my implementation
$ccmd = "nohup sudo useradd -d /home/user -p $(openssl passwd -1 " . $thepassword . ") username &";
exec($ccmd);
I added this to my sudoers file
apache ALL=(ALL) NOPASSWD: ALL
depending on your distro, your apache user may differ. To find out what apache's username is, you can echo exec("whoami");
Before people start yelling at me, it's best to only allow apache sudo access to the one command you need. Either that or add apache to a group and assign that group to that command. I won't explain how to do that here, you can search because there are threads about this everywhere
I have been trying to execute a script using shell_exec() function in php:
I've written the following lines of code:
$command = "bash /path/to/my/script/ funciton_name() 2>&1";
echo shell_exec($command);
Inside the shell script I'm doing:
sudo rsync -avvc /source/path /destination/path
On executing this on the browser, I get the following error message:
sudo: no tty present and no askpass program specified
When I execute the same shell script on my server, it executes fine.
When I went through similar questions posted on this forum, I realised that I had to add the NOPASSWD line on my server which I found out has already been added in the following format:
User_Alias NOBODY=nobody,apache
NOBODY ALL=(ALL) NOPASSWD : /path/to/my/script
Also when I do:
echo shell_exec("whois");
I get the output as:
apache
Any assistance in overcoming this problem would be of great help.
sudo will require a TTY, even if you have set up it up to be passwordless, unless you explicitly do not require it. But as #Cfreak pointed out, it would be much better (simpler and safer) to avoid sudo by setting correct access rights (read it before continuing) in the first place.
rsync itself will not require root permissions on a sanely configured *nix install. To verify this, you can check that type -a rsync doesn't print anything weird like rsync is aliased to `sudo rsync' and that ls -l $(which rsync) prints sensible permissions (at least rx for everyone).
I would like lauched a command in php over my RPI.
The command is echo 'standby 0' | cec-client -s, it's work fine in ssh my Tv shutdown, but in php echo shell_exec("......") return adapters autodetect FAILED ... But also mkdir doesn't work with sheel_exec, so i think it's probably PATH problem, but i don't know how to fix it. My PATH in ssh is /usr/local/bin....... and in php is /sbin:/bin:/usr/sbin:/usr/bin .
How i can fix it. Sorry for my english ...
I tried the same and got a message saying "failed to open vchiq instance". I found a question on Raspberry Pi StackExchange suggesting to add the user to the "video" group. I did that with usermod -a -G video www-data and then restarted apache with /etc/init.d/apache2 restart. Then I was able to use cec-client from PHP and apache.
It is permissions problem. While running command via ssh you executing it as user pi(probably), but via shell_exec you execute command as user www-data which do not have necessary permissions. You can check this by running echo shell_exec("whoami");
You can easly fix this by adding line "www-data ALL=(ALL) NOPASSWD: ALL" into your "/etc/sudoers" file and then run "echo shell_exec("sudo echo 'standby 0' | sudo cec-client -s");", hovewer this will add to the user www-data all of the sudo permissions and it is very unsecure, but it will work. If you want to do it more secure way you need to find which permissions cec-client required to run properly and then add them to user www-data.
I am running Apache on my localhost. From a PHP script run as www-user I would like to control Rhythmbox playback on my machine. So far I have a simple command in my PHP script:
exec('rhythmbox-client --pause');
This works great when I run it from the command-line as me, but if it runs as www-user I guess rhythmbox-client doesn't know/can't access my instance of Rhythmbox.
Is there an easy way for that PHP script to run as my user rather than www-user, or to tell rhythmbox-client which instance to control?
The overall application is that when my phone goes off-hook it calls my PHP script which pauses music, and resumes playback when the phone is on-hook. I love VoIP phones!
Solution:
Thanks to Carpetsmoker and Tarek I used sudo as the answer but there was a couple of problems. To overcome them I did the following:
Created a bash script to call rhythmbox-client. This bash script was executed using sudo in PHP as described in the answer below. Unfortunately rhythmbox-client didn't know what environment to control, so the bash script looks like this:
#! /bin/bash
DBUS_ADDRESS=`grep -z DBUS_SESSION_BUS_ADDRESS /proc/*/environ 2> /dev/null| sed 's/DBUS/\nDBUS/g' | tail -n 1`
if [ "x$DBUS_ADDRESS" != "x" ]; then
export $DBUS_ADDRESS
/usr/bin/rhythmbox-client --pause
fi
Now that bash script can be executed by PHP and wwwuser, and my phone can pause/play my music!
One solution is using sudo(8):
exec('sudo -u myuser ls /');
You will, obviously, need to setup sudo(8) to allow the user running your webserver to invoke it. Editing the sudoers file with visudo(8), you can use something like:
wwwuser ALL=/usr/bin/rhythmbox-client
To prevent Apache from being able to run other commands and only the rythymbox command.
In my case, the solution came this way:
Added this lines to sudoers file:
myuser ALL=(ALL) NOPASSWD: /usr/bin/prlctl
_www ALL=(ALL) NOPASSWD: /usr/bin/prlctl # IMPORTANT!!!
The EXEC() command in PHP was changed to:
exec("sudo -u myuser prlctl list -a", $out, $r);
If a process can be run by any user it can be run by PHP. Example is fortune command
-rwxr-xr-x 1 root root 18816 Oct 1 2009 /usr/games/fortune
Look at the x permission for every user. But this some times doesn't at all work and you may have to let the user, www-data or apache etc, run the program. You can sudo www-data and try to run the command. If it works then Apache/PHP should be able to run it.