I want PHP to be able to create a folder in a folder where it does not have access. The created folder should in the end be owned by the user virtual and the group virtual.
I have tried adding the following to visudo:
virtual ALL=(ALL) NOPASSWD: /var/mail/virtual
_www ALL=(ALL) NOPASSWD: /var/mail/virtual
With that I try the following command from PHP with exec():
sudo -u virtual mkdir /var/mail/virtual/test.com
The command works when executed through a terminal, but not when called through php.
Anyone able to tell me where I went wrong?
The server is running Ubuntu 14.04 LTS.
I made it work, somehow.
Changed the visudo entry to
www-data ALL=(ALL) NOPASSWD: /var/mail/virtual, /var/mail/virtual/dir.sh
Placed the script dir.sh in the folder and changed the command in the PHP part to
sudo /var/mail/virtual/dir.sh $dir
There are a number of things going wrong here.
Entries in /etc/sudoers specify commands that can be run, not directories that can be accessed.
There is generally no _www user on Ubuntu systems. That username is an artifact of Mac OS X.
The first user in the command line is the user that is being allowed to invoke sudo, not the user that they can run the command as.
A more appropriate solution here would be:
www-data ALL = (virtual) mkdir /var/mail/virtual/*
There are still some subtle vulnerabilities in this command specification (it's possible to escape /var/mail/virtual and create directories in other locations where virtual has permissions), but it's much more secure than what you've come up with.
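As an added example (not from the original question or answers), a wrapper in the spirit of the asker's dir.sh that can be the single command named in sudoers, with the directory name validated so the path cannot escape the base directory; the script path, the sudoers line in the comment and the function names are assumptions.

```bash
#!/bin/sh
# Added example, not from the original question or answers: a wrapper in the
# spirit of the asker's dir.sh that can be the single command named in sudoers
# (assumed line: www-data ALL = (virtual) NOPASSWD: /usr/local/sbin/mkvdir.sh)
# and invoked from PHP as sudo -u virtual /usr/local/sbin/mkvdir.sh NAME.
# Running as virtual means the new directory is owned by virtual:virtual.
# The base directory is fixed here rather than taken from the caller.
BASE=/var/mail/virtual

# valid_name NAME -> 0 if NAME is a plain domain-like label, 1 otherwise.
# Rejects empty names, anything containing a slash, anything starting with
# a dot (so "." and ".."), ".." anywhere, and any character outside [A-Za-z0-9.-].
valid_name() {
    case "$1" in
        ''|*/*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# make_vdir_in BASEDIR NAME -> creates BASEDIR/NAME and prints its path;
# returns 1 without touching the filesystem when NAME fails validation.
make_vdir_in() {
    valid_name "$2" || { echo "refusing unsafe name: $2" >&2; return 1; }
    mkdir "$1/$2" && printf '%s\n' "$1/$2"
}

# Entry point when run as a script: only the first argument is used, and the
# base directory is never taken from the caller.
if [ -n "${1:-}" ]; then
    make_vdir_in "$BASE" "$1"
fi
```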
I am running an Apache webserver on a virtual machine on my PC. The VM is running Zorin Linux. I have written a PHP script that writes some data to another text file in the same directory. Both files are located in /var/www/html/. I have already verified that the webserver user is www-data, and I have attempted to make that user owner of the /var/www/html directory, as well as everything within that directory. Here is the command that I have used to do this:
sudo chown -R www-data /var/www/html/*
I have also verified that the www-data user is the owner of this directory and its contents using
ls -dl /var/www/html/
ls -dl /var/www/html/*
Both return that the owner is www-data.
Even after doing all of this, the PHP file is still unable to write to the file correctly. At this point I am stumped. Any help would be greatly appreciated.
I'm trying to get nightmarejs to work on my CentOS server and was able to do so by running xvfb-run; however, I need to call this command via a PHP exec() function.
When I do, I'm just getting an empty result, as though it doesn't work.
When I run it via the command line (i.e. xvfb-run node my-script.js) everything works great. Any idea why it doesn't seem to work or be available to my PHP script?
Although Cono's answer does work, it is less secure as it gives YOUR_USER access to wheel, making YOUR_USER an administrator.
Instead, create a file in /etc/sudoers.d (RHEL/CentOS) with contents like: (presuming YOUR_USER is apache)
# Allow apache to run xvfb-run
Defaults:apache !requiretty
Defaults:apache visiblepw
apache ALL = NOPASSWD: /usr/bin/xvfb-run
This way, if the apache user is compromised they can only run the xvfb-run command.
(Answer thanks to ThirdNode)
OK, I figured it out. Basically, sudo access has to be granted for xvfb-run in order to call it via an executable script in PHP. To do so, log into a terminal and do the following:
# sudo visudo
Make sure the wheel group is uncommented
%wheel ALL=(ALL) ALL
This means that users added to the wheel group will have access to call sudo commands.
At the bottom of the file, grant your user access to the script
YOUR_USER ALL = NOPASSWD: /usr/bin/xvfb-run
Save your file and add your user to the wheel group
usermod -aG wheel YOUR_USER
Finally, from your PHP script you can now call xvfb-run via sudo:
<?php exec('sudo xvfb-run node my-script.js'); ?>
I've been at this for two days now and haven't been able to find any way (good or bad) of getting that to work.
I have to be able to dynamically mount drives over the network from my website's pages (that part is inevitable).
I have no problems doing it directly on the console with the following command
mount -t cifs //IP-REMOTE-MACHINE/Folder -o username=username,password=password /mnt/share
Obviously trying to just do a shell_exec() of this command wouldn't work without root rights.
I tried to shell_exec() a script in which I would switch to the root user (via su or sudo mycommand), but neither of them would work (I have never been able to succeed in writing a script that would automatically switch my user to root, even with the root password hard coded, even if that feels like an extremely bad idea I could have accepted at the moment).
After that I tried to use pmount but never found a way to access a remote shared folder (I don't think it's even possible, but I may have missed something here?).
All that is running on a Debian machine with apache2.
I have a wild idea...
You could set a cron to run as root that checks for mount commands from your script. The script would simply set a mount command to be processed, and when the cron gets to it, runs the mount, marks the command as processed, and writes to a log file which you could then display.
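The cron-as-root idea above, worked into a queue processor with an allow-list (an added example, not from the original answer): the web app only appends a share name to a queue, and the root-side job mounts only entries found in a fixed table. The queue, table and credentials-file paths, the table format and the MOUNT_CMD override are assumptions.

```bash
#!/bin/sh
# Added example, not from the original answers: the "root cron" idea from the
# thread, made safer by letting the web app queue only a share *name* while the
# root-side script mounts only entries found in a fixed table. All paths, the
# table format and the credentials-file naming are assumptions.
#   table line format:  NAME //server/share /mount/point
#   assumed cron entry: * * * * * /usr/local/sbin/mountq.sh run
QUEUE=/var/spool/mountq/requests    # web app appends one name per line
ALLOWED=/etc/mountq/allowed         # root-owned table of permitted shares
LOG=/var/log/mountq.log

# lookup NAME TABLE -> prints "//server/share /mount/point" if NAME is listed
lookup() {
    awk -v n="$1" '$1 == n { print $2, $3; exit }' "$2"
}

# process_queue QUEUE TABLE LOG -> mounts every listed name, logs each
# decision, empties the queue, and returns the number of rejected requests.
# The mount binary can be overridden via MOUNT_CMD (used by tests).
process_queue() {
    rejected=0
    mount_cmd=${MOUNT_CMD:-mount}
    [ -f "$1" ] || return 0
    while IFS= read -r name; do
        target=$(lookup "$name" "$2")
        if [ -z "$target" ]; then
            echo "$(date -u +%FT%TZ) REJECT $name" >>"$3"
            rejected=$((rejected + 1))
            continue
        fi
        # $target holds exactly two fields; credentials stay in a root-only
        # file instead of on the command line.
        if $mount_cmd -t cifs $target -o "credentials=/etc/mountq/creds.$name" </dev/null; then
            echo "$(date -u +%FT%TZ) MOUNTED $name" >>"$3"
        else
            echo "$(date -u +%FT%TZ) FAILED $name" >>"$3"
        fi
    done <"$1"
    : >"$1"   # mark everything as processed
    return "$rejected"
}

if [ "${1:-}" = run ]; then
    process_queue "$QUEUE" "$ALLOWED" "$LOG"
fi
```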
It's not safe to run sudo commands with www-data (the user for web servers in Debian).
But if you want to run sudo [command] in a PHP script, you must add the user www-data to sudoers: http://www.pendrivelinux.com/how-to-add-a-user-to-the-sudoers-list/
And then you can exec: sudo mount ...
EDIT: It's safer to add in visudo:
www-data ALL= NOPASSWD: /bin/mount
to allow www-data to use only sudo /bin/mount.
My command is
echo root_password | sudo -u root -S executable_full_path arguments
The error message I get in the browser is
[sudo] password for www-data: Sorry, try again.
From phpinfo(), safe mode is off and there are no disabled functions. Why isn't this working? The same command runs fine in the shell (bash). Escapeshellarg and escapeshellcmd don't make a difference.
EDIT: Simply being able to execute the command is not enough. The program that gets executed creates a socket in /tmp, and needs to assign it permissions. So I think I really need to be root for this, is that possible?
As Álvaro suggested, I'm putting my comment as answer. Matt, this would make it possible to run that command as root.
#Matt, don't do that to /etc/sudoers (by the way, you edit this file with the visudo command, never directly). That way you make it possible for any sudo whatever command run by your web application to be run as root, giving an attacker a lot of fun if he finds a vulnerability in your application.
If you would like to run just ONE command as root without need for passwords, put this in /etc/sudoers (remember visudo command):
www-data ALL=(ALL) NOPASSWD: executable_full_path
Then you are only allowing just this command to be executed as root. Now you should be able to do
sudo -u root executable_full_path arguments
without need to type in a password (and it will run as root). Also, this is the only command the user www-data may execute as root using sudo, so it should not be dangerous.
You're echoing the root password when you should be echoing the password for www-data.
Use this in your /etc/sudoers.
Example for running gconftool-2:
www-data ALL=NOPASSWD: /usr/bin/gconftool-2
www-data ALL=NOPASSWD: /usr/bin/sudo
www-data ALL=NOPASSWD: ALL
I've been trying to figure out how to do this the whole day.
The short version: I have to manage some virtual machines using the PHP shell_exec function; so far I can't do this because Apache is run by the user www-data and VirtualBox by the user vboxuser.
From what I've read so far, I've thought of 3 possible solutions:
1.- Create a script on my vboxuser that I can call from php to manage the Virtual Machines.
2.- Change the apache user from www-data to vboxuser so I can manage the Virtual Machines through php
3.- Reinstall VirtualBox, this time using www-data as my user.
I'm not sure if any of these will work and I'm not too sure of which would be the best solution. Any suggestions/ideas?
Thanks in advance.
Now the longer more detailed version:
I have a remote server running Ubuntu 10.04.2; on that server I have set up VirtualBox so I can run several instances of WinXP to perform different tasks.
Everything is set up and I can manage the virtual machines through SSH. If I want to run them as a different user than the one that created them (a user that so far has only been used to create the virtual machines), I have to do sudo -u vboxuser.
Now, I need to create a PHP script to manage these virtual machines (I know about phpVirtualBox, but it's not what I need). If I try to run the virtual machines using shell_exec() from PHP, I get no answer at all (and I have tested that shell_exec is working on my server).
You can configure sudo to allow www-data to execute commands as vboxuser.
Use sudo visudo to add a line to /etc/sudoers like
www-data ALL = (vboxuser) /usr/bin/vboxmanage
Check man sudoers for more information.
To change the apache user, you can edit:
/etc/apache2/envvars
And change APACHE_RUN_USER=root
Or you could execute it from root's cron
sudo crontab -e
HTH