I have a WebHook configured to communicate with a Telegram Bot, and I want to run some root commands when a bot command arrives. As we know, the Telegram Bot sends an https request to our web hook, so I can only run a shell script as the www-data user. But I actually want to run it as root.
My script kill.sh:
#!/bin/bash
kill -9 $1
From php I run:
exec('kill.sh ' . $pidFromTelegramMessage);
Rights:
$ ls -al kill.sh
-r-xr-x--- 1 root www-data 24 Dec 16 15:27 kill.sh*
I even tried to put this script in the /tmp directory but it does not work either. I always get:
/tmp/kill.sh: 3: kill: Operation not permitted
I found only one way to do this. I put this line into /etc/sudoers by run visudo command:
www-data ALL = NOPASSWD: /bin/kill, /usr/bin/tail, /tmp/run.sh
Add execute permissions to /tmp/run.sh:
chmod a+x /tmp/run.sh
Now you can run these three commands as www-data user:
sudo kill -9 32233
sudo /tmp/run.sh
But you must think twice before allowing anyone to execute the /tmp/run.sh script.
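A hardened replacement for the kill.sh wrapper, added here as an example (it is not from the original post): it is written to be the only sudoers target for www-data and refuses anything that is not a bare PID of an allow-listed process. The install path /usr/local/sbin/kill-worker and the process name "worker" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a hardened replacement for
# kill.sh, meant to be the only sudoers target for www-data, e.g.
#   www-data ALL = NOPASSWD: /usr/local/sbin/kill-worker
# The install path and the allow-listed process name "worker" are assumptions.
ALLOWED_CMD="${ALLOWED_CMD:-worker}"

# Returns 0 only if $1 is a bare decimal PID greater than 1: no sign, no
# spaces, no shell metacharacters, and never PID 1 (init) or 0 (whole group).
is_valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 1 ] ;;
    esac
}

# Returns 0 if the process's command name is the allow-listed one.
is_allowed_target() {
    comm=$(ps -o comm= -p "$1" 2>/dev/null) || return 1
    [ "$comm" = "$ALLOWED_CMD" ]
}

# Validates, then sends SIGTERM (not SIGKILL, so the worker can clean up).
# Returns 2 for a malformed argument, 3 for a PID that is not allow-listed.
kill_worker() {
    pid="$1"
    is_valid_pid "$pid" || { echo "refused: '$pid' is not a PID" >&2; return 2; }
    is_allowed_target "$pid" || { echo "refused: PID $pid is not a $ALLOWED_CMD process" >&2; return 3; }
    kill -TERM "$pid"
}

# Only act when invoked under the installed name, so the functions can also be
# sourced for testing without signalling anything.
if [ "${0##*/}" = "kill-worker" ]; then
    kill_worker "$1"
fi
```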
This is for Amazon EC2 Linux.
I have a PHP script that runs a shell script.
So inside the shell script is a command to run node.
When I run the PHP script from the command line, the node executes.
When I run the PHP script from the browser, I get this message in the apache log:
/home/ec2-user/.nvm/versions/node/v8.11.3/bin/node: Permission denied
This is after doing a chmod 777 on /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
I also did chown ec2-user:apache /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
Also, here is the result of:
$ ls -alrt /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
-rwxrwxrwx 1 ec2-user apache 34800111 Jun 12 22:40 /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node
Everyone has full permissions on it, how can I be getting a "Permission denied" error?
So again this works perfectly if I run the PHP script from the command line.
Ok this is a total no-no but it's temporarily a hack.
Since this is running on my AWS EC2 instance, I simply restrict everything via the security group and only allow the I.P. addresses I allow, so it's safe for me.
You have to add the permissions to the apache group in the sudoers file.
So, first:
$ sudo visudo
And then add:
%apache ALL = (ALL) NOPASSWD: ALL
To the end of the file. Again, it's bad, it's a hack, but it's a current workaround and I restrict access to the EC2 instance via the I.P. addresses in the security group anyways.
If you want to run this then you can go to /etc/sudoers and make apache as your sudo user and it will have root privileges to run the file in the browser.
The changes you will have to make are:
First find the line
root ALL=(ALL) ALL
and then add the line below it
apache ALL=(ALL) NOPASSWD: ALL
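As an added example (not from any of the answers above), a small POSIX sh audit over sudoers rules of the kind quoted in these threads: it flags rules that grant ALL commands, like the %apache and apache lines here, and NOPASSWD targets under world-writable directories, like the /tmp/run.sh entry in the first question. The parsing is deliberately simplified and the sample rules are constructed from lines on this page.

```shell
#!/bin/sh
# Added example, not from the answers above: audit sudoers rules for two
# patterns a reviewer would reject. Parsing is simplified (one rule per line,
# no aliases, no continuation lines).

# Prints a reason and returns 1 when the rule is risky, 0 otherwise.
audit_sudoers_rule() {
    rule="${1%%#*}"                      # drop trailing comments
    case "$rule" in ''|Defaults*) return 0 ;; esac
    cmds="${rule##*=}"                   # text after '=': optional (runas) + commands
    cmds="${cmds#*)}"                    # drop an optional "(runas)" group
    cmds="${cmds##*NOPASSWD:}"           # drop the tag if present
    status=0
    old_ifs=$IFS; IFS=','
    for c in $cmds; do
        IFS=$old_ifs
        c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$c" in
            ALL) echo "RISKY: '$rule' grants ALL commands"; status=1 ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)
                echo "RISKY: '$rule' runs $c from a world-writable directory"; status=1 ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# Audits every line of a sudoers text; returns 1 if any rule is risky.
audit_sudoers_text() {
    rc=0
    while IFS= read -r line; do
        audit_sudoers_rule "$line" || rc=1
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample made of rules quoted in these threads.
SAMPLE_RULES='www-data ALL = NOPASSWD: /bin/kill, /usr/bin/tail, /tmp/run.sh
%apache ALL = (ALL) NOPASSWD: ALL
wwwuser ALL=/usr/bin/rhythmbox-client'

if audit_sudoers_text "$SAMPLE_RULES"; then
    echo "sudoers: no risky rules"
else
    echo "sudoers: risky rules found"
fi
```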
I found my crontab scripts do not work as expected because they cannot write on /var/log. I tried executing command:
sudo /usr/bin/php /var/www/html/iPhone/inarrivo/php/rome/process.php >> /var/log/romeLoading.log 2>&1
by hand and got:
-bash: /var/log/romeLoading.log: Permission Denied
/var/log permissions are:
drwxr-xr-x. 13 root root 4096 15 ago 16.20 .
If I conversely execute:
sudo touch /var/log/loadRome.log
I get no error whatsoever.
What could be the issue?
Please note Apache is not at stake: I am calling those scripts from the root crontab and from the shell with sudo as a test.
Best guess: the user running the shell doesn't have write access to /var/log/romeLoading.log, and the stdout redirect (>>) is performed by the shell user, not the sudo user, hence the access denied on >> but not on sudo touch. Maybe try
sudo sh -c '/usr/bin/php /var/www/html/iPhone/inarrivo/php/rome/process.php >> /var/log/romeLoading.log 2>&1'
That should run sh as root and have the root sh do the redirect with root permissions. Untested though.
And next time you want to post permissions for debugging, post the namei -l path/to/file output. It gives much more info than the single file itself when debugging permission issues, as the issue can be higher up than the file, like the folder it's in, or the folder that folder is in, etc., and namei gives you, recursively, detailed permission information on all of them.
It's a permissions issue as the log file belongs to root user and apache runs off www-data. Try chown www-data:www-data /var/log/loadRome.log.
I'm having trouble running a bash file using PHP.
PHP File :
chdir('/var/www/PATH/inc/bash/');
exec('./status.sh argument', $output);
Bash File :
#!/bin/bash
echo 'test' >> /var/www/PATH/inc/bashOutput/test.txt
PHP File (ls -al handler.func.php) :
-rw-r--r-- 1 root root 461 Jul 5 11:35 handler.func.php
Bash File (ls -al status.sh) :
-rwxr-xr-x 1 root root 255 Jul 5 11:39 status.sh
The script is working through root with SSH.
I'm not a pro on Linux.
But I think it's a problem that comes with the file owner.
But I have already done some damage in the past with "chown", so if it is indeed the problem I would prefer some guidance from more experienced people.
Thanks for your help,
Konorr.
The script is working through root with SSH. There is the problem. When a PHP script runs via a web request it usually runs as the user www-data. In any case, <?php exec('./status.sh argument', $output); ?> is a security hole. Most server admins would have this disabled.
Your other option is to put sudo in your exec function: exec('sudo bash /var/www/PATH/inc/bash/status.sh'), along with running the script with an absolute path: bash /var/www/PATH/inc/bash/status.sh
Why can't you run a cron on your script?
Thanks for your answer but unfortunately it didn't work for me.
I searched a little more about file owners.
I made these changes:
chown -R www-data:www-data /var/www/PATH
usermod -a -G www-data user
chgrp -R www-data /var/www/PATH
chmod 2750 /var/www/PATH
chmod 2750 /var/www/PATH/inc/bash
It still wasn't working until I removed the sudo from the EXEC function.
So I don't know at which point my problem was already fixed.
I followed this article: www-data permissions?
Thanks for your time, and in the hope it can help someone else.
I have an sh file with file-removing commands.
I run it from php like this:
shell_exec("sudo -n ./truncatefiles.sh 2>&1");
That works fine if I open the PHP file from the browser, but it doesn't work from the scheduled crontab.
PHP user: www-data
If I run whoami from cron, it returns the same: www-data
I added this to my visudo:
www-data ALL=(ALL) NOPASSWD: /www/sites/..../importscript/truncatefiles.sh
Shell exec for this sh file returns (from cron):
sudo: sorry, a password is required to run sudo
Why does it work differently in cron?
What should I do to get it working?
Please try to do the following.
Try to log your output from crontab to a file:
* * * * * myscript.php >> /var/log/myjob.log 2>&1
This way you can debug your script.
1. Also check the user and permissions for your shell script and PHP file.
2. Try with sudo crontab -e
I am running Apache on my localhost. From a PHP script run as www-user I would like to control Rhythmbox playback on my machine. So far I have a simple command in my PHP script:
exec('rhythmbox-client --pause');
This works great when I run it from the command-line as me, but if it runs as www-user I guess rhythmbox-client doesn't know/can't access my instance of Rhythmbox.
Is there an easy way for that PHP script to run as my user rather than www-user, or to tell rhythmbox-client which instance to control?
The overall application is that when my phone goes off-hook it calls my PHP script which pauses music, and resumes playback when the phone is on-hook. I love VoIP phones!
Solution:
Thanks to Carpetsmoker and Tarek I used sudo as the answer, but there were a couple of problems. To overcome them I did the following:
Created a bash script to call rhythmbox-client. This bash script was executed using sudo in PHP as described in the answer below. Unfortunately rhythmbox-client didn't know what environment to control, so the bash script looks like this:
#! /bin/bash
# Find the session bus address of a running process of the logged-in user,
# so rhythmbox-client can reach that user's Rhythmbox instance.
DBUS_ADDRESS=`grep -z DBUS_SESSION_BUS_ADDRESS /proc/*/environ 2> /dev/null| sed 's/DBUS/\nDBUS/g' | tail -n 1`
if [ "x$DBUS_ADDRESS" != "x" ]; then
    # DBUS_ADDRESS holds "DBUS_SESSION_BUS_ADDRESS=...", so export it as-is.
    export $DBUS_ADDRESS
    /usr/bin/rhythmbox-client --pause
fi
Now that bash script can be executed by PHP and wwwuser, and my phone can pause/play my music!
One solution is using sudo(8):
exec('sudo -u myuser ls /');
You will, obviously, need to setup sudo(8) to allow the user running your webserver to invoke it. Editing the sudoers file with visudo(8), you can use something like:
wwwuser ALL=/usr/bin/rhythmbox-client
This prevents Apache from being able to run other commands, allowing only the rhythmbox command.
In my case, the solution came this way:
Added these lines to the sudoers file:
myuser ALL=(ALL) NOPASSWD: /usr/bin/prlctl
_www ALL=(ALL) NOPASSWD: /usr/bin/prlctl # IMPORTANT!!!
The EXEC() command in PHP was changed to:
exec("sudo -u myuser prlctl list -a", $out, $r);
If a process can be run by any user, it can be run by PHP. An example is the fortune command:
-rwxr-xr-x 1 root root 18816 Oct 1 2009 /usr/games/fortune
Look at the x permission for every user. But sometimes this doesn't work at all, and you may have to let the user (www-data, apache, etc.) run the program. You can sudo to www-data and try to run the command. If it works then Apache/PHP should be able to run it.