IIS access to a remote server in same domain - php

I have a server A where some logs are saved, and another server B with a web server (IIS) on it.
I can access serverA from Windows Explorer with zero problems, but when I want to access it from serverB with some PHP code, it doesn't work.
I made a python script that accesses the file from serverA on serverB. It works if I run that script from CMD, but when I run that script from PHP code it doesn't work anymore.
I run the IIS server as a domain account that has access to serverA.
I tried to run it as LocalService, NetworkService, System, LocalUser, but with no success.
That script is a simple open command, so the problem is not from Python.

Since you provide no example code or describe what you are doing... There are a few things to consider.
Anything running in the context of a webpage in IIS is running in a different context than a logged in user.
The first part of that is simply what file system level permissions might be different for the IIS user account. The proper way you want to handle that is by assigning the necessary changes at the filesystem level for the IIS user. Do not change the IIS user if you do not understand the ramifications of doing that.
The next part is that certain operations cannot be done in the context of the IIS user account (regardless of account permissions), because there are certain things that only a logged in user with access to the console/desktop can do.
Certain operations called from IIS are purposely blocked (shell.execute) regardless of permissions, account used, etc. This occurs in versions of IIS in Windows Server 2008 and later and is done for security.

Resolved.
Uninstall IIS and use XAMPP.
No problem found till now, everything works okay.
So use XAMPP/WAMP!

Related

PHP exec(), shell_exec(), system(), passthru() do not work on Windows 7/IIS

I'm using Windows 7 x64 Enterprise, IIS, and PHP 5.6.32 in my development environment. My application's website has the following settings:
Anonymous authentication: disabled
Windows authentication: enabled (Negotiate, Negotiate:Kerberos, NTLM)
App Pool: domain account.
Other than the default PHP extensions, I have Microsoft's PHP SQL Server driver (3.2 version) used in Windows Authentication mode.
My production server is the same setup running on Server 2008 R2.
I am needing to use exec(), shell_exec(), etc. to execute an executable (pdftk if it matters). However, whenever I use any of these functions, I always get "Unable to fork XXX" in the PHP error log. I've tried running whoami, ping xxx, and other simple commands with the same result. None of the typical shell functions will work; they always result in the same error. I have checked my php.ini file and verified those functions haven't been disabled.
However, in my production environment, I do not have this problem, and I have no clue why. It only seems to be affecting my development environment. During my research, I did stumble across this (http://tech.trailmax.info/2012/12/php-warning-shell_exec-unable-to-execute-on-iis-7/) which, for some reason, does fix my problem; but, it completely breaks my SQL Server Windows authentication (which I need).
I have also disabled my antivirus in hopes maybe it was the culprit. It was not.
While doing more troubleshooting, I did find that proc_open() does work. We are using Prince for generating PDFs and I noticed it was working, while my exec() wasn't. When I looked at the Prince class, I discovered it was using proc_open() which explains why it seems to work.
Does anyone know why exec() and the related functions seem to work without issue in my production environment and not my development environment? And why does proc_open() work but the other shell functions do not? Thanks!
Check the permissions on file 'C:\WINDOWS\system32\cmd.exe'.
You need read/execute permission on this file.
I would recommend using the sysinternals Process Monitor 'procmon.exe' to confirm the user that is trying to run 'cmd.exe'.
Filter on 'Process Name' is 'php-cgi.exe' and 'Path' ends with 'cmd.exe'. Look at the event properties for the task with the access denied error, and it will show you the 'Impersonating' user name. This is usually the 'Internet Guest Account', often 'NT AUTHORITY\IUSR'.
I wanted to post an update to this since I figured out the issue. The answer can be found here in the very last post by 1heer2351 at zonnet dot nl:
Located the problem and have been able to fix it.
I am using a special user for my Application Pool (say AppPoolUser),
so PHP runs as this user. The new exec function uses
CreateProcessAsUser() with impersonation. This means that the
AppPoolUser must have the right to change the process level token.
You can assign this right to the user in the "Local Security Settings"
-> User Rights Assignment.
I have granted my AppPoolUser the "Replace a process level token"
setting -> fork error has gone.
Thought this might be useful information, so access is required to
cmd.exe but in addition the "Replace a process level token" setting.
This is exactly what I did. I had created a new App Pool User using my domain account. By default, the Replace a process level token setting includes DefaultAppPool. Since I created a new App Pool User, it was not included in this policy setting. Adding the App Pool User I created resolved my issue.
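
An added example (not from the original posts) of how to verify the fix described above: it exports the local user-rights assignments with secedit and reports whether an account is listed directly under "Replace a process level token" (SeAssignPrimaryTokenPrivilege). The account name CONTOSO\AppPoolUser is a placeholder, and the check assumes an elevated PowerShell prompt; rights inherited through group membership are not expanded.

```powershell
# Added example: is an account granted "Replace a process level token"
# (SeAssignPrimaryTokenPrivilege)? Run from an elevated PowerShell prompt.
param(
    # Placeholder value; pass the identity configured on the application pool.
    [string]$Account = 'CONTOSO\AppPoolUser'
)

$right = 'SeAssignPrimaryTokenPrivilege'

# Resolve the account to a SID, because secedit lists most holders as *S-1-... values.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the security policy to a temporary file.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^\s*$right\s*=" }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Holders are comma separated; SIDs carry a leading '*', other entries are plain names.
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Match on SID first, then on the name forms secedit may write for unresolved entries.
$shortName = ($Account -split '\\')[-1]
$direct = ($holders -contains $sid) -or
          ($holders -contains $Account) -or
          ($holders -contains $shortName)

[pscustomobject]@{
    Account        = $Account
    Sid            = $sid
    Right          = $right
    DirectlyHeld   = $direct
    CurrentHolders = $holders -join ', '
}
```

If DirectlyHeld is False for a custom application pool identity, that matches the situation in the update above, where the default policy listed DefaultAppPool but not the newly created account.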

PHP exec() , showing executed exe file in task manager but not displaying

I have used a simple PHP script to execute an exe file; below is my PHP code:
<? exec('"C:\Windows\notepad.exe"');?>
My problem is, when I check Task Manager after executing the above code, notepad.exe is there but it is not displaying.
In the same way, if I execute the code below:
<? exec('"C:\Program Files\WinSCP\WinSCP.exe"'); ?>
Task Manager shows WinSCP.exe, but WinSCP is not displaying.
Can anyone tell me why the applications are not showing?
Whatever your web server is (Apache, Nginx, IIS...) it's clearly not configured to run with the credentials of your administrator user account. That's the sensible default. Background services are designed to run unattended.
You have several choices, from worse to better:
1. Kill security in your web server configuration. If the web server runs as a service, open Windows Service Manager and configure it to run with your account (don't forget to come back here if you change your password in the future). This way you allow any stranger in your computer, local network and/or internet to run programs in your name, in this case Notepad and WinSCP.
2. If the web server allows it, run it from a command prompt in your own session. It's similar to #1 but will at least not run 24/7.
3. Any of the above, with a restricted account.
4. Don't use a web server. PHP can run from the command line just fine, which means that you can even create a *.bat file and assign an icon to it.
As about your code, when it finally works your script will sleep until you close Notepad. This can be a bug or a feature depending on your needs.
Had the same problem with WAMP 2.4 & windows XP, the following helped:
Win+R, services.msc
edit wampapache and wampmysqld to allow affecting desktop.
Alternatively you can try:
Win+R, services.msc
edit wampapache and wampmysqld to log on as the same user.
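
An added example (not part of the original answers) for diagnosing the symptom above: it lists each matching process with its owner, parent and Windows session, and compares that session with the one the script runs in. On Windows Vista / Server 2008 and later, services run in session 0, which has no visible desktop; the process name defaults to the notepad.exe from the question.

```powershell
# Added example: show which account and Windows session a spawned process belongs to.
param(
    # Defaults to the program started by exec() in the question.
    [string]$ProcessName = 'notepad.exe'
)

# Session of the prompt this script is typed into, i.e. the desktop you can see.
$mySession = (Get-Process -Id $PID).SessionId

Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ProcessName'" |
    ForEach-Object {
        # GetOwner needs sufficient rights; ReturnValue 0 means the lookup succeeded.
        $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $parent = Get-CimInstance -ClassName Win32_Process `
                      -Filter "ProcessId = $($_.ParentProcessId)"

        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Owner       = if ($owner.ReturnValue -eq 0) {
                              "$($owner.Domain)\$($owner.User)"
                          } else { '<unavailable>' }
            SessionId   = $_.SessionId
            Parent      = if ($parent) {
                              "$($parent.Name) ($($parent.ProcessId))"
                          } else { '<exited>' }
            # A window is visible only if the process lives in your logon session.
            OnMyDesktop = ($_.SessionId -eq $mySession)
        }
    } | Format-Table -AutoSize
```

A process whose SessionId is 0 and whose parent chain leads back to the web server's service was started where no user can see it, which is the least-privilege default the answers describe rather than a fault in exec().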

Is there any difference between being Administrator and having 'admin rights' on Windows?

I have a strange problem.
I am working with Windows software that is written by me, and a third party.
The third party has created an installer. This installer requests admin rights programmatically. This installer also installs Apache as a Windows Service. Because the installer is running with admin rights, we expect the Apache Windows Service to run with admin rights.
The problem that we are seeing is that we get different results from a php script running on Apache, depending on how Apache is launched.
If Apache is running as the Windows Service, installed via the installer mentioned above we get the wrong result. If Apache is started from the cmd prompt (which starts as User Administrator) then the php script gives the correct result.
Can anyone suggest what could be going wrong?
NB. The PHP script is running CutyCapt.exe (a website-to-PNG capture utility).
The Apache Service, regardless of how it was installed, always start under the "LocalSystem" account (unless you change it afterwards).
On the other hand, when you start the Apache process via the command-line, it starts under the same account you are running the command-line (cmd.exe) with.
My guess is that either LocalSystem has no access to the Desktop which this app might require, or it can't execute the exe... Check Apache's and PHP's error logs. Also check Windows Event Logs.
The installer needs admin rights in order to make modifications to the system (e.g. write to the HKLM registry keys shared by all users).
It does not automatically imply that the installer configures the services being installed to run under an account with admin rights.
There is one big difference between services and "normal" applications started from the command line and it is that services don't have access to a "screen" where they might show some messages. And services don't have access to some usual places, like user's storage for temporary files etc. as they run in an environment with sort-of "no user logged in".
What exactly is the problem can not be guessed without knowing more precisely what is the "wrong result" that you receive.
This Starting a Windows service in an interactive session answer may provide some additional hints.
I'd first check phpinfo() and the environment variables and then check the requirements of CutyCapt.exe, e.g. the fact that the user's temporary file storage is not accessible by default and registry values cannot be read freely was a problem I've already seen.
For a Windows+Apache+MySQL+PHP installer with 0 problems I'd recommend Bitnami's WAMP stack https://bitnami.com/stack/wamp, self-contained, portable style.
I upvoted rightstuff's answer. One additional thing to try. Go to Control Panel => Administrative Tools => Services. (Or just type "services.msc" after pressing WIN+R to bring up the Run dialog.)
From the Services management screen, right click on the Apache service. Then go to the LogOn tab. Specify the account and password you want the service to run under.

LAMP Web Server: Executing Application on Server Side can't detect USB device

I have set up a LAMP Web Server and I am looking to run an application on the server side when the client clicks a button on the servers web interface. This application will look for a certain USB Device, by Serial Number, open it up and send a packet of bytes to the device.
I have an index.html, which only has a button with an action to call my test.php file which uses shell_exec() to call my application.
When the application is invoked through the web interface, the application writes out an error indicating that it couldn't open the USB device (this is a built-in error for this application, so the application works, it just cannot locate the USB device).
But when I invoke the application via the Terminal, the application finds the usb device and writes to it no problem.
I am looking for some advice! Simply, is what I'm doing feasible? If so, how can I get the application to find the USB device when invoked via the web interface? I have a feeling it has something to do with permissions, you never know.
test.php:
<?php
echo shell_exec("/home/pi/FDTI_test/FDTI_test_application");
?>
NOTE:
The usb device is connected, works great with its driver, and is connected to the server via usb.
The application works when invoked via the terminal on server side, but not when invoked via web interface.
I think you're on the right track with this being a permissions issue.
In a typical LAMP stack, the php process runs as a module in the apache process, unless you've configured it differently. In my server OS of choice, the php process runs as the user 'www-data' by default.
Probably the easiest solution would be to give sudo permission to your web user account, and set the sudoers file to NOPASSWD. This is very insecure, so only do this in rare cases.
<?php echo shell_exec("sudo /home/pi/FDTI_test/FDTI_test_application"); ?>
The next easiest option is to give the web user account permission to write to the USB device directly. Depending on your distribution, you may only need to add the user to the 'adm' group.
sudo usermod -a -G adm www-data
Again, this may not be the most secure method, but more secure than the first option.
Lastly, you could look into the hardest solution, which would be to install a patched version of Apache which allows suexec. This is about as insecure as the second option, but much more difficult to implement. (I would have included a link to a tutorial, but I'm limited to 2 links as this is my first answer.)
Hope This Helps!

PHP - exec,shell_exec,system not working

I read so many similar questions but nothing works for me.
I'm using WAMP 2.2, Apache 2.0, PHP 5.3.8.
safe_mode=off, and disabled_functions is deleted from php.ini. I'm trying to exec:
exec("chrome.exe google.com");
Nothing happens, and when I try
exec("calc");
Windows shows a weird message about executing calc as a different user, although I changed the user for the Apache service to Administrator and I verified the user using
exec("whoami");
Where is the problem?
Environment path for CMD and php shell might not be the same.
You either have to give entire path of the file, or export the path of chrome.exe in php first
Also, I believe that chrome.exe opening a page requires XServer, php can't open graphical interfaces in shell. These commands are not passed to actual shell as a parent, so php file can't "launch" applications for you.
Please read specifics of the exec function:
PHP exec Reference
Also try adding 2> errors.txt to see what are the errors if any in the execution of the programme.
--
The program needs to know what X server to connect to, and it needs to have permissions to connect to that server. You specify the X server with the DISPLAY environment variable; this will usually be set automatically if you are running the PHP program from a terminal in X, or from a GNOME panel or something similar; however, if you are running the PHP script in some other manner, it likely won't know what X server to connect to.
X has various ways of specifying permission to connect to a server, but the most common one is using a file called ".Xauthority" in the users home directory. Because only the user who is logged in at the X server can read this file, they are the only user who can run GUI programs. So, if you start the PHP user as the same user who is logged in at the X server, you shouldn't have any problem with permissions. However, if the PHP program is running as a different user, you will have to give that user permission to access the X server.
Reference: http://bytes.com/topic/php/answers/838364-cant-launch-graphical-apps-php-exec-ubuntu-8-04-system
(I know that link is for linux and won't have exact same solution for Windows, but exec() still needs to know which X interface to refer to)
Stop Apache running as a service.
When Windows runs a service, it is not running directly as the user that started the server or manages it. Due to this, it could well be starting Chrome in a service environment, so you won't see it load on your desktop. There are 2 ways to get around this:
Stop the Apache service, browse to your Apache directory and run httpd.exe manually, then try your script; it should work. Or, if it is not required to be running through a web request (so it is not using anything from the browser), you can run it with c:\wamp\php\php.exe yourfile.php (your PHP path should be substituted for c:\wamp\php).
Try PHP script?
<?php shell_exec('notepad.exe');?>
It's working.
