I think that it's a permissions problem, because in my script
there are some commands that need root privileges to execute.
I added www-data to sudoers hoping it would solve the problem
and did
exec("echo \"passwd\" | sudo -S ./myscript");
in my php but it didn't work.
Thanks
You could use shell_exec().
shell_exec("echo \"passwd\" | sudo -S ./myscript");
But I'm not sure if it'll work with sudo.
Also I would like to say that adding www-data to sudoers is very dangerous.
I am using Ubuntu Server 20.04 LTS, where I have multiple shell files. Using PHP from Apache, I need to run these shell files from a browser, but they need to run as root.
I have tried shell_exec and added www-data to sudoers, and neither works. What can I put in the code to run as root and be able to execute the shell script?
<?php
$code = shell_exec('echo "passwd" | sudo -u root -S sh /home/user/name.sh');
echo "<pre>$code</pre>";
?>
Because you are executing this script as www-data and www-data doesn't have the required privilege to execute any sudo commands.
You can try the following steps.
Modify www-data in /etc/sudoers to be able to execute a script as the superuser. This is a sensitive file and you have to use visudo as the editor to make the changes.
$ sudo visudo -f /etc/sudoers
www-data ALL=(ALL) NOPASSWD: /home/user/name.sh
This will allow www-data to execute the script as the superuser without a password.
In your PHP code change the command in your shell_exec() as follows:
$code = shell_exec('sudo sh /home/user/name.sh');
Make sure your name.sh is set up with proper file modes to protect yourself.
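One way to check the "proper file modes" the answer above asks for, as an added example that is not part of the original answer. The function name check_sudo_target and its optional second argument (the expected owner uid, present only so the check can be exercised without root) are assumptions, and it relies on GNU stat as shipped on Ubuntu:

```shell
#!/bin/sh
# Added example: verify that a script named in a NOPASSWD sudoers rule can only
# be changed by root. If www-data (or any other non-root account) can edit or
# replace the script, the sudoers rule hands that account a root shell.

# check_sudo_target PATH [EXPECTED_UID]
# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
check_sudo_target() {
    target=$1
    want_uid=${2:-0}    # assumption: overridable only for unprivileged testing
    rc=0
    if [ ! -f "$target" ] || [ -L "$target" ]; then
        echo "not a regular file: $target"
        return 1
    fi
    # A writable parent directory lets its owner rename the script away and
    # drop a new one in its place, so the directory is checked as well.
    for path in "$target" "$(dirname "$target")"; do
        uid=$(stat -c %u "$path")     # numeric owner
        mode=$(stat -c %a "$path")    # octal permission bits, e.g. 755
        if [ "$uid" != "$want_uid" ]; then
            echo "owned by uid $uid, expected $want_uid: $path"
            rc=1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $path"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_target.sh /home/user/name.sh
if [ $# -gt 0 ]; then
    check_sudo_target "$@"
fi
```

Run against /home/user/name.sh this will typically report the parent directory, because a home directory is owned by its user; a root-owned location such as /usr/local/bin avoids that finding.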
I'm making a PHP page with the purpose of creating and activating Apache VirtualHost files.
The page generates the files and places them in /etc/apache2/sites-available/. After that a shell script is called with:
shell_exec("/bin/sh /usr/local/bin/myscript.sh");
myscript.sh:
#!/bin/sh
file=$(ls -1t /etc/apache2/sites-available/ | head -1)
a2ensite "$file" 2>&1 >/dev/null
service apache2 reload 2>&1 >/dev/null
sleep 5
The script seems to be executed (the sleep time corresponds to the amount of time it takes to run and if I don't use 2>&1 >/dev/null I get the output from a2ensite).
But the site is never enabled.
It works fine if I run the script from terminal, so I'm guessing it's some sort of permission issue. I've been playing around with sudoers and file permissions for two days now, but always with the same results.
Been adding stuff like
www-data ALL=NOPASSWD: /usr/local/bin/myscript.sh
and chmod 777 for testing purposes, but nothing.
Is there any definite way to do this?
I'm running Ubuntu 16.04 and PHP7.
I think it's because www-data doesn't have the right to execute the service and a2ensite commands.
Try this :
#!/bin/sh
file=$(ls -1t /etc/apache2/sites-available/ | head -1)
sudo a2ensite "$file" 2>&1 >/dev/null
sudo service apache2 reload 2>&1 >/dev/null
sleep 5
And then, edit the sudo file with sudo visudo and add
www-data ALL=NOPASSWD : /usr/sbin/service, /usr/sbin/a2ensite
I think you need a dot in between:
shell_exec('/bin/sh ' . '/usr/local/bin/myscript.sh');
Also, I am using single quotes... as above.
or you can try:
shell_exec('/usr/local/bin/myscript.sh');
This is solved. The problem was not sudoers or file permissions. The commands were not executed correctly because Apache module mpm-itk was activated. Worked perfectly after I deactivated it.
I didn't need mpm-itk, but if anyone with similar problems needs it activated you could try this:
https://askubuntu.com/questions/491624/setresuid-operation-not-permitted-when-calling-via-php
(Thanks Myran)
I want to execute a command in PHP using exec() in my script like so but it is not working:
exec('/bin:/usr/bin/php -f /home/myname/public_html/sample_script.php | at now');
I have error reporting on and nothing reports an error. I am allowed to use the exec() function.
I ran the following command in SSH as root and it worked fine:
php -f /home/myname/public_html/sample_script.php | at now
I am on a VPS hosting plan.
My script is owned by myname and not root. Could that be why the exec() line is not working in the script?
If you need any more information, please ask.
To use the 'at' command I added www-data ALL=(ALL:ALL) NOPASSWD: ALL to the sudoers file. I also changed the exec call to exec('echo /usr/bin/php -f /home/myname/public_html/sample_script.php | sudo /usr/bin/at now').
Well, I have this program I need to run via either function; however, it is located on my desktop (this is Ubuntu 11.04).
I moved it to /home/Username, but no dice.
I run
$blah = exec('sudo | echo mypassword | /home/server1/program commandhere', $test);
var_dump($test);
var_dump($blah); ?>
The output is nothing.
I was told that if I wanted to run it via sudo I needed to add the Apache user, which is www-data, to the sudoers list. I added it, but no luck again.
Basically, I've tried A LOT of things, it just won't run. Why?
EDIT:
If I paste that into the terminal it works great, just not with exec, system nor passthru.
Use echo mypassword | sudo -S instead.
It also depends on which user has sudo privileges. If you want to run this from the apache process, you need to give the apache user sudo privileges as well.
Also, just to clarify, the command should be:
echo mypassword | sudo -S /home/server1/program commandhere
Look into your security log. Not sure where this is on Ubuntu, possibly /var/log/secure or /var/log/messages. I'm betting that you find a message there similar to sudo requires a TTY, or sorry, you must have a TTY to run sudo indicating that sudo is configured not to work without a real interactive shell. That is, sudo won't permit you to use it in a script or to be called by an external program.
I recently dealt with this issue myself while trying to bind a Gnome keyboard shortcut to a sudo command.
If this is the case, you'll need to comment out the following line in /etc/sudoers
#Defaults requiretty
My command is
echo root_password | sudo -u root -S executable_full_path arguments
The error message I get in the browser is
[sudo] password for www-data: Sorry,
try again.
From phpinfo(), safe mode is off and there are no disabled functions. Why isn't this working? The same command runs fine in the shell (bash). Escapeshellarg and escapeshellcmd don't make a difference.
EDIT: Simply being able to execute the command is not enough. The program that gets executed creates a socket in /tmp, and needs to assign it permissions. So I think I really need to be root for this, is that possible?
As Álvaro suggested, I'm putting my comment as answer. Matt, this would make it possible to run that command as root.
#Matt, don't do that in /etc/sudoers (btw, you edit this file with the visudo command, never directly). That way you make it possible for any sudo command run by your web application to be run as root, which opens up a lot of fun for an attacker if he finds a vulnerability in your application.
If you would like to run just ONE command as root without need for passwords, put this in /etc/sudoers (remember visudo command):
www-data ALL=(ALL) NOPASSWD: executable_full_path
Then you are only allowing to execute just this command as root. Now you should be able to do
sudo -u root executable_full_path arguments
without need to type in a password (and it will run as root). Also, this is the only command the user www-data may execute as root using sudo, so it should not be dangerous.
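The difference between a single-command rule like the one above and a blanket grant can be checked mechanically. The following is an added example, not part of the original answer: the function names are hypothetical, the parser is deliberately simplified (one rule per line, no aliases or line continuations), and the sample input is built from rules quoted on this page.

```shell
#!/bin/sh
# Added example: classify sudoers rules for www-data as "scoped" or "broad".
# Simplified parser (assumption): one rule per line, no aliases, no continuations.

# classify_rule LINE -> prints skip | scoped | broad
classify_rule() {
    line=$1
    case $line in
        www-data[[:space:]]*) ;;
        *) echo skip; return 0 ;;
    esac
    # Drop "user host=", an optional (runas) spec and tags such as "NOPASSWD:",
    # then remove the blanks around the commas that separate commands.
    cmds=$(printf '%s\n' "$line" | sed -E \
        -e 's/^[^=]*=[[:space:]]*(\([^)]*\))?[[:space:]]*([A-Z_]+[[:space:]]*:[[:space:]]*)*//' \
        -e 's/[[:space:]]*,[[:space:]]*/,/g')
    verdict=scoped
    old_ifs=$IFS; IFS=,
    set -f                          # no globbing while splitting on commas
    for cmd in $cmds; do
        bin=${cmd%%[[:space:]]*}    # first word is the permitted binary
        case $bin in
            ALL) verdict=broad ;;                                    # any command
            */sudo|*/su|*/sh|*/bash|*/dash|*/env) verdict=broad ;;   # root shell
        esac
    done
    set +f; IFS=$old_ifs
    echo "$verdict"
}

# audit_rules: read sudoers lines on stdin, print "verdict<TAB>rule" per www-data rule.
audit_rules() {
    while IFS= read -r rule; do
        v=$(classify_rule "$rule")
        [ "$v" = skip ] || printf '%s\t%s\n' "$v" "$rule"
    done
}

# Constructed sample input, assembled from rules quoted on this page.
sample_rules() {
    cat <<'EOF'
www-data ALL=(ALL) NOPASSWD: /home/user/name.sh
www-data ALL=NOPASSWD : /usr/sbin/service, /usr/sbin/a2ensite
www-data ALL=(ALL:ALL) NOPASSWD: ALL
www-data ALL=NOPASSWD: /usr/bin/sudo
EOF
}

sample_rules | audit_rules
```

A rule reported as scoped still lets the caller pass any arguments unless the sudoers entry lists them, so a rule for /usr/sbin/service covers every service and action.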
You're echoing the root password when you should be echoing the password for www-data.
Use this in your /etc/sudoers
Example for run gconftool-2 :
www-data ALL=NOPASSWD: /usr/bin/gconftool-2
www-data ALL=NOPASSWD: /usr/bin/sudo
www-data ALL=NOPASSWD: ALL