I have next result of command sudo -u www-data echo $PATH in terminal:
/home/denis/node-v0.12.0/bin:/home/denis/node-v0.12.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
I have next result in PHP if I run command echo `echo \$PATH`:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PATH in terminal and in PHP is different. I don't understand why.
Running the command literally as given
sudo -u www-data echo $PATH
the $PATH is expanded by your shell before doing a sudo (and show your $PATH). However, if you quoted this properly, it could be deferred into the sudo'd user, and expose a different problem.
Unless you make special provision for this (an option to sudo, which may/may not work), environment variables such as PATH are reset to system defaults when using sudo. For further discussion see
How to keep Environment Variables when Using SUDO
How do I make sudo preserve my environment variables?
Related
I have a php script running in a cronjob on the server.
However, I am unexpectedly getting different $PATH from the same user, depending on how I execute the command.
I log in as user ubuntu:
ubuntu#:$ echo $PATH
/home/ubuntu/bin:/home/ubuntu/.local/bin:/home/ubuntu/.nvm/versions/node/v12.3.1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
I then sudo su bitbucket:
bitbucket#:$ echo $PATH
/home/bitbucket/.nvm/versions/node/v12.3.1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
I execute a script from a cronjob running as bitbucket and output the following debug to a log file:
$ whoami
bitbucket
The above proves the user is bitbucket, then:
$ echo $PATH
/usr/bin:/bin
Please note I am not running as sudo. I am utilising sudo to switch user, but not using sudo to echo $PATH.
How is it that the same user has 2 different $PATH variables?
You didn't say which shell you're using so I'm going to assume it's bash. The first, and perhaps most important, thing to note is that when you run sudo su bitbucket you're getting an interactive shell. Which means that ~/.bashrc will be sourced. Lots of people modify PATH in that script. Something that tends to cause problems. Why? Because non-interactive shells, such as the one launched by cron to run your command, won't read ~/.bashrc.
Your cron job gets a PATH equivalent to running this command: sudo su bitbucket -c 'echo $PATH'. Play around with that to get a better understanding of how this works. For example, instead of echo $PATH try env.
I am trying to build PHP wrapper for PowerBI. I installed PowerBI Cli (https://github.com/Microsoft/PowerBI-Cli) on my local and when I run any PowerBI Cli command on my terminal, it is working well. It is working well even when I run the commands using the _www user (sudo -u _www powerbi config)
However, when I run them through PHP using either shell_exec or Symphony's Process Component (https://symfony.com/doc/current/components/process.html), I am getting the following exception:
env: node: No such file or directory.
I am facing this issue on Mac Sierra. The commands are working well on Linux using the PHP exec()
Try linking,
"ln -s /path/where/command/is stored/ /to/path/where u want to exec/"
Sometimes the program are stored in usr/local/bin/program meanwhile as per default you are executing in usr/bin/program
And then in shell use the new path you have set.
Example for linking suppose if you have path for command,
/usr/bin/powerbi then with above command you can link new path usr/powerbi after that you can use new path in exec or shell command.
Try using the full path rather than the command. Without knowing your exact path I can't tell you exactly what to do but it would be something like this:
$output = shell_exec("sudo -u _www /path/path/powerbi config");
var_dump($output);
Edit:
Or, change directories first. So using my example above, it would be:
$output = shell_exec("cd /path/path/powerbi; sudo -u _www powerbi config");
I've been at this for two days now and haven't been able to find any way (good or bad) of doing that to work.
I have to be able of dynamically mounting drives over network from my website's pages (that part is inevitable).
I have no problems doing it directly on the console with the following command
mount -t cifs //IP-REMOTE-MACHINE/Folder -o username=username,password=password /mnt/share
Obviously trying to just do a shell_exec() of this command wouldn't work with no root rights.
I tried to shell_exec() a script in which I would switch to root user (via su or sudo mycommand) but both of them wouldn't work (never been able to succeed in doing a script who would automatically switch my user to root even with the root pwd hard coded (even if that feels an extremely bad idea I could have accepted that atm).
After that I tried to use pmountbut never found a way to access to a remote shared file (don't think it's even possible but I may have missed something here?)
All that is running on a Debian machine with apache2.
I have a wild idea...
You could set a cron to run as root that checks for mount commands from your script. The script would simply set a mount command to be processed, and when the cron gets to it, runs the mount, marks the command as processed, and writes to a log file which you could then display.
It's not safe to run sudo commands with www-data (the user for web servers in Debian).
But if you want to run sudo [command] in a php script, you must add the user www-data in sudoers: http://www.pendrivelinux.com/how-to-add-a-user-to-the-sudoers-list/
And then you can exec: sudo mount ...
EDIT: It's safer to add in visudo:
www-data ALL= NOPASSWD: /bin/mount
To allow www-data to use only sudo /bin/mount
So I want to execute the following command in my php script:
exec("/path/to/command");
Because it is the www-data user who runs php scripts, i currently can not run this command.
I have read something about suexec being able to run a command as if it was a different user. I find it rather difficult to understand how this works.
I have already installed suexec and edited the /etc/apache2/suexec/www-data file and added:
/home/user_to_run_command/script.php
I have also edited /etc/apache2/sites-enabled/000-default and added:
SuexecUserGroup user_to_run_command user_to_run_command
Am I missing anything?
suEXEC will work only when PHP is executed in CGI mode but not if PHP is running as an apache2
module. I guess you are running it as a module.
An alternative might be to transfer the ownership to the desired user and then set the suid bit:
chown desired_user your.program
chmod u+s your.program
Now when executing your.program it has permissions as if it where executed by it's owner. Follow the wiki article that I've linked for more information.
Side note: This will work with binaries only (not with shell scripts as they where executed by the shell binary which has no suid bit set)
I had the same problem and finally found a solution which as far a I can see is both safe and simple. A disadvantage of this method is that you have to take care of security updates when they are published.
What we are gonna do is make our own special shell which we chown and SUID to the user which we want the task to perform. To remain safe this user should be just an ordinary user without extensive system rights and place the script somewhere others are not allowed. Now we let php execute a script which uses this special shell and all command within this script will be executed as the chosen user.
In practice:
sudo mkdir /usr/lib/specialshell
sudo chown user_who_may_run_command:root /usr/lib/specialshell
sudo chmod 700 /usr/lib/specialshell
sudo cp /bin/perl specialperl
sudo chown user_to_run_command:usergroup_to_run_command specialperl
sudo u+s specialperl
sudo mv specialperl /usr/lib/specialshell
Now we make a script named command.script containing:
#!/usr/lib/specialshell/specialperl
$ENV{"PATH"} = "/usr/bin";
system("/path/to/command");
and from php code we use:
exec("/path/to/command.script");
et voila, no code change, just the name of command in php.
edit: works only with perl as shell, so changed bash to perl and put the shell somewhere safe
Well, i have this program i need to run via either functions however it is located on my dekstop (this ubuntu 11.04).
I moved it to /home/Username, but no dice.
I run
$blah = exec('sudo | echo mypassword | /home/server1/program commandhere', $test);
var_dump($test);
var_dump($blah); ?>
The output is nothing.
I was told if i wanted to run it via sudo i needed to add the Apache user which is www-data to the sudoers list, i added it, but no luck again.
Basically, i've tried A LOT of things, it just wont run. Why?
EDIT:
If i paste that into the terminal it works great, just not with exec,system nor passtrhu.
Use echo mypassword | sudo -S instead.
It also depends on which user has sudo privileges. If you want to run this from the apache process, you need to give the apache user sudo privileges as well.
Also, just to clarify, the command should be:
echo mypassword | sudo -S /home/server1/program commandhere
Look into your security log. Not sure where this is on Ubuntu, possibly /var/log/secure or /var/log/messages. I'm betting that you find a message there similar to sudo requires a TTY, or sorry, you must have a TTY to run sudo indicating that sudo is configured not to work without a real interactive shell. That is, sudo won't permit you to use it in a script or to be called by an external program.
I recently dealt with this issue myself while trying to bind a Gnome keyboard shortcut to a sudo command.
If this is the case, you'll need to comment out the following line in /etc/sudoers
#Defaults requiretty