Mounting a drive in debian from php code - php

I've been at this for two days now and haven't been able to find any way (good or bad) of getting this to work.
I have to be able to dynamically mount drives over the network from my website's pages (that part is inevitable).
I have no problems doing it directly on the console with the following command
mount -t cifs //IP-REMOTE-MACHINE/Folder -o username=username,password=password /mnt/share
Obviously trying to just do a shell_exec() of this command wouldn't work with no root rights.
I tried to shell_exec() a script in which I would switch to the root user (via su or sudo mycommand), but neither of them worked (I have never been able to write a script that would automatically switch my user to root, even with the root password hard-coded (even if that feels like an extremely bad idea, I could have accepted that atm)).
After that I tried to use pmount but never found a way to access a remote shared file (I don't think it's even possible, but I may have missed something here?)
All that is running on a Debian machine with apache2.

I have a wild idea...
You could set a cron to run as root that checks for mount commands from your script. The script would simply set a mount command to be processed, and when the cron gets to it, runs the mount, marks the command as processed, and writes to a log file which you could then display.

It's not safe to run sudo commands with www-data (the user for web servers in Debian).
But if you want to run sudo [command] in a php script, you must add the user www-data in sudoers: http://www.pendrivelinux.com/how-to-add-a-user-to-the-sudoers-list/
And then you can exec: sudo mount ...
EDIT: It's safer to add in visudo:
www-data ALL= NOPASSWD: /bin/mount
To allow www-data to use only sudo /bin/mount
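
An added example (not code from either answer above): instead of letting www-data run /bin/mount with arbitrary arguments, the sudoers rule or the root cron job can point at a small root-owned helper that accepts only an allowlisted share name. The helper path, share names, host and credentials-file location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: root-owned helper, e.g. /usr/local/sbin/mount-share (hypothetical path).
# sudoers would then allow only this helper instead of /bin/mount:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/mount-share
# Share names, hosts and paths below are constructed placeholders.
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH

# Map an allowlisted share name to "source mountpoint"; anything else is rejected.
lookup_share() {
    case "$1" in
        reports) echo "//fileserver.example/Reports /mnt/share/reports" ;;
        scans)   echo "//fileserver.example/Scans /mnt/share/scans" ;;
        *)       return 1 ;;
    esac
}

# Print the fixed mount command for a share name. The caller never supplies
# hosts, paths or options, so nothing from the web request reaches mount(8).
build_mount_cmd() {
    name=$1
    # Names are short lowercase tokens; reject everything else before the lookup.
    case "$name" in
        ''|*[!a-z0-9]*) return 2 ;;
    esac
    entry=$(lookup_share "$name") || return 1
    src=${entry% *}
    dst=${entry#* }
    # credentials= keeps the password out of the process list and the PHP source;
    # nosuid,nodev,noexec limit what a hostile share can do on this host.
    echo "mount -t cifs $src $dst -o credentials=/etc/cifs/$name.cred,nosuid,nodev,noexec"
}

# Act only when called with exactly one argument (as root, via sudo or cron).
if [ "$#" -eq 1 ]; then
    cmd=$(build_mount_cmd "$1") || { echo "rejected: $1" >&2; exit 1; }
    # Unquoted on purpose: cmd is built from fixed strings without spaces or globs.
    exec $cmd
fi
```

From PHP the call then carries only the share name, passed through escapeshellarg().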

Related

How to execute binary with sudo on Raspberry via PHP exec()?

I used this tutorial (sorry, it's German) to switch my 433MHz sockets:
https://tutorials-raspberrypi.de/raspberry-pi-funksteckdosen-433-mhz-steuern/
I compiled a file that switches the sockets on and off by RC code. If I run it directly on the Pi Shell it works fine:
sudo /var/www/html/bin/RPiControl -3313
but if I run it via exec() on my PHP script, it does not:
exec('sudo /var/www/html/bin/RPiControl -3313', $output, $return);
Here's what I tried so far:
There is no return/output value
I'm using lighttpd as webserver on Raspi 3 with default Raspian
The script is located at /var/www/html
The binary is located at /var/www/html/bin (also tried the home directory)
The webserver/php seems to run under the default user "pi" (I'm wondering, on my other linux machines it used to be www-data user)
I tried to give sudo permissions to the "pi" user (tried www-data as well)
I made the "Pi" User owner of the PHP script(s) and the binary
I chmodded the PHP scripts with 777
I already tried this: sudo in php exec()
I guess it's a permission issue to use "sudo" with PHP execute. If I try sudo la la it's not working as well.
How can I allow the binary to be executed without sudo, or allow PHP to use sudo?
Thanks in advance.
Is there a way to allow the binary to run without sudo?
I tried setting the SUID bit (chmod u+s) but it didn't work as well
If you set the SUID bit the executable runs with the same rights as the user that owns the executable.
So if the executable file is owned by user hello the executable will run with the access rights of the user hello and if the file is owned by the administrator (root) it runs with administrator rights.
Therefore you first have to change the owner of the executable file before you set the SUID bit (if the SUID bit is already set it will be removed and must be set again):
sudo chown root:root /some/file/name
sudo chmod u+s /some/file/name
If the executable calls another executable (it starts other executable files using exec) the other executable will by default not be executed with changed access rights.
For this reason you cannot use the SUID bit for shell scripts...
This behaviour can be changed using the following line of code in the source code of the file which has the SUID bit set (if the program is written in C or C++):
setreuid(geteuid(), geteuid());
(Which requires the following header #include line:)
#include <unistd.h>

PHP and shell, user access stuff

I want PHP to be able to create a folder in a folder where it does not have access. The created folder should in the end be owned by the user virtual and the group virtual.
I have tried adding the following to visudo.
virtual ALL=(ALL) NOPASSWD: /var/mail/virtual
_www ALL=(ALL) NOPASSWD: /var/mail/virtual
With that I try the following command from php with exec();
sudo -u virtual mkdir /var/mail/virtual/test.com
The command works when executed through a terminal, but not when called through php.
Anyone able to tell me where I went wrong?
The server is running Ubuntu 14.04 LTS
I made it work, somehow.
Changed the visudo to
www-data ALL=(ALL) NOPASSWD: /var/mail/virtual, /var/mail/virtual/dir.sh
Placed the script dir.sh in the folder and changed the command in the PHP part to
sudo /var/mail/virtual/dir.sh $dir
There are a number of things going wrong here.
Entries in /etc/sudoers specify commands that can be run, not directories that can be accessed.
There is generally no _www user on Ubuntu systems. That username is an artifact of Mac OS X.
The first user in the command line is the user that is being allowed to invoke sudo, not the user that they can run the command as.
A more appropriate solution here would be:
www-data ALL = (virtual) /bin/mkdir /var/mail/virtual/*
There are still some subtle vulnerabilities in this command specification (it's possible to escape /var/mail/virtual and create directories in other locations where virtual has permissions), but it's much more secure than what you've come up with.
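
An added example, not part of the thread: a hardened stand-in for dir.sh showing that a prefix pattern such as /var/mail/virtual/* is only a string match, next to a name check that keeps the new directory inside /var/mail/virtual. The function names and the accepted character set are assumptions.

```shell
#!/bin/sh
# Added example: hardened stand-in for the thread's dir.sh, meant to be the only
# command www-data may run as user "virtual" through sudo.
BASE=/var/mail/virtual

# What a prefix glob such as /var/mail/virtual/* accepts: a string match only,
# so a value containing ../ still passes even though it resolves elsewhere.
glob_accepts() {
    case "$1" in
        "$BASE"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Accept a single DNS-style name: lowercase letters, digits, dots, hyphens;
# no slash, no "..", no leading dot or hyphen, at most 253 characters.
valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    case "$1" in
        ''|.*|-*|*..*|*[!a-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Print the directory to create, or fail without printing anything.
maildir_for() {
    valid_domain "$1" || return 1
    echo "$BASE/$1"
}

# Act only when called with exactly one argument (the domain name from PHP).
if [ "$#" -eq 1 ]; then
    dir=$(maildir_for "$1") || { echo "rejected name" >&2; exit 1; }
    # mkdir without -p: never create missing parents outside BASE.
    exec mkdir -m 0750 -- "$dir"
fi
```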

PHP let www-data run a command as if it were a different user

So I want to execute the following command in my php script:
exec("/path/to/command");
Because it is the www-data user who runs php scripts, I currently cannot run this command.
I have read something about suexec being able to run a command as if it was a different user. I find it rather difficult to understand how this works.
I have already installed suexec and edited the /etc/apache2/suexec/www-data file and added:
/home/user_to_run_command/script.php
I have also edited /etc/apache2/sites-enabled/000-default and added:
SuexecUserGroup user_to_run_command user_to_run_command
Am I missing anything?
suEXEC will work only when PHP is executed in CGI mode but not if PHP is running as an apache2 module. I guess you are running it as a module.
An alternative might be to transfer the ownership to the desired user and then set the suid bit:
chown desired_user your.program
chmod u+s your.program
Now when executing your.program it has permissions as if it were executed by its owner. Follow the wiki article that I've linked for more information.
Side note: This will work with binaries only (not with shell scripts as they are executed by the shell binary which has no suid bit set)
I had the same problem and finally found a solution which as far as I can see is both safe and simple. A disadvantage of this method is that you have to take care of security updates when they are published.
What we are gonna do is make our own special shell which we chown and SUID to the user which we want the task to perform. To remain safe this user should be just an ordinary user without extensive system rights and place the script somewhere others are not allowed. Now we let php execute a script which uses this special shell and all commands within this script will be executed as the chosen user.
In practice:
sudo mkdir /usr/lib/specialshell
sudo chown user_who_may_run_command:root /usr/lib/specialshell
sudo chmod 700 /usr/lib/specialshell
sudo cp /bin/perl specialperl
sudo chown user_to_run_command:usergroup_to_run_command specialperl
sudo chmod u+s specialperl
sudo mv specialperl /usr/lib/specialshell
Now we make a script named command.script containing:
#!/usr/lib/specialshell/specialperl
$ENV{"PATH"} = "/usr/bin";
system("/path/to/command");
and from php code we use:
exec("/path/to/command.script");
et voila, no code change, just the name of command in php.
edit: works only with perl as shell, so changed bash to perl and put the shell somewhere safe

Executing a bash file from a php page with root-only commands (Ubuntu)

I need to execute a bash file from a php page, with exec() function. The problem is that in this bash file, there's the command "adduser" ... Which is a sudo command. I had the idea of modifying the sudoers so the user that runs the script would have access to it, but who is this user? I know apache2 is executed with www-data user...
Thanks!
You can find out which user PHP is running as by using system to run the command 'whoami' and display the output.
system('whoami');
That seems like a rather bad plan, giving the www-user sudo access. But yes, it's www-data (by default, depending on linux flavor) that apache runs under.

Run a shell command as another user or change Apache's user?

I've been trying to figure out how to do this the whole day.
The short version: I have to manage some virtual machines using php shell_exec function, so far I can't do this because apache is run by the user www-data and virtualbox by the user vboxuser
From what I've read so far, I've thought of 3 possible solutions:
1.- Create a script on my vboxuser that I can call from php to manage the Virtual Machines.
2.- Change the apache user from www-data to vboxuser so I can manage the Virtual Machines through php
3.- Reinstall VirtualBox, this time using www-data as my user.
I'm not sure if any of these will work and I'm not too sure of which would be the best solution. Any suggestions/ideas?
Thanks in advance.
Now the longer more detailed version:
I have a remote server running Ubuntu 10.04.2, in that server I have set up VirtualBox so I can run several instances of WinXP to perform different tasks.
Everything is setup and I can manage the virtual machines through SSH. If I want to run them as a different user than the one that created them (a user that so far only has been used to create the Virtual Machines) I have to do sudo -u vboxuser.
Now, I need to create a PHP script to manage these virtual machines (I know about phpVirtualBox, but it's not what I need). If I try to run the virtual machines using shell_exec() from php, I get no answer at all (And I have tested that shell_exec is working on my server).
you can configure sudo to allow www-data to execute commands as vboxuser
use sudo visudo to add a line to /etc/sudoers like
www-data ALL = (vboxuser) /usr/bin/vboxmanage
check man sudoers for more information
To change the apache user, you can edit:
/etc/apache2/envvars
And change APACHE_RUN_USER=root
Or you could execute it from root's cron
sudo crontab -e
HTH
