PHP execute shell command permission denied - php

I installed an application (bagit) via homebrew and am trying to execute a shell command from my local Apache server (installed on OSX).
My PHP looks like this:
$cmd = 'bag create '.$targetFolder.' '.$sourceFolder.' --baginfotxt '.$bagInfoFile ." 2>&1";
$output = shell_exec($cmd);
However, I am getting the following error message:
/bin/bash: /usr/local/bin/bag: Permission denied
How can I give Apache access to the bash command located in /usr/local/bin?

Your apache install will need to be running as the same user/group as the files it's trying to execute.
You can either change the file permissions of the application you are trying to execute to the same as apache/php current user/group (or 777 etc.)
or you can change apache/php to run as a more privileged user/group.
Alternatively, you could change the method of your application to SSH into your executable environment and execute the application over SSH.

When PHP tries to exec something, it will do so as the default web server user (apache, www-data or httpd). Make sure that the command to run has the right ownership / permissions. The easiest way to achieve this is to add your web server user to a new group, let's say test, and chgrp test /usr/local/bin/bag

Related

PHP executing bash script using sudo not working

I am unable to run a bash script using sudo with the shell_exec() function in PHP. I get an error saying:
Sorry, user apache is not allowed to execute '/bin/bash /var/www/html/private/createFTP.sh' as root on test.server.com.
PHP:
shell_exec('sudo bash /var/www/html/private/createFTP.sh 2>&1');
Visudo:
apache ALL=NOPASSWD: /var/www/html/private/createFTP.sh
If your web server is in chroot jail then that will cause this type of error. If you are running a chrooted server, make sure you mirror across your /etc/sudoers file to the jail filesystem too and adjust for the chroot directory structure when setting up sudoers file as well as your script will have moved once you are in chroot. Also check you have the sudo libraries and executable in the jail filesystem as well.

Github Pull Webhook with PHP - Apache permissions

I'm setting up my server to listen to a webhook which is currently
shell_exec('git pull 2>&1');
Receiving and executing is working fine, except that to get it to actually replace files I need to give www-data (apache debian) permission to write all the files/folders on my webserver, right?
Currently I'm getting this as a result (no write permissions)
Updating 115da6c..9e82ef0
error: unable to unlink old 'example-path/html.html' (Permission denied)
What are the security implications of giving www-data permission to write files, and is this the right choice or am I doing things all wrong?
Other ways to achieve what you want:
sudo. Configure sudo to run the command passwordless and run shell_exec('sudo git pull 2>&1');.
Create a setuid wrapper that runs git pull and run shell_exec('git_pull_suid_wrapper');.

Mounting a drive in debian from php code

I've been at this for two days now and haven't been able to find any way (good or bad) of getting that to work.
I have to be able to dynamically mount drives over the network from my website's pages (that part is inevitable).
I have no problems doing it directly on the console with the following command
mount -t cifs //IP-REMOTE-MACHINE/Folder -o username=username,password=password /mnt/share
Obviously trying to just do a shell_exec() of this command wouldn't work with no root rights.
I tried to shell_exec() a script in which I would switch to the root user (via su or sudo mycommand) but neither of them would work (I have never succeeded in writing a script that would automatically switch my user to root, even with the root pwd hard coded (even if that feels like an extremely bad idea, I could have accepted that atm)).
After that I tried to use pmount but never found a way to access a remote shared file (I don't think it's even possible, but I may have missed something here?)
All that is running on a Debian machine with apache2.
I have a wild idea...
You could set a cron to run as root that checks for mount commands from your script. The script would simply set a mount command to be processed, and when the cron gets to it, runs the mount, marks the command as processed, and writes to a log file which you could then display.
It's not safe to run sudo commands with www-data (the user for web servers in Debian).
But if you want to run sudo [command] in a php script, you must add the user www-data in sudoers: http://www.pendrivelinux.com/how-to-add-a-user-to-the-sudoers-list/
And then you can exec: sudo mount ...
EDIT: It's safer to add in visudo:
www-data ALL= NOPASSWD: /bin/mount
To allow www-data to use only sudo /bin/mount
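
One way to build the cron-queue idea from the answers above, as an added example that is not from any of the original posts: the web application submits only a share alias, and the root cron job maps it to a fixed mount command from a root-owned allowlist, so www-data never needs sudo rights on /bin/mount. The file paths, the .req naming and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers: root-side half of the queue.
# Assumed layout: the web app drops one *.req file per request into a spool
# directory, holding only a share alias. A root-owned allowlist has lines of
# "alias //server/share /mount/point" (no spaces inside a field).
LC_ALL=C; export LC_ALL
ALLOWLIST=${ALLOWLIST:-/etc/webmount/allowlist}          # assumed path
CREDENTIALS=${CREDENTIALS:-/etc/webmount/credentials}    # assumed, root-only

# mount_command_for ALIAS: print the fixed command for an allowlisted alias;
# return 1 for anything malformed or unknown.
mount_command_for() {
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;    # letters, digits, "_" and "-" only
    esac
    while read -r alias share point; do
        if [ "$alias" = "$1" ]; then
            echo "mount -t cifs $share $point -o credentials=$CREDENTIALS"
            return 0
        fi
    done < "$ALLOWLIST"
    return 1
}

# process_queue SPOOL_DIR: handle each request once. DRY_RUN defaults to 1,
# which only prints the command; set DRY_RUN=0 in the root cron job.
process_queue() {
    for request in "$1"/*.req; do
        [ -f "$request" ] || continue
        alias_name=$(head -n 1 "$request" | tr -d '\r\n')
        if cmd=$(mount_command_for "$alias_name"); then
            if [ "${DRY_RUN:-1}" = 1 ]; then echo "would run: $cmd"; else $cmd; fi
            mv "$request" "$request.done"
        else
            echo "rejected: $(basename "$request")"
            mv "$request" "$request.rejected"
        fi
    done
}

if [ $# -gt 0 ]; then
    process_queue "$1"
fi
```

The request file never carries a path, an option or a password, so nothing the web user writes reaches the mount command line.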

Permission denied executing shell_exec (PhantomJS)

I installed PhantomJS on my server and it's running great from the terminal. When I try to run it from PHP using SHELL_EXEC, I get the following error:
phantomjs: Permission denied
I set the executable to 777 and I just don't know what else to do. Any suggestions?
How did you install it, and where does it live? The user you're accessing phantomjs with may not have rights to something phantomjs needs.
You should make sure that your web user (I'm assuming it's apache) has +x permission on all the directories in the path for PhantomJS.
Assuming it's /path/to/phantomjs/phantomjs, apache (or its group) needs to have +x permission on all of /path, /path/to, /path/to/phantomjs.
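
To check the point made in the answers above (the /usr/local/bin/bag error in the first thread and the +x requirement on every directory in this one), the following added shell function, which is not part of any original answer, walks an absolute path and reports the first component whose mode lacks execute permission for "other" users. It assumes the web server user is neither the owner nor in the group of those components; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Reports the first component of an absolute path that a user who is neither
# owner nor group member cannot traverse (directory) or execute (final file).

# Print the ls-style mode string, e.g. "drwxr-x---". -L makes ls describe the
# file a symlink points to; directories leading to that target are not walked.
mode_string() {
    ls -ldL -- "$1" 2>/dev/null | cut -c1-10
}

# first_blocked ABSOLUTE_PATH
#   returns 0 and prints nothing when every component has the "other" x bit
#   returns 1 and prints "<mode> <component>" for the first one that lacks it
#   returns 2 and prints "missing <component>" when a component does not exist
first_blocked() {
    current=""
    set -f                          # no globbing while the path is split
    old_ifs=$IFS; IFS=/
    set -- $1                       # split on "/" into positional parameters
    IFS=$old_ifs
    set +f
    for part in "$@"; do
        [ -z "$part" ] && continue  # leading or doubled slash
        current="$current/$part"
        mode=$(mode_string "$current")
        if [ -z "$mode" ]; then
            echo "missing $current"
            return 2
        fi
        case $mode in
            ?????????[xt]) ;;       # x, or t = sticky bit plus x
            *) echo "$mode $current"; return 1 ;;
        esac
    done
    return 0
}

if [ $# -gt 0 ]; then
    first_blocked "$1"
fi
```

A clean result here with the error still present points at owner or group bits, ACLs, or a symlink target's parent directories, which this check does not cover.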

Executing a bash file from a php page with root-only commands (Ubuntu)

I need to execute a bash file from a php page, with the exec() function. The problem is that in this bash file, there's the command "adduser" ... which is a sudo command. I had the idea of modifying the sudoers so the user that runs the script would have access to it, but who is this user? I know apache2 is executed with the www-data user...
Thanks!
You can find out which user PHP is running as by using system to run the command 'whoami' and display the output.
system('whoami');
That seems like a rather bad plan, giving the www-user sudo access. But yes, it's www-data (by default, depending on Linux flavor) that apache runs under.
