Using PHP's copy() function, is it possible to perform the copy using alternate credentials (a different user account)?
Currently, Iām copying files from one Windows directory to another Windows Server and was wondering if I could do this using another account than I am currently using.
No, you cannot directly manipulate the user credentials like that. Instead you will have to spawn a new process to do the copying under a different user's login.
On Linux or Mac OS X you could arrange it with the sudo command, as long as you properly set up the sudoers file (using visudo).
On Windows you can use the runas command to execute a script as a different user.
runas is the only way that I know of. Run the command using exec() and use the Windows copy command:
exec("cmd /C echo password | runas /user:username copy \\path\\to\\file \\\\servername\\path\\");
There are other switches for runas. You might look at the /no profile and /netonly.
Related
i have an application called app.exe it's create a file called account.txt in the same folder c:\ , the problem is that when i run the program from php exec function or cmd the account.txt file is not creating
i think the problem is from the permissions.
Run From: What happened
Manualy Executed and created the file account.txt
PHP exec Executed but it did't create account.txt
CMD Executed but it did't create account.txt
for php i use:
exec("C:\\windows\\system32\\cmd.exe /c START c:\app.exe");
for cmd i use:
START C:\app.exe
A program that requires elevation should specify so in its manifest. This would not help with the PHP issue though, especially if this is a web server using PHP. It is not possible to elevate without showing the UAC UI.
I'm not aware of a simple way to request elevation when executing something in Cmd. You might just have to start Cmd elevated (Right-click and "Run as Administrator").
PHP might be running as a different user but you gave us zero information about your setup so I don't know.
Without knowing anything about app.exe nor your Windows version or general configuration it is hard to give specific advise.
If you want to confirm that it as a permissions problem you can try running Process Monitor so you can see why the file operation fails.
You should be able to use the runas command
runas /profile /user:*admin user here* ā*path to program here*ā
you will then be prompted for that users password and after that it should run as admin.
I'm using IIS 6.0 and PHP and I'm trying to write a php script that automates a process to 1) create an installer and 2) digitally sign the installer. I've created a batch file that does each individually. If I go to the server and manually run the batch files, both work perfectly. If I run them via PHP, only the installer is created but it is never digitally signed. I have confirmed that:
All files referenced in the batch files have full rights for the IUSR_[COMPUTER-NAME] user.
It is not an issue with the file not being fully created yet by the first batch file. I can put the already created Setup.exe file in the folder and run only the second batch file via PHP with the same results.
The batch file is actually getting run. I've put a MKDIR command in the same batch file after the digital signing command and the folder is created.
The code I use via PHP to run the batch files is:
system('cmd /c C:\\Inetpub\\createInstallers\\step1.bat');
The create installer batch file looks like this:
"C:\Program Files\Inno Setup 5\ISCC.exe" C:\Inetpub\createInstallers\createInstaller.iss
I'm using Inno Setup to do this found here: http://www.jrsoftware.org/isinfo.php
The digital signing batch file looks like this:
"C:\Inetpub\createInstallers\DigiCertUtil.exe" sign /noInput "C:\Inetpub\createInstallers\Setup.exe"
This is done with DigiCertUtil.exe's command line feature explained here:
https://www.digicert.com/util/utility-code-signing-command-line.htm
As far as I can tell, absolutely nothing happens. I don't believe there are any error messages (but I am a little fuzzy on how to check for them). NULL is returned if I run the digital sign command via shell_exec like this:
$result = shell_exec('"C:\\Inetpub\\createInstaller\\DigiCertUtil.exe" sign /noInput "C:\\Inetpub\\createInstaller\\Setup.exe"');
var_dump($result);
Does anyone have any idea why this might not be working? Could this be some permissions issue or security limitation?
I found the underlining problem and the answer. The problem was that the certificates are imported in the user's personal store on a per user basis, so when I tried to run the DigiCertUtil program via PHP, it could not find the certificates because the IUSR did not have a personal store with the certificate to use. IUSR is a temporary user and thus does not have a personal store. There might be a way to put the certificate into the machine's store, but I could not find it.
Instead, I used PSExec to run the program locally but with a different user than the IUSR account, like this:
shell_exec('C:\\Inetpub\\createInstallers\\psexec \\\\127.0.0.1 -accepteula -u myUser -p myPassword -i cmd.exe /c C:\\Inetpub\\createInstallers\\DigiCertUtil.exe sign /noInput C:\\Inetpub\\createInstallers\\Setup.exe');
No batch files required! It would be just as easy to run a batch file as a different user though with this same methodology.
I have a PHP file in which upon clicking the submit button, another PHP script is being executed. Within the second PHP script a shell script is being executed in which an SSH connection is being done to another server.
The issue I have is that the SSH connection to another server can only be done by a particular user. However the PHP script is being executed by www-data and for such reason I cannot change user, to the user that needs the ssh connection as it requires a password each time.
I also tried to execute the shell script from the first PHP file but still with no success.
My OS is UBUNTU.
Can this be done, and if yes, how can this be achieved?
Thanks
You can use sudo command. For passing password to it, there is a -S option
Do you have the option (access and rights etc.) of using private/public keys for SSH? If yes, then your second PHP script would contain something like
ssh -l <particular-username> <hostname> -i <private_key_file>
How are you logging in? SSH requires a username. Are you providing www-data as that username or the "particular name" as the username?
If you have or can install sshpass ( http://sourceforge.net/projects/sshpass/ ) you can give that a go, it allows username+password on the commandline, example here:
https://askubuntu.com/questions/282319/how-to-use-sshpass
i am using arch linux. i want to execute the php file which changes the ip of the system. i did
ifconfig eth0 192.168.163.137
in the terminal and it works fine. the same i tried doing with
shell_exec('ifconfig eth0 192.168.163.137');
in a php file and tried opening the page from a remotely located web browser from another pc connected via router. teh page displays nothing and the code also doesnt execute. i guess its the problem with the user executing it.apache is executing it. so i want it to be run by the root.can anyone please guide me to the execution of my code. i even installed sudo and just put
shell_exec('sudo ifconfig......');
it too doesnt execute...please help...thanku..:)
Sudo normally requires an interactive shell to enter your password. That's obviously not going to happen in a PHP script. If you're sure you know what you're doing and you've got your security issues covered, try allowing the Apache user to run sudo without a password, but only for certain commands.
For example, adding the following line in your sudoers file will allow Apache to run sudo without a password, only for the ifconfig command.
apache ALL=NOPASSWD: /sbin/ifconfig
Adjust the path and add any arguments to suit your needs.
Caution:
There might still be complications due to the way PHP calls shell commands.
Remember that it's very risky to allow the web server to run commands as root!
Probably a better alternative:
Write a shell script with the suid bit to make it run as root no matter who calls it.
shell_exec
This function is disabled when PHP is running in safe mode.
Documentation : http://php.net/manual/en/function.shell-exec.php
So, maybe try tweaking your php.ini file?
Write the commands to a queue and have cron pick them up, validate them (only allow known good requests), and run them, then mark that queue complete with the date and result.
Your end-user can then click/wait for update using ajax.
I work at a small computer shop, and we have to analyze windows minidumps all the time. My idea was to install the Windows Debugging Tools on a windows PC and use apache/PHP as an interface to it. That way I could just set up an HTML upload form that would accept the minidump file, run it through KD, then spit out the output.
It nearly works. I created a special user just for apache so I could assign it write privaleges to C:\symbols, and I use the following code:
<?php
$kdScript = "\"\\Program Files\\Debugging Tools for Windows (x86)\\kd.exe\" -c \"!analyze -v;Q\" -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -z ";
$kdScript .= $_FILES["myFile"]["tmp_name"];
$output = `$kdScript`;
print("<pre>$output</pre>");
?>
The problem I'm having is that the symbols are not downloaded as they should be. I've verified apache is running as the user I think it is by calling "whoami" from inside backticks. I've verified that I can run the windows version of wget from within backticks, so I have access to the network. I can file_put_contents() into a new file under C:\symbols, so I have file creation permissions.
Also, I tried having PHP simply output the command to the browser so I could copy and paste it into a terminal. I was able to run a command prompt as my apache user via "runas", paste the command from PHP's output into the prompt, and it worked as expected, downloading all the symbols it needed to C:\symbols. Of course, I had to point it to a dump file NOT in the PHP temp directory, but this shouldn't make a difference.
What could be the problem? Just as a side note, all of this is local on a trusted pc in a company that has a total of 3 employees/owners. Security for this project is irrelavent.
Not sure what your exact problem is, but the symbol server client code is finicky and not very debuggable, it took us lots of tinkering to implement our version of this. You can always direct folks there or use it yourself:
http://www.osronline.com/page.cfm?name=analyze
-scott