We Keep Coding

Running Shell commands and scripts from PHP - is there a correct and secure way?

I developed and operate a bespoke E-Commerce platform for a variety of customers. I want to automate some of the setup tasks, such as creating apache site config files, and installing SSL Certificates.
I have written some batch files which do both of those nicely, and I want to execute them as part of the PHP Site creation process.
I have been able to run one of these scripts using the shell_exec command in PHP, but I am confused about the permissions and concerned about security. This is all hosted on Centos Linux, and Apache web server by the way.
My batch script (create_site_config.sh) effectively generates an Apache config file for a given site and copies it to /etc/httpd/conf.d/ as 'domain.com.conf'.
The problem is, is that PHP generates this file under the ownership of apache:apache, whereas all the rest of the files in this folder are owned by root:root.
In my batch script if I use SUDO before my commands, nothing happens. Whereas if I omit SUDO, the scripts runs and creates the file for me, but under the wrong ownership. I am not able to change the ownership either.
So my PHP is something like this:
shell_exec('./create_site_config.sh);
And my batch file is something like this:
DOMAIN=$1
SYSNAME=$2
if [ -z "$1" ]
then
echo "You must pass a fully qualified domain as the first argument, ie. acme.dev.domain.com"
exit 1
fi
if [ -z "$2" ]
then
echo "You must pass a sysname as the second argument, ie acme"
exit 1
fi
#THESE COMMANDS CLEARLY RUN AS APACHE:APACHE. IF I PUT
#SUDO IN FRONT OF THEM, THEY DON't WORK AT ALL - WHAT GIVES?
rm -f ${DOMAIN}.conf
touch ${DOMAIN}.conf
chmod 777 ${DOMAIN}.conf
#START OF FILE CONTENT
cat >> ${DOMAIN}.conf <<EOL
<VirtualHost *:443>
DocumentRoot /var/www/html/siteroot
ServerName ${DOMAIN}
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
<Directory "/var/www/html/portals.dev">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
SSLCertificateFile /home/centos/.ssh/live_keys/${SYSNAME}_cert.pem
SSLCertificateKeyFile /home/centos/.ssh/live_keys/${SYSNAME}_key.pem
SSLCertificateChainFile /home/centos/.ssh/live_keys/${SYSNAME}_fullchain.pem
</VirtualHost>
<VirtualHost *:80>
ServerName ${DOMAIN}
Redirect 301 / https://${DOMAIN}
</VirtualHost>
EOL
#END OF FILE CONTENT
#CLEAN UP
cp ${DOMAIN}.conf /etc/httpd/conf.d/sites/${DOMAIN}.conf
#THIS COMMAND BELOW DOESN'T WORK...
sudo chmod 644 /etc/httpd/conf.d/sites/${DOMAIN}.conf
#NEITHER DOES THIS ONE...
chown root:root /etc/httpd/conf.d/sites/${DOMAIN}.conf
rm -f ${DOMAIN}.conf
sudo systemctl reload httpd.service
echo "success"
What is the correct way to do this in a away that will ensure that the files are created and that I can set the permissons of them.
Despite the above working I sense that it is not secure to do things this way. I don't understand why SUDO doesn't work in the batch script?
Clearly systems like Plesk and Cpanel are able to generate all kinds of system files and folders - what sort of techniques do they use?
I'd be grateful for any pointers.
Regards
James

Apache Server development environment

I´m trying to explain he problem I have.
I usually use XAMPP or MAMP for this but I want to use the Apache Server that comes with OS X High Sierra by default installed.
So, OS X has apache server and php installed for default and they work great without a problem, and the localhost works fine with many other projects I have like angular and php.
My issue is this...
I tried to install a dev environment on my computer for php-laravel projects so after I installed laravel with homebrew and do some changes in the files:
/private/etc/apache2/extra/httpd-vhosts.conf
/private/etc/apache2/httpd.conf
/etc/hosts
httpd-vhosts.conf
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot "~/Sites"
#VirtualDocumentRoot "~/Sites"
ServerName localhost
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "~/Sites/cms/public"
ServerName cms.test
ServerAlias *.test
</VirtualHosts>
httpd.conf
ServerRoot "/usr"
<IfDefine SERVER_APP_HAS_DEFAULT_PORTS>
Listen 8080
</IfDefine>
<IfDefine !SERVER_APP_HAS_DEFAULT_PORTS>
Listen 80
</IfDefine>
User myusername
ServerName localhost:80
DocumentRoot "/Users/myusername/Sites"
<Directory "/Users/myusername/Sites">
Options All
MultiviewsMatch Any
AllowOverride All
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
# Virtual hosts
Include /private/etc/apache2/extra/httpd-vhosts.conf
hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 cms.test
After this I restarted the server and when I tried to go to:
localhost
I just wrote on chrome browser localhost
If I tried localhost/info.php
localhost/info.php
As you can see inside the Sites folder there are an info.php file
folder Sites is where ServerDirectory is and as you can see there are an info.php file
when I tried localhost/cms/public/index.php
the result is the same
I execute $ whereis httpd and the result is /usr/sbin/httpd
then I executed $ /usr/sbin/httpd -V and the result is
Server version: Apache/2.4.28 (Unix)
Server built: Oct 9 2017 19:54:20
Server's Module Magic Number: 20120211:68
Server loaded: APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_FLOCK_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr"
-D SUEXEC_BIN="/usr/bin/suexec"
-D DEFAULT_PIDLOG="/private/var/run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/private/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"
I also executed the command apachectl -S
and the result is
VirtualHost configuration:
ServerRoot: "/usr/local/opt/httpd"
Main DocumentRoot: "/usr/local/var/www"
Main ErrorLog: "/usr/local/var/log/httpd/error_log"
Mutex rewrite-map: using_defaults
Mutex default: dir="/usr/local/var/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/usr/local/var/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70
Group: name="_www" id=70
I can see two different configurations and I do not know what I can do to fix this.
So that is why I am asking for help, I really don´t know what else I can do to fix this.

1) It looks like you have apache installed in multiple locations. Check to make sure. Do:
find /usr -name apachectl
If you get more than one result, then it is likely you have installed one version from Homebrew (which will install apachectl in /usr/local/bin, and set the PidFile directive for it's configuration file to /usr/local/var/run/httpd/httpd.pid) and, have another version that comes with Sierra, which will install in /usr/sbin, your system binary folder (and in my experience with this problem, set the PidFile to run in /etc/var/run/).
"Whereis" does not return the apachectl which has precedence (ie, which one you are calling when you execute the command). A better command is:
which apachectl
Which will reveal which apachectl you are currently using when you type in apachectl.
If it turns out you have multiple installations, you will need to set precedence for the version of apachectl you want in your ~/.bash_profile.
The reason why you are seeing two different configurations is because you are checking one's configuration with /usr/sbin/httpd - the apache that comes native with Sierra, and checking the other's configuration files with apachectl -S, which is likely calling the httpd installed by Homebrew.
2) Preventing access to a directory can be a problem that results from not having the correct permissions on the files themselves. Often you will need to
chown -R user:group dir_name
the the directory, where user and group are what the user is listed as in your configuration file. On my machine, this is _www for both in the configuration file.

Xubuntu Linux - Why doesn't my localhost direct me to my virtual host site?

I am setting up a virtual host on my linux machine, I followed all the steps and guides, but I do not go to my site for some reason. I have LAMP installed and apache, mysql, php is all working. I have a database setup on phpmyadmin and imported a database, but for some reason I cannot get my IP directed to my site! Its literally the last step I need so I can start working on my project.
127.0.0.1 localhost
127.0.0.1 cbirc.com
<VirtualHost *:80>
ServerAdmin admin#cbirc.com
ServerName cbirc.com
ServerAlias www.cbirc.com
DocumentRoot /var/www/cbirc
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
What am I missing here???

You have to check bunch of stuff:
Is apache running
sudo service apache2 status
Afterwards, test it with
netstat -na | grep 80
ping cbirc.com
Was website enabled by issuing following command?
sudo a2ensite cbirc
file /etc/apache2/sites-enabled/cbirc.conf (or some similar name it that folder)
Does www-data group and user (apache) has read-execute access on web content folder
ln -l /var/www/cbirc
If not, change it like this
sudo chown -R www-data:www-data /var/www/cbirc
sudo chmod -R ug+rx /var/www/cbirc
Before issuing request in browser (to eliminate browser cache or security issues), do it with curl or wget
wget http://cbirc.com/
curl -v http://cbirc.com/
And look for errors in logifile
tail -f /var/log/apache2/error.log
Please refer to my debian cheetsheat for further help

Firstly, run 'dig' or 'host' on cbirc.com
Although it is in your /etc/hosts , resolv.conf may prioritise nameservers above your hosts file.
If it is pointing to your localhost, then check the you have enabled the site - a2ensite [name of vhost conf file without the .conf extention] - check by looking in /etc/apache2/sites-enabled for a symbolic link to the sites-available directory.

how to create a virtual host in ubuntu 14.04

I'm using ubuntu 14.04 operating system and I want to create a virtual host before starting my php project. If any one can give me the terminal commands I would be grateful.
I have already installed necessary installations and I'm using Symfony php framework.

Open a terminal or a console and write the following commands
Go to your sites-available apache2 folder with:
cd /etc/apache2/sites-available/
Copy your 000-default.conf to another file (with the name of your site or vhost Preferably)
sudo cp 000-default.conf example.conf
Open that new file (example.conf) with your best text editor or use:
sudo nano example.conf
Change the example.conf's content with (Ignore the comments):
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerAdmin webmaster#mail.com
ServerName example.com
ServerAlias www.example.com
# example.com is the folder where you have to put your site's code.
# Obviously, its name can be whatever you want
DocumentRoot /var/www/html/example.com
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
# Include conf-available/serve-cgi-bin.conf
</VirtualHost>
Enable the site as follows:
sudo a2ensite example.com
Restart your apache2 web server
sudo /etc/init.d/apache2 restart
Edit your /etc/host file with:
sudo nano /etc/hosts
Add at the end of the file, the domain example.com and www.example.com. It must look like:
127.0.0.1 localhost
...
# you can replace with your IP
127.0.0.1 example.com
127.0.0.1 www.example.com
...
Open your best web browser and write in its address bar: www.example.com or example.com

Create virtual host
sudo nano /etc/hosts
Enter Password=>
create ip and domain Name=>
127.0.0.1 testsite.lk
create project folder=>
Go to that directory comand prompt=>
sudo chmod -R 777 testsite.lk
to asign project to group=>
:~/mayura$
> sudo chown -R www-data:www-data testsite.lk/
give permission=>
:~/mayura$
sudo chmod -R 777 testsite.lk/
give document root file for vertual host
:~/mayura$
cd /etc/apache2/sites-available/
sudo nano testsite.lk.conf
<VirtualHost *:80>
DocumentRoot /home/mayura/project/testsite/web
DirectoryIndex index.php
ServerName testsite
<Directory "/home/mayura/project/testsite/web">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
</VirtualHost>
Create New project on Netbeans in that folder=>
index.php
Enable the site=>
cd /etc/apache2/sites-available
sudo a2ensite testsite.lk.conf
Apache reload=>
sudo /etc/init.d/apache2 reload
Start Browser=>
Run=>
xdg-open http://testsite.lk

Xampp - Ubuntu - cant access my project in lampp/htdocs

I have installed xampp to Ubuntu 12.04. I have put my project in the folder /opt/lampp/htdocs/project_is_here
When I type in the browser localhost/soap/php (soap/php is in my htdocs folder) which is where index.php I get the following error:
Access forbidden!
You don't have permission to access the requested directory. There is either no index document or the directory is read-protected.
If you think this is a server error, please contact the webmaster.
Error 403
localhost
Apache/2.4.3 (Unix) OpenSSL/1.0.1c PHP/5.4.7
Any ideas how to fix this? I think this is the right location to put the project, because I tried other places and it said location didnt exist and this error goes away here and I get this.
Any ideas?

In the linux terminal navigate to your lampp directory.
cd /opt/lampp
In the command line type:
sudo chmod 777 -R htdocs
The problem should be solved.
What you just did was:
Navigate to the directory containing the protected directory. Your problem was that it was a folder that was access protected by your system. When you commanded chmod 777 -R htdocs, you set the permissions for every user on your computer to "read/write/execute - allowed".
Each number from 0-7 sets a permission level. Here's a link explaining that in more detail.
http://www.pageresource.com/cgirec/chmod.htm
The '-R' makes the command recursive and will affect htdocs as well as all subdirectories of htdocs and all subdirectories of those etc.

i've experinced the same problem and this is my solution :
1.in the terminal
cd /opt/lampp/etc/
if you have sublime text installed simply just type :
subl httpd.conf
3.when the configuration file opened in sublime you have to check if these three blocks are as follow :
<Directory />
AllowOverride All
Require all granted
</Directory>
================================
<Directory "/opt/lampp/htdocs">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Require all granted
</Directory>
================================
User your username
Group your group name
for example :
my username is mhmd also my group name is mhmd
User mhmd
Group mhmd
and i hope it will help you ..

One possible reason is that you are using Virtual host.
In that case, use this command in your terminal
sudo nano /opt/lampp/etc/extra/httpd-vhosts.conf
Then add this block of code at the end of the file
<VirtualHost *:80>
DocumentRoot "/opt/lampp/htdocs"
ServerName localhost
ServerAlias localhost
ErrorLog "logs/localhost-error_log"
CustomLog "logs/localhost-access_log" common
</VirtualHost>
Finally restart XAMPP
sudo /opt/lampp/lampp restart

I had given all the permission , still got the error message.
Go to -> /etc/apache2/sites-available/000-default.conf
set : DocumentRoot to /opt/lampp/htdocs
All solved for me.
Change the "DocumentRoot" to whichever folder your project is.

it'll useful,
0 -> No permission
1 -> Execute
2 -> Write
3 -> write and execute(2 +1)
4 -> Read
5 -> Read and execute
6 -> Read and write
7 -> read,write and execute
Then What about three decimal
1st-digit Owner
2nd- digit Group
3rd- digit Others
test#test:~$ sudo chown -R test:test /var/www/html/folder
test#test:~$ sudo chmod -R 666 /var/www/html/folder //-system user
test#test:~$ sudo chmod -R 777 /var/www/html/folder // -browser with full
What is this 777 ? --> 7: you, 7: us, 7: them.