I have a working shell script using killall to kill all instances of a program like below:
killall abc
Now, I write a php webpage to execute this script using shell_exec function:
shell_exec('sh ./myscript.sh');
The problem is that my PHP code works correctly on the command line with "php myscript.php", but does not work in browsers! However, I know that the user on the command line is "root" and in PHP is "apache" (I get this with 'whoami').
The Linux distribution is CentOS 6, which uses SELinux. I changed the status of SELinux to permissive.
Things I've checked:
PHP safe_mode is off
shell_exec() is not present in disable_functions in php.ini
Is there a way to run scripts with kill command using php?
Thank you for your help.
You either have to run apache as root (insecure) or, which would be much safer, you have to run the commands you try to kill as 'apache', or you configure your sudoers file to grant apache rights to the killall command:
# vim /etc/sudoers
apache localhost=(ALL) NOPASSWD:/usr/bin/killall
and then change myscript.sh to do sudo killall abc
My php code runs a shell file, which opens a tmux session and runs a node.js bot. And when I write this code as php phpfile.php from the terminal, it works, but when I enter phpfile.php from the browser, it does not work. As far as I understand, the problem is with the permissions of the apache user, but it does not work even though I have given him all kinds of permissions. When I try the command sudo -u apache tmux new -s node I get the result [exited]
php code:
<?php shell_exec('bash ./tmux.sh'); ?>
shell code:
tmux new -s node
tmux send-keys -t node.0 "node ./js/bot.js" ENTER
Note: I added the apache user to visudo like apache ALL=(ALL:ALL) NOPASSWD: ALL
Note 2: I run this on an AWS EC2 server using AWS Linux
If you are using an operating system that uses the SELinux security layer, please try to turn it off or try writing a rule for it.
I always turn it off.
nano /etc/selinux/config
SELINUX=disabled
I am unable to run a bash script using sudo with the shell_exec() function in PHP. I get an error saying:
Sorry, user apache is not allowed to execute '/bin/bash /var/www/html/private/createFTP.sh' as root on test.server.com.
PHP:
shell_exec('sudo bash /var/www/html/private/createFTP.sh 2>&1');
Visudo:
apache ALL=NOPASSWD: /var/www/html/private/createFTP.sh
If your web server is in chroot jail then that will cause this type of error. If you are running a chrooted server, make sure you mirror across your /etc/sudoers file to the jail filesystem too and adjust for the chroot directory structure when setting up sudoers file as well as your script will have moved once you are in chroot. Also check you have the sudo libraries and executable in the jail filesystem as well.
I'm trying to get nightmarejs to work on my CentOS server and was able to do so by running xvfb-run; however, I need to call this command via a PHP exec() function.
When I do, I'm just getting an empty result, as though it doesn't work?
When I run it via command line (i.e. xvfb-run node my-script.js) everything works great. Any idea why it doesn't seem to work or be available to my php script?
Although Cono's answer does work, it is less secure as it gives YOUR_USER access to wheel, making YOUR_USER an administrator.
Instead, create a file in /etc/sudoers.d (RHEL/CentOS) with contents like: (presuming YOUR_USER is apache)
# Allow apache to run xvfb-run
Defaults:apache !requiretty
Defaults:apache visiblepw
apache ALL = NOPASSWD: /usr/bin/xvfb-run
This way, if the apache user is compromised they can only run the xvfb-run command.
(Answer thanks to ThirdNode)
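Added example (not from any of the posts on this page): a simplified shell model of how sudo matches the program it is asked to start against a sudoers rule, applied to the createFTP.sh error quoted earlier and to the xvfb-run rule in this answer. The function names are hypothetical, and the model ignores hosts, aliases, wildcards and secure_path.

```shell
#!/bin/sh
# Added example: simplified model of sudo's command matching (hypothetical helpers).
# Assumed rule form: user host = [(runas)] [NOPASSWD:] cmd [args][, cmd ...]

rule_commands() {                  # $1 = sudoers rule; prints one command per line
    spec=${1#*=}                   # drop "user host ="
    spec=${spec#*\)}               # drop "(runas)" when present
    spec=${spec#*NOPASSWD:}        # drop the tag when present
    printf '%s\n' "$spec" | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

invoked_program() {                # $1 = command line handed to shell_exec()/exec()
    set -f; set -- $1; set +f      # split into words without filename expansion
    case $1 in sudo|*/sudo) shift ;; esac
    while [ $# -gt 0 ]; do
        case $1 in
            -u|-g) shift 2 ;;      # options that take a value, e.g. -u aq
            -*)    shift ;;
            *)     break ;;
        esac
    done
    case $1 in
        */*) printf '%s\n' "$1" ;;
        *)   command -v "$1" || printf '%s\n' "$1" ;;  # bare names are looked up in PATH
    esac
}

sudo_verdict() {                   # $1 = sudoers rule, $2 = command line
    prog=$(invoked_program "$2")
    rule_commands "$1" | awk -v p="$prog" '
        $1 == "ALL"                    { v = "allowed: rule grants every command" }
        $1 == p && NF == 1 && v == ""  { v = "allowed: any arguments accepted" }
        $1 == p && NF > 1  && v == ""  { v = "allowed: only with the listed arguments" }
        END { print (v != "" ? v : "denied: sudo checks " p ", which the rule does not list") }'
}

# Constructed inputs, taken from the rules and calls quoted on this page.
ftp_rule='apache ALL=NOPASSWD: /var/www/html/private/createFTP.sh'
sudo_verdict "$ftp_rule" 'sudo bash /var/www/html/private/createFTP.sh 2>&1'
sudo_verdict "$ftp_rule" 'sudo /var/www/html/private/createFTP.sh 2>&1'
sudo_verdict 'apache ALL = NOPASSWD: /usr/bin/xvfb-run' 'sudo /usr/bin/xvfb-run node my-script.js'
sudo_verdict 'apache ALL=(ALL:ALL) NOPASSWD: ALL' 'sudo bash ./tmux.sh'
```

A rule entry with no argument list leaves the arguments to the caller, which for a launcher such as xvfb-run includes the command it goes on to run. On a real host, `sudo -l -U apache` (run as root) lists what the policy actually grants.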
OK, I figured it out. Basically, sudo access has to be granted for xvfb-run in order to call it via an executable script in PHP. To do so, log into a terminal and do the following:
# sudo visudo
Make sure the wheel group is uncommented
%wheel ALL=(ALL) ALL
This means that users added to the wheel group will have access to call sudo commands
At the bottom of the file, grant your user access to the script
YOUR_USER ALL = NOPASSWD: /usr/bin/xvfb-run
Save your file and add your user to the wheel group
usermod -aG wheel YOUR_USER
Finally, from your PHP script you can now call xvfb-run via sudo
<?php exec('sudo xvfb-run node my-script.js'); ?>
I am running CentOS 6, as httpd is executed as user 'apache'. For security reasons, I want to use sudo to be executed via exec as user 'aq':
<?php exec("/usr/bin/sudo -u aq somescript.sh",$output,$return_val);?>
With visudo I have added the following line:
apache ALL = (aq) NOPASSWD: ALL
Furthermore, I temporarily gave apache a login shell (/bin/bash), to be able to test
/usr/bin/sudo -u aq somescript.sh
directly which worked.
php exec fails as $return_val delivers a '1' if sudo is invoked.
Comment out this line from /etc/sudoers
Defaults requiretty
I've tested your case in a few ways and this one gives me success.
I need to execute a bash file from a PHP page with the exec() function. The problem is that in this bash file there's the command "adduser", which is a sudo command. I had the idea of modifying the sudoers so the user that runs the script would have access to it, but who is this user? I know apache2 is executed with the www-data user...
Thanks!
You can find out which user PHP is running as by using system to run the command 'whoami' and display the output.
system('whoami');
That seems like a rather bad plan, giving the www-user sudo access. But yes, it's www-data (by default, depending on Linux flavor) that apache runs under.