I'm trying to set up my POST hook to automatically update the git repo on the server on each push. This works all fine and when I am user apache on the command line and execute the script, it works all fine - the permissions are set, the ssh keys work and it runs the pull.
But when I try and run the same script via the browser, I get a permission denied error - here the output from the php script in the browser:
$ echo $PWD
/var/www/vhosts/dev-build
$ whoami
apache
$ ssh -T git#bitbucket.org 2>&1
Permission denied (publickey).
I am the same user 'apache' as on the command line, and there it is all fine - what am I missing?
Obviously the moment you write it all down it becomes clear, but I'll answer here anyway, just in case someone has the same issue:
I did generate the ssh-keys with a passphrase and then stored this passphrase for the current ssh session. However when I logged out and then in again, I realised it asked me for the passphrase again - I though it would save it automatically when I enter it once.
So the php script run from the browser in it's own session, didn't have the passphrase and threw an error.
I regenerated the ssh-keys with an empty passphrase, and voila - all works as expected.
Related
Can't solve the problem.
Briefly: I need to execute command on remote server via ssh.
I have two PCs from where I do that job. Ubuntu server - no problem. But from FreeBSD - problem.
Target server is under Freebsd too.
Access is via ssh keys, user - root. In my client Freebsd I can do ssh root#x.x.x.x without any password, so we make conclusion that this part is ok. Next. I run php artisan tinker (for those who don't know what is this - this is terminal for executing php code). There I do:
exec("ssh root#x.x.x.x whoami");
And I get 'root'. Work is correct. But I do the same via
dd(exec("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -v root#x.x.x.x 2>&1"));
and I get:
"Permission denied (publickey,keyboard-interactive)."
For that command:
dd(exec("ssh -v root#91.222.216.24 whoami 2>&1"));
I get:
"Host key verification failed."
As I understand the only way is to use password, but why key auth fails?
How to fix that?
I've tried many options (read many articles on stackoverflow) and in some combination of code I've found that it looks like when command executed via exec another user (www) is used, not root. And I got errors like:
Could not create directory '/nonexistent/.ssh'.
As I understand the problem connected to user and its permissions. And it looks like there is no any user at all when sshing via exec.
Upd.
Right in terminal on client PC
php -r "echo(exec('whoami'));"
gives. 'root'.
But the same inside of controller in Laravel while using php exec
dd(exec('whoami'));
gives 'www'.
For some reasons in php (exec command) different user is used.
And yes, in Ubuntu, where I have no problems, I get the same user in both cases (I've checked just now), that's why everything is working there. So,.. the question is How to create ssh keys for another user, which is 'www' or should I change somehow user for php?
I am trying to rsync file from local to remote server.
When i do this on console it works:
rsync -avzhe ssh /var/www/folder1/file5
root#192.168.56.74:/var/www/folder2
but when i do this on my php and run the php script, it doesn't work:
$rysncCommand = "rsync -avzhe ssh /var/www/folder1/file5 root#192.168.56.74:/var/www/folder2";
shell_exec($rysncCommand);
There is no error shown, so i can't really tell what is the error. Is there something wrong with my php script?
First, you need to check if you need to be a root or (sudo user) for running rsync.
If yes then exec() command will only work if it is run by same user on php-cli (not on browser by Apache user). i.e. Which user you are loggined into shell for run rsync.
If it is root or any elavated permission user with sudo permission then, This rsync command may not be available to apache/www-data user which is working when php script run from browser.
So You try to make a normal user and login through it, Then try rsync if you are successful then it may be interesting to see what are other problems can be, But if you getting access/permission denied then obviously you can not run this script at-least on browser.
Besides this One more thing permission may not be directly related to rsync command itself but with folder /etc/test/ which is owned by root user in normal scenario.
For more details you can check this Stack Overflow Link .
I am trying to execute a shell command from php command line in following way
php -r '$test = exec("aws s3 cp s3://test/my-container/testing.txt /var/www/files-test"); echo $test;'
this works and as result files get downloaded from s3 to mentioned destination /var/www/files-test
But when I execute same command from web app it does not work. Code is
$test = exec("aws s3 cp s3://test/my-container/testing.txt /var/www/files-test");
print_r($test);
it does not work and as output I got
Completed 1 part(s) with ... file(s) remaining
I have ensured apache user has required privileges. What can be missing here?
I got this resolved, web-server I am using was nginix and web app some how was running on apache user, I gave permissions for nginix user but not for apache user!
so fix was to get back the app to run on nginix user.
I'm trying to make a hook on bitbucket, that executes a php file, and this file executes the pull command:
shell_exec('/usr/local/cpanel/3rdparty/bin/git pull');
The pull command works fine on the SSH console, but the PHP returns the error:
Permission denied (publickey). fatal: Could not read from remote
repository.
Please make sure you have the correct access rights and the repository
exists.
The command --version shows the path to git is right, whoiami returns the same user on both, so I don't know if it is a permission issue.
What can be going wrong?
Edit: An additional issue: the alias I added for git don't work on PHP, only the full path as above. Via terminal it works just fine. Maybe it's the same reason why the key don't work in php.
Edit 2: $PATH is different on both.
When you run this command within a PHP script you are not running the command as yourself:
shell_exec('/usr/local/cpanel/3rdparty/bin/git pull');
The reason it works from the terminal console is you run the command as yourself from the console. But on a web server, you are not the user running the command. Remember: When you run PHP on a web server, it is a an Apache module. Meaning the web server user—which could be www-data, root or even apache on some systems—is running the PHP script which then runs the shell_exec command.
So it would never work as you have it setup. Perhaps you can kludge something together that would allow a key-pair to be used by the web server for these purposes, but that seems like a security risk waiting to happen.
I want to do SVN update easier - with calling PHP script.
I created PHP script:
$cmd = "svn update https://___/svn/website /var/www/html/website/ 2>&1";
exec($cmd, $out);
As the user running the script is apache (not root), I get some permission errors.
If I change the owner of every directory to apache (or chrown everything to 777) I have another problem. Because I use https protocol user apache should permanently accept certificate of the svn server. I tried to do "su - apache" and accept certificate but OS says that "apache" is not valid user. I also dont know how could I accept certificate with exec() function.
Any idea? How can I make svn update-ing easier?
Is the error telling you that the user isn't a valid svn user? If apache is the user running httpd, you should be able to su to it. This is the script I use:
/usr/bin/svn --config-dir=/home/user/.subversion --username=svnuser --password=svnpass update
once the password is saved you can remove it from the command. Again, make sure the user/pass above is a valid SVN user.
Lately I've actually migrated to using Hudson for svn updates as you can schedule it as well as run manually and do a bunch of other tasks, plus you can view the svn logs for each commit as well as any console errors.
Why not use php svn functions instead of (insecure) exec?
http://www.php.net/manual/en/function.svn-auth-set-parameter.php has good examples for authentification options.
Use getent apache on the shell. This will return the shell of apache. Most likely, it is /bin/nologin or /bin/false. Change this to /bin/bash. You'll also need to specify the home directory and create it on the file system.
UPDATE: getent apache will actually return the entry in the /etc/passwd file for the apache user. The last token in this string is the shell.