I have 6 scripts that I execute with PHP, unfortunately, I have to execute it as my default user.
I tried to execute it with PHP only but it doesn't work.
Do you know how to do this without a big security breach ?
Thank you :)
You can use php as a command line utility by typing php /path/to/script.php
The PHP script will be excecuted by the user you are logged in to.
You can use sudo to run a program as a different user.
Here is an example. I am root from the beginning (which you can see since id tells it) and execute the program id as the user hashier.
$
$ id
uid=0(root)
$ sudo -u hashier id
uid=501(hashier)
$
Related
So, guys, I have the following code:
<?php
$url = "http://example.com/filetorun.php";
$time = date('g:i A d.m.Y', $res['sometime']);
echo `echo "wget --spider {$url}" | at -M {$time}`;
?>
The main idea is to wget some url at the specific time to perform some useful operations for me.
What happens in the terminal?
When I run this bash code. It works well giving me the output like this:
warning: commands will be executed using /bin/sh
job 59 at Mon Jan 13 17:12:00 2020
What happens in /var/log/apache2/error.log when I run my php script?
It gets this output.
What's about atq?
I can see the job there only when I create it via the Terminal. When I create It from the php-script, I can not do that.
What have I tried to do?
I added users to /etc/at.allow and deleted them from /etc/at.deny
Not a lot of detail to go on, but I direct your attention to this requirement of at:
The value of the SHELL environment variable at the time of at invocation will determine which shell is used to execute the at job commands. If SHELL is unset when at is invoked, the user's login shell will be used; otherwise, if SHELL is set when at is invoked, it must contain the path of a shell interpreter executable that will be used to run the commands at the specified time.
Does your web server user have a login shell defined? getent passwd or grep /etc/passwd to determine. Regardless, I suggest setting the shell to use in the command itself, to prevent issues where someone chnahes the default shell of the invoking user.
If this is not the issue, we probably need more detail.
I'm developing a code which uses ldap_search Shell Script Command for extracting user information from Active Directory using user id and by proper LDAP Server Authentication. I am getting accurate result from ldap_search script.
But, whenever I put the shell script inside exec or shell_exec PHP command, I'm not getting anything.
All the other shell scripts are working fine with the help of PHP exec command except ldap_search.
Is there some additional task left for me to do?
Is ldap_search and exec/shell_exec not compatible with each other?
You must use echo exec('your command or script');
Make sure to have permissions to run it. I mean, the web user must have permissions to execute that.
May seem obvious, but I think your failure is in something basic like this. You must put echo to show the result of the command.
EDIT After reading your new comments about it and using that new info... I saw you are trying to redirect the output to a file... but maybe you have 2 different problems.
Have the user which is executing php (usually www-data) permission to write on the folder where the php is?
Your code has quotes inside quotes that must be escaped using . Try this:
<?php exec("ldapsearch -x -v -h 'LDAP://server' -p '389' -D 'uid=\"domain_user_id\",ou=users,ou=internal,o=\"organization\"' -w 'domain_password' -b 'ou=users,ou=internal,o=organization' 'uid=person's_user_id' >> result.txt"); ?>
So you don't need echo if you want the output in a file. And the redirection >> can be inside the command executed, not in php.
Remember that > replaces de file and what you have >> add at the end of the file.
TL;DR:
I have a PHP page which executes a shell script containing impdp which imports dump to a new schema.
PHP file:
echo shell_exec("./DumpCreator.sh 22");
DumpCreator.sh
#!/bin/bash
echo $1
impdp U_$1/Pass DIRECTORY=dmpdir DUMPFILE=MYDMP.DMP remap_schema=PARENT:U_$1
It echos 22 but impdp doesn't execute although all permissions are given to a single user (admin).
Full
I have a PHP page which creates a shell script file and overwrites its contents as the following:
$shellFile = fopen("myfile.sh" , "w");
$field = "1";
$command = "#!/bin/bash\n"
."echo $field\n"
."sqlplus system/pass as sysdba << SQLEND\n"
."create user U_$field identified by newpass;\n"
."grant dba to U_$field;\n"
."exit;\n"
."SQLEND\n";
fwrite($shellFile, $command);
$output = shell_exec("bash myfile.sh");
echo $output;
fclose($shellFile);
contents of .sh file
#!/bin/bash
echo 1
sqlplus system/pass sysdba << SQLEND
create user U_1 identified by pass;
grant dba to U_1;
exit;
SQLEND
My problem is the part of sqlplus isn't executing.
so what is wrong with this, thanks in advance.
UPDATE
When I execute .sh file itself everything executes well (user is added and granted).
UPDATE 2
I tried doing mentioned above using php oci and it ran successfully.
Now the problem is with when user is granted permission I need to copy some dump to it using a script which I will be needing to execute using PHP.
My new .sh file
#!/bin/bash
echo $1
impdp U_$1/pass DIRECTORY=DATA_PUMP_DIR DUMPFILE=something.DMP remap_schema=something:U_$1
Even if I removed $1, it doesn't execute this part and I think it doesn't require sudo or to su to root, so what am I doing wrong ? also what permissions that could be missing in the process ?
Update 3
Executing the script directly from terminal using 'admin' account which is the one Oracle is installed on, also getting the current user in PHP shows that it's 'admin'.
So the problem is with How Can I execute any non-os related commands (anything but echo, ls .. etc) from my PHP page ?
So after searching about permissions, I found that it's possible to execute anything (root or non-root commands) by editing sudoers file which will allow any php to execute any command and that's as far as I can tell is a very poor solution.
Ref : How to call shell script from php that requires SUDO?
Make sure you have the required environment variables set.
In particular you'll probably have to set LD_LIBRARY_PATH to the location of the shared libraries that come with your Oracle installation.
The PHP code is probably hiding the error messages related with this.
Compare your environment where you normally run SQL*Plus or IMP before and after running oraenv, you will need to set at least a few of those (and probably most if not all).
I need your help here.
I wrote one PERL script for PHP application which needs to be run for every 5 mins.
This script will call PHP program, which will fetch data from MySQL DB and will generate a excel report and will mail those reports to specific users.
Every thing seems to be fine when I ran this script manually with the command (perl reports.pl).
But when I set this Perl in a cron tab, nothing works and reports are not getting generated.
Details: perl script path /opt/app/deweb/web/EDI/Microsoft/reports.pl
this script will call PHP program (/opt/app/deweb/web/EDI/Microsoft/reports.php)
content of script
#!/usr/local/bin/perl
use Net::FTP;
use File::Copy;
use POSIX;
#errorreport = `php /opt/app/deweb/web/EDI/Microsoft/reports.php`;
print "#errorreport\n";
exit;
It is working perfectly when running Manually using command - perl reports.pl
No results, when set in CRON:
*/5 7-19 * * * /usr/local/bin/perl /opt/app/deweb/web/EDI/Microsoft/reports.pl
Please note that this crontab is under super user account named webserv and my login is having access to edit under this super user account.
I'm editing this cron tab using command :: sudo -u webserv crontab -e
I would check the following:
Does it run using sudo -u webserv perl reports.pl? If not, fix the problem for the webserv user (permissions or whatever) and it should work via cron too.
Does which perl using your login give you /usr/local/bin/perl? If not, change the path to Perl in crontab to what you got in which perl to fix the problem.
I found myself to be in the same situtation. After trying to find out the reason, I am almost sure about the reason this happens. Crontab does not have the same environment variables as you when running the script. You must be sure about paths. Try for example run your script like /perl-path /path-to-perl-script/script.pl outside the parent directory of the script and I am almost sure that your programm will not find some files. And as you call one php script from the perl script, it's possible to have the same problem with paths to your php script too.
So the solution is to use absolute paths and no relative.
Also at your perl script don't use php but /full-path-to-php for example:
#errorreport = /usr/bin/php /opt/app/deweb/web/EDI/Microsoft/reports.php;
I would like to execute a cronjob for a routine task every X hours. The cronjob basically executes a shell script which in turn uses a WGET command to download files from a remote server. However, before I run this shell script I want the cronjob to execute a php script which will check whether the update's available (there's no point in wasting BW and downloading the same file over and over again) and if it is, it should pass on the update URL to the shell script which in turn uses the WGET command.
The cronjobs are set from the hosts Admin Panel. There is no other way around it. Being a shared hosting service, I am not allowed access to other functions on PHP which might do the task for me either.
Is this possible? I am Linux illiterate. I have installed a few RPM's on Fedora but that's about it. Please bear with me. Thanks!
Just pass --timestamping to your wget command.
Alternatively if you are more familiar with PHP's ways you can check this question for a usable method.
Use a curl HEAD request to get the file's headers and parse out the Last-Modified: header.
To use a php script as a regular command line executable use this as a starting point:
#!/bin/env php
<?php
echo "Hello World\n";
Save the file without the .php and tuck it somewhere that your server won't serve it.
Next, set the executable bit so that you can execute the script like a regular program
(u+x in the following command means grant the [u]ser e[x]ecute privileges for helloworld, and chmod is the command that unix variants use to set file permissions)
Omit the $ in the following sequence, as it represents the command prompt
$ chmod u+x helloworld
now you can execute your commandline script by calling it in the bash prompt:
$ ls
helloworld
$ ./helloworld
Hello World
$
From here you can get the full path of the executable script:
$ readlink -f helloworld
/home/SPI/helloworld
And now you can install the cronjob using the path to your executable script.