I have a C program that makes a system call (centOS 6.0) to encrypt a file, my code is:
#include <stdlib.h>
int main () {
system ("gpg -c --batch --passphrase mypass file.txt");
return 0;
}
The executable object is called encrypt_file
When I run ./encrypt_file directly through CLI it runs perfectly I obtain my file.txt.gpg, but when I try to execute it via browser I get no response.
Code in php:
shell_exec("./encrypt_file");
The reason I chose to make a c program is that I need the passphrase to be in the code but not visible, when I delete the .c file that contains the passphrase all I have left is my .exe and no visible passphrase.
I already changed permissions to apache user by issuing the following:
chown apache.apache /var/www/html/
And added the next line in /etc/sudoers:
apache ALL=(ALL) NOPASSWD:ALL
NOTE: The only command I have issues is gpg, I can make a system call with any other command that I needed to use, I can even run python scripts, and other C programs that doesn't contain anything related to gpg.
I hope a fast reply! I need to use a lot this encrypt_file!
Checking the error_log in /var/log/httpd/error_log I saw this line:
gpg: Fatal: can't create directory `/var/www/.gnupg': Permission denied
Then I found a solution at this site -> http://gnupg.10057.n7.nabble.com/Exi...pt-td7342.html
I added the --homedir option with the PATH that I found in the error.log of apache to the gpg command and it works perfectly!
Thanks to all!
Related
I have a php file which is called by a website:
example: serial_tx.php?v=W100
Within the php I write a log file where I can see which string v I received (W100 in this case).
The webserver is hosted on a Raspberry Pi and should send this data to the uart.
The files locations:
/SCRIPTS/serial_tx.php
/SCRIPTS/c/jmsend/serial_tx // the executable, compiled from a C script
If I am in the root of the webserver and, from the console of my Pi, I run
sudo /var/www/html/SCRIPTS/c/jmsend/serial_tx W100
I get the command sent correctly.
With the php file I tried with system, shell_exec and exec without success.
shell_exec("sudo /var/www/html/SCRIPTS/c/jmsend/serial_tx ".$ric);
$ric is the received command.
I tried with different path settings too (starting from Pi root or webserver root).
All the files have a 777 as permissions.
Something like this in /etc/sudoers should work to allow your web server user to run that particular command without issue:
Cmnd_Alias SERIAL = /var/www/html/SCRIPTS/c/jmsend/serial_tx *
www-data ALL=(ALL) NOPASSWD: SERIAL
Note that you must escape user input before using it:
$ric = escapeshellarg($_GET["v"]);
shell_exec("sudo /var/www/html/SCRIPTS/c/jmsend/serial_tx $ric");
You should also be aware of the differences between exec() and shell_exec(), specifically that you can't check for a failure using shell_exec().
$ric = escapeshellarg($_GET["v"]);
exec("sudo /var/www/html/SCRIPTS/c/jmsend/serial_tx $ric", $output, $return);
if ($return !== 0) {
// let the user know something didn't work
}
This assumes, of course, that your executable is written to return appropriate error codes.
I need to run a cPanel script from the command line via PHP's exec function (other cPanel options are not viable). The command is roughly:
uapi --user=[user] Email suspend_incoming email=[user]%40[domain].[tld]
I was getting the following error:
setuids failed: Attempting to setuid as a normal user with RUID ***
That in turn led me to realize that the user under which PHP runs does not have permission to execute that command which lead me to this thread. However just as you're not supposed to CHMOD files blatantly as 777 I don't want to blindly enable all commands for this user when using sudo from the command line or PHP's exec script.
How do I only allow the uapi command (also multiple specific commands) to be executed by this user when using sudo via an edit to the sudoers file?
You can give a user access to execute a command as root via an entry to sudoers file like so (assuming www-data is the PHP process owner user):
www-data ALL=(root) NOPASSWD: /path/to/uapi
Obtain the path to the uapi file via the command which uapi. You should carefully consider the security implications of this action.
This UNIX stackexchange question has a nice detailed explanation of the sudo entry syntax.
I'm trying to execute with PHP a command (rsync) to copy folders and files from a remote server to a local folder.
This is the code I wrote in php. Command WORKS in SSH (local Terminal and remote with putty.exe), copying correctly the folders and the files.
But it doesn't work in PHP. What can I do? Do you know a better(secure/optimal) way to do this?
exec("echo superuserpassword | sudo -S sshpass -p 'sshremoteserverpassword' rsync -rvogp --chmod=ugo=rwX --chown=ftpuser:ftpuser -e ssh remoteserveruser#remoteserver.com:/path/files/folder /opt/lampp/htdocs/dowloadedfiles/", $output, $exit_code);
EDIT:
I had read this guide to create a link between my server and my local machine.
Now I can login with ssh in my remote machine without password.
I changed my command:
rsync -crahvP --chmod=ugo=rwX --chown=ftpuser:ftpuser remote.com:/path/to/remote/files /path/to/local/files/
This command works too in terminal, but when I send it with exec php command, it fails again, but I got another different error: 127.
As MarcoS told in his answer, I checked the error_log.
The messages are this:
ssh: relocation error: ssh: symbol EVP_des_cbc, version OPENSSL_1.0.0 not defined in file libcrypto.so.1.0.0 with link time reference
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: remote command not found (code 127) at io.c(226) [Receiver=3.1.1]
Well, after lot of try/error, I finished to cut the problem in the root:
I readed this guide (like the last one, but better explained) and I changed the php file that execute the rsync command to the remote server (where files are located) and run the rsync.php file there, and it worked perfectly.
To execute in the machine with the files (the files to copy and the rsync.php)
1.- ssh-keygen generates keys
ssh-keygen
Enter an empty passphrase and repeat empty passphrase again.
2.- ssh-copy-id copies public key to remote host
ssh-copy-id -i ~/.ssh/id_rsa.pub remoteserveraddressip(xxx.xxx.xxx.xxx)
The rsync.php file:
exec("rsync -crahvP /path/in/local/files/foldertocopy remoteuser#remoteserveraddress:/path/in/remote/destinationfolder/", $output, $exit_code);
After all of that, navigate to the rsync.php file and all must work. At least worked for me...
I suppose you are experiencing identity problems... :-)
On a cli, you are running the command as the logged-in user.
On PHP, you are running the command as the user your web server runs as (for example, apache often runs as www-data, or apache user...).
One possible solution I see (if the above is the problem real cause), is to add your user to web-server group...
I'd also suggest you to check the web-server error logs, to be sure about the real cause of the problem... :-)
I have the following folder on my server, with the following files:
error-2015-12-20.log
error-2015-12-21.log
error-2015-12-22.log
And I written a PHP script that packs into .tar.gz with names earlier than the current date, moves the packed file into another partition, and removes the input files. It's done via exec().
The problem is that all of those operations require me to use sudo and provide password.
How can I deal with this?
Are you familiar with Linux file permissions?
If you want to execute a script you have to have the right to do so (by being in the group/owner with executable bit set), and if you want to read files you also have to have the right to read those files.
Otherwise you are forced to execute the file as sudo, because root can access all files.
Learn about this here: https://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions
As stated above it's a permission problem, to solve this let instruct sudo to let your php script run without prompting for a password:
Create a custom sudoers file :
sudo visudo -f /etc/sudoers.d/90_your_user
Copy the following contents in the newly created file (customizing the relevant section):
Cmnd_Alias PHP_SCRIPT = /path/to/my/script.php param1 param2
Cmnd_Alias ROOT_PROGS = PHP_SCRIPT
# Programs allowed to run without password prompt of your_user
your_user HOST=(root) NOPASSWD:ROOT_PROGS
You can then execute your program with sudo /path/to/my/myscript.php without permissions problem and without sudo prompts you for your password.
I'm trying to run a script as root user. here is my code
echo shell_exec("sudo bash.sh 2>&1");
It's giving error
sudo: no tty present and no askpass program specified
www-data is not in the sudoers file. This incident will be reported.
I've followed these methods as well but end up with no permission error
There are a couple of issues you might encounter:
The user that is running the php process must have sudo rights (check with visudoers command)
There is no environment set, so the $PATH variable does not include the path to the sudo command
sudo might require a password. Either change the sudoers file, adding NOPASSWORD, which would be hugely unsafe. Or you have to use pipes (proc_open), and pass the password through the stdin pipe
I've managed to find a way to do so, but after some help from people on this site:
load .profile with proc_open()
proc_open interaction