Is it possible to checkout specific branches from a Git version control system using a PHP website? All I need is a single webpage that lets me select any of the available branches and do a checkout after pressing a button (after authentication ofcourse).
Making a script to list all the available branches and display the page is easy, but the PHP script does not have sufficient rights to run a Git checkout. I can run the webserver (either Apache or Nginx) as root, but obviously that would be far too big a security risk.
How can I initiate a Git checkout from a PHP web script with min
I had the same problem and my solution was to just chown the whole site to the apache user. Now your PHP script can run the git checkout.
This solution is not 100% ideal for security, because now buggy scripts can change scripts in your webfolder. The proper solution for this would be to write a daemon than runs as a privileged user and runs only very specific commands for the apache user on request. I only needed a solution for our dev webserver, so the daemon would have been overkill.
Better set up a git server, using e.g. gitolite (search in Google). It even handles key setup and such for you.
Related
I am a newbie here, I am having a bash script which can be executed through terminal with sudo permission only. I want to run it from PHP with proper security. I dont know where to start to accomplish this considering security in mind. Should I create a additional user or what Will be the better way to achieve this. I got a reference with Running command-line application from PHP as specific user, but I am using Nginx and the mentioned solution does not work for me.
NGINX is a web server and not the interpreter. It is not very relevant.
In the standard NGINX + PHP-FPM setup, you should have a separate system user for your website anyway. So you don't need to create an extra user just for that command.
Simply ensure that this "website user" is able to sudo run your script, without being prompted for their password. This is achieved by visudo.
example ALL=/path/to/your/script
Where example is the PHP-FPM pool user, aka, the "website user" and the owner of the website's files.
My company have a cloud dedicated server, hosted in google cloud, running centos 7 with apache2, php5.5 and mariadb running.
The webserver is running a private application for business clients and companys. Every client has his own database and subdomain, so they, and their own clients can access his applicacion going to http://theirname.example.net/
I've created an interactive command line script for client creation. It creates user and secure password, ftp custom folder, create mysqldatabase and populate it with a sql file, create subdomains and other thing. Also i've made another version of this script with no user interaction, receiving parameters as the client name via command line arguments ( /path-to/script.sh usertocreate mysqluser mysql pass).
So, here is the deal, i want to create a web interface, password protected, just available for my company IP address, this interface should be able to run these SH scripts (not the interactive ones) with sudo permissions.
I was thinking on create a subserver in other port (like http://example.org:2501) using another instance of apache (or other webserver) which runs with a specified user with sudo permissions enables only in the neccesary folders.
Before doing anything, i've created a PHP script which runs commands to console, and tried to run SUDO commands with that. Allowing apache user to sudoers list (just to make it work during develop). I could run these scripts from my web app without SUDO permissions, but they where not working at 100% (since some commands require SUDO). When i try with sudo i receive a code 127 error responde (permission problem).
I stopped there and decided to investigate the best way to do this.
I have full control of the server machine. Apache2 and everything normal is running well. (mariadb, proftpd with passive mode active -100 ports added- )
SELINUX is DISABLED. Firewalld Running
SSH is available for use
I can install another webserver in another port to accomplish this. If a lot of HTTPD configurations should be changed to accomplish this, i will preffer to install another webserver
I can also install any 3rd party software.
I'm a PHP Developer with low experience in other programming languages, if it's necesary to invoke any other programming language to do this (maybe like Python) i would love some docummentation links
Access to this web application would be limited only to my company's static ip address and will be protected
Any thoughts/ideas ? Thanks in advance
PS: If someone want to edit my text and add some colours and format, edition will be aprovved
EDIT TLDR: I want to run another httpd in another with a webapi. This webapi should can run console commands as SUDO. Access to this webserver will be limited to my company's IP. I'm not sure if this is the best way to do it and i want opinions. Also, i'm not pretty sure if its possible to run sudo commands from php without any trouble.
.. and sorry for my english ..
I have something like IS written in PHP and I would like to make updating system for my customers. Here is my vision:
I upload new version to ftp server (or web server)
After click on update, system should compare version (done), backup old scripts (done) and make update like rsync. Delete deleted, change changed, add new files and folders.
For rsync I have to make ssh hole to my server and I don't want to do it. I found zsync, but it is designed for files, not for folder system.
Is there any easy way to do it? Some smart linux utility or some already done script in PHP?
Thanks for answers!
rsync can run on its own port, without any ssh involved at all: https://help.ubuntu.com/community/rsync#Rsync Daemon
But this assume you're comfortable allowing the world at large to access your program. Do you want to restrict it to just your customers?
You could also publish your source via git; git can also run as a daemon http://www.kernel.org/pub/software/scm/git/docs/git-daemon.html without requiring ssh. Again, it assume you're comfortable with the world at large getting your program.
Is there a way to distribute a PHP program like a desktop app, so that even if the user of the app doesn't have a local server environment setup on there PCs, the app will still work?
I was thinking, if there was some type of portable server environment program which includes PHP/Apache, then we could create a batch file which when clicked would start up apache in the portable program and launch the PHP app in the user's default browser. That way PHP apps could be distributed like desktop apps.
But the question is, is there such a portable server environment program that can be used for this?
Yes, if you google for XAMPP portable, you can find several versions of fully portable, fully functioning xampp servers for the go. You would have to make sure it contains all the security settings and extensions you need.
The file your user launches should be an .html file to be sure it opens in your browser. As you need to point the user to his own localhost to run your app (otherwise PHP won't be executed and he'd see a plain html file), you'd have to create a redirect, possibly using javascript or a simple "click here to start" link.
The XAMPP only provides half of the solution:
In addition to the XAMPP you can use Phar files that give you the ability to package your PHP applications as a unit for installation and/or deployment.
You can configure a separate php file which will handle any database creations and initial configuration which can be set to run on the first time.
For a helpful start guide consider the following link:
http://phpmaster.com/packaging-your-apps-with-phar/
Finally if you want to make it seamless (easier) to the user, consider writing a Batch script which will handle running some of the task required (Such as starting apache and mysql and running run.php). Take note of using relative rather than absolute directories to make script development easier.
Here is how our current php development solution is set up:
Each developer work on their local machine.
Each developer commit their change to a common SVN server (intranet).
A commit hook upload the change to the staging server and perform validations tasks.
When the product is ready, manually deploy it to the production server via SFTP.
Note: Most - if not all - of the time I don't have SSH access to the server, only SFTP.
I could automate the deployment to the production server in the same way the staging server is updated but this solution works only one-way. How can I revert to a previous revision in case of problems?
How can I improve this solution?
Thanks and sorry for my English.
If you can set up the production server to access the SVN repo via a secure channel, such as https with webdav maybe try the following:
Create a script on the Production server that allows you to enter a tag directory and/or revision number/date and perform an svn export. This way, the prod server is pulling the changes from svn.
Now, if you have a way to have this script called securely from, say a commit script. Voila, you have automation.
Most importantly, you do not want an automatic update performed to the prod server that you were not planning for.
To solve this:
The commit script should only call the prod update script when something is committed to "/path/to/tags/release/dir"
Make sure only appropriate change control staff (or whoever currently controls the manual prod deplyment) have the ability to perform an svn copy to this directory in the repo.
For example, say your repo is set up as:
/yourWebsite
--> /branches
--> /trunk
--> /tags
----> /releases
The commit that would trigger the auto deployment to prod would be something like:
svn copy https://mySvnRepo/yourWebSite/trunk \
https://mySvnRepo/yourWebSite/tags/releases/x.y \
-m "Tagging for production deployment"
Rolling back can be achieved by making a commit to a previous releases directory. Note however, that this will not cause new files that were added to be rolled back.
Of course, your mileage may vary; this is only a suggestion for your investigation.
You should take time to consider the security implications and potential for disaster if set up incorrectly.
Hope this helps, even if only to get you thinking of other solutions.