I have a simple PHP script:
exec('git pull origin master', $shell_output, $output);
print_r($shell_output);
print_r($output)
When I call this via CLI php git.php, it works fine. I get the expected output, and a return value of 0. When I visit the page via a web browser, it fails with a return value of 1.
I've set file permissions to 777, and ensured php.ini doesn't block the exec() function.
The CLI runs with the currently logged in user's (you) credentials and it's most probably different from what the web server process uses. Do a exec('whoami') etc. to verify.
I was able to fix the issue with some help by Ates Goral.
To debug the issue, I ran:
sudo -u www-data php git.php
to see how the script behaved when run under the www-data user. There were two issues:
www-data did not have its own public key. I created one and added it to the github repo.
And the .git folder was not readable by www-data. This was fixed by chowning the directory to give permissions to the group www-data that both I and apache belong to.
Related
I am trying to transfer files from one server to another with the code below.
rsync -avz -e "ssh -i /root/.ssh/somekey" /var/www/admin/somefiles.txt root#xxx.xxx.xxx.xxx:/var/www/html_public/some-folder/
It works just fine if I do this on putty but if I do shell_exec this code on a php page and run the page on a browser. It does not work. It returns an empty string.
I hope someone can help me with this. Thanks in advance.
First, you need to check if you need to be a root or (sudo user) for running rsync.
If yes then exec() command will only work if it is run by same user on php-cli (not on browser by Apache user). i.e. Which user you are loggined into shell for run rsync.
If it is root or any elavated permission user with sudo permission then, This rsync command may not be available to apache/www-data user which is working when php script run from browser.
So You try to make a normal user and login through it, Then try rsync if you are successful then it may be interesting to see what are other problems can be, But if you getting access/permission denied then obviously you can not run this script at-least on browser.
Besides this One more thing permission may not be directly related to rsync command itself but with folder /etc/test/ which is owned by root user in normal scenario.
I've recently set up my Apache2 Server on my Linux machine. Now I've wanted to execute a PHP script (index.php), which runs a shell script (foo.sh), which creates a folder in my home directory, but the directory was not created.
These are the original two files:
foo.sh:
#!bin/bash
mkdir /home/lorenzo/testDir
index.php:
<?php
exec('sh test.sh');
?>
So, I thought maybe the problem occurs because of privileges or something, and indeed after I changed the files to that:
foo.sh:
#!bin/bash
echo "Hello world"
index.php:
<?php
$temp=exec('sh test.sh');
echo $temp;
?>
I saw the output Hello World on my website.
So the PHP script is executed and it runs the shell script. But why can't the shell script execute the mkdir command?
This indeed is most likely a permission issue.
You first have to figure out which user apache runs at. This is usually www-data (on Debian-ish Linuxes, such as Ubuntu) or apache (on RedHat-ish Linuxes) or something along the lines. A ps -eF | grep apache will reveal the user.
After you figured that out, make sure that the apache user has the appropriate rights in your home directory. You can either add it to your user group (using usermod -a -G ... and then chmod g+w ~) or allow writing for all users (chmod o+w ~).
But, both of this is a bad idea. Your php script (or anything else running as the apache user) can be broken into and cracked, leaving you home directory open for malicious attackers to modify and rm -rf.
In addition, if you’re running a RedHat-ish Linux, you will run into SELinux which by defaut prevents apache from accessing user directories at all. In that case, you also have to set setsebool -P httpd_enable_homedirs on.
Instead, I would recommend that you use a different directory and give your user full access to that. Something along the lines of /var/www/testDir with the apache as owner and group, and adding yourself to the apache user group is probably a sane idea.
It looks like a permission issue. Make sure that Apache has write permission to that directory
You may have permission issues on the server. Try to use chmod -R 775 <dirname>(or 777) in your ssh command line. You can do this in php code with chmod() too but I don't suggest you because it would run it everytime the php code runs and changing it more times is pointless. It can output to the screen but I bet the directory the script wants to make file has permission 755. Try to check it.
I have a couple of bash scripts on a Centos box which I use to do basic server admin stuff like restart services, etc. I run these as a standard user who is also the scripts' owner.
I tried to run these using shell_exec() in PHP, with the apache user, but it simply doesn't work - I'm guessing it doesn't have enough permissions (even with 775 and being in the correct group!) to run everything I want it to.
I've tried editing the sudoers file giving apache permission to run the script calls but it still doesn't work and has no error messages that I can see.
Any thoughts? How can one trigger a script from a web page which requires a different user to run?
check under which user is running apache ( for debian it is www-data)
add www-data in sudoers list with permission to execute files that you like
check which shell has www-data user in /etc/passwd (you will need to give valid shell)
run script with /bin/bash -x (it will output for sure)
Make sure safe mode is off. Also verify the user is the one you expect:
<?php echo exec('whoami'); ?>
I have a PHP file, hook.php, that looks like this:
<?php
`cd .. && git pull`;
The file is located in /var/www/oliverash.me/site/. However, the git repository that needs to be pulled is /var/www/oliverash.me/. ./site is the folder Apache looks to as the document root.
When I run the file in my browser, it does not seem to be pulling the repository.
I have also tried to echo the result, but the page is blank.
<?php
echo `cd .. && git pull`;
I can't post a comment in reply to you, but I am assuming that you are running a *nix system. You will be getting a permission denied if your apache/php daemons don't have permission to access .git/. You can change the owner/group of the .git/ directory recursively. Or do a chmod -R o+rw .git/* to give everyone (ie, not owner, not group) access to read and write in the git directory, which should clear up the permissions error that you are getting.
EDIT
Just re-read the question, so what follows probably isn't needed, but leaving it just in case.
Though, doing that, you need to keep in mind that anyone with access to your server will be able to go to http://myurl/.git/ etc to access those. So as a security precaution, I would add a .htaccess file like:
order deny, allow
deny from all
in the.git directory so that apache will deny access from a web browser to everything in there.
You've certainly got a permissions issue, maybe a couple.
The php page is going to execute as the apache user
That user must be able to write to the git repo in question
That user must be able to do the pull in question
You didn't specify what the source of the pull is, but if it's, for instance, a git: or ssh: repo, then that user will need perms (keys, username/password, whatever) to access the remote to do the pull from.
Just saw that it wants /var/www/.ssh - so you're using a ssh:// remote, which is fine, but since it's running as user apache (/var/www is user apache's homedir), it's looking for keys in /var/www/.ssh, which it's not finding, hence the failure. Solutions:
use sudo to switch to a user that does have perms and run the git pull as that user (in your php, do 'sudo git pull', and in your /etc/sudoers put a line allowing user apache to run the 'git pull' command)
set up a .ssh/config file that specifies a Host that's the remote, a User to use to login, and an Identity that is the path to the private key that the remote will allow to ssh in and do the pull.
create webhook.php in the root or anywhere from where you can access it
$result = exec("cd /path/to/repo && git pull origin branch");
make sure the permission is 775 and user of your file and your site directory is www-data owner
You are having a problem with the user here that is executing the command.
According to your various comments, the system commands are executed as the user named apache (homedir is /var/www). You can verify this by running the whoami command from within your PHP script:
<?php echo `whoami`;
That user named apache is commonly the user your webserver runs under, which then runs PHP which then runs the shell commands.
Obviously you want to run the command as some other user, but you have not shared so far the information which one.
Run the shell command under the right user and the problem should go away.
On a linux system, the command to run other commands under a different user is called sudo, another one su:
sudo(8) - Linux man page
su(1) - Linux man page
Alternatively you can make use of suexec to execute PHP under a different user than the webserver user.
In any case you need to ensure that you have a user that is able to execute the git command. I have no clue how you tested that on your own, best way I know is to ssh into the server box, do the git pull manually and collect the needed data like user-name, homedirectory etc. .
I am currently over ssh on a remote CentOS 5.6 system which runs an Apache webserver. I need to use the poppler pdftohtml binary which, unfortunately, is not currently installed on that machine. So I downloaded the poppler package and built it under my user folder. Since I I am not the system admin, I didn't do
make install
and I have all my compiled files under
/users/myfolder/poppler-0.18.2/
The file that I need to execute through php shell_exec() is
/users/myfolder/poppler-0.18.2/utils/pdftohtml
If I execute it through my ssh bash, I get the correct output. If I, instead, put this line on a php script:
echo shell_exec("/users/myfolder/poppler-0.18.2/utils/pdftohtml");
I get the following output:
sh: /users/myfolder/poppler-0.18.2/utils/pdftohtml: Permission denied
I tried setting to 777 the file permissions, which currently are -rwxrwxrwx. I also noticed that using shell_exec("whoami"); results in "apache". Shouldn't apache be able to execute the script if the file permissions are -rwxrwxrwx?
I also know that installing poppler through make install would solve the problem but since this is for testing purpose, I would like to avoid "contaminating" the system outside my personal folder until the testing is complete.
Thanks to anyone who will help!
Just because a file is executable for a user does not mean that user is actually able to execute the file. The user needs to also be able to 'get to' the file: The user needs execution permission for all 'parent directories', in your case for /users, myfolder, poppler-0.18.2 and utils.
Assuming /users is the same basic thing as /home, everybody should have +x on that. From there, you can set it: simply do chmod o+x /users/myfolder /users/myfolder/poppler-0.18.2 /users/myfolder/poppler-0.18.2/utils
(Note: This will make it possible for everybody to execute this binary, not just Apache.)
If the apache user and you share a group, it would be better to use chown the poppler directory and everything in to be owned by that group, and set g+x instead of o+x.