proc_open() fails with 'Permission denied' - php

I'm trying to use proc_open() to execute a program and print the results. However, I keep getting 'Permission denied'. I have set chmod to 0777 for the script and executable, but to no avail.
ini_get('safe_mode') is false.
What could be wrong?
I'm using CentOS, Apache and PHP 5.3.3.

I had this problem with an identical setup, and the problem turned out to be SELinux (which is on by default) preventing httpd from executing my external programs. The problem, as I understand it, is that httpd has its own domain and can't touch things outside it. So, the simplest thing to do is to move your scripts into the /var/www directory and reset the file contexts:
restorecon -RF /var/www/
If that's not possible, you can instead change the context of your program in-place:
semanage fcontext -a -t httpd_sys_content_t "/path/to/program(/.*)?"
which will basically say that your program belongs to httpd.

Related

PHP executing bash script using sudo not working

I am unable to run a bash script using sudo with the shell_exec() function in PHP. I get an error saying:
Sorry, user apache is not allowed to execute '/bin/bash /var/www/html/private/createFTP.sh' as root on test.server.com.
PHP:
shell_exec('sudo bash /var/www/html/private/createFTP.sh 2>&1');
Visudo:
apache ALL=NOPASSWD: /var/www/html/private/createFTP.sh
If your web server is in a chroot jail, that will cause this type of error. If you are running a chrooted server, make sure you mirror your /etc/sudoers file across to the jail filesystem too, and adjust for the chroot directory structure when setting up the sudoers file, as your script will have moved once you are in the chroot. Also check that you have the sudo libraries and executable in the jail filesystem.

PHP exec can't print using CUPS

If I run lpr from root, or even run it from apache
runuser -l apache -c 'lpr -P RICOH_Aficio_2032 -r /var/www/html/website/tmp/test.txt'
works like a charm.
However, when I print using PHP exec
exec('lpr -P RICOH_Aficio_2032 -r /var/www/html/website/tmp/test.txt 2> /var/www/html/website/tmp/error.txt');
I get the following error:
lpr: Permission denied
I even set apache as the owner of test.txt.
PHP exec works when I use ls, cat, etc.
But lpr and lpstat don't work.
What's wrong?
Note: I'm on CentOS 6.8 with PHP 5.6.
After some research, I found the problem.
SELinux didn't let the httpd service access lpr/CUPS.
Disabling SELinux solved the problem.
Note: I don't need SELinux in my situation, but if you face the same problem, note that disabling SELinux can be a security flaw, especially if the server is accessible from outside your network. Just add the rules to SELinux to let httpd/PHP do it.
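Both SELinux answers above (the proc_open() one and this lpr one) come down to the httpd_t domain being denied an operation. As an added example, not part of the original posts, this shell function pulls the httpd_t denials out of audit records so the file context or rule that is needed can be identified; the sample records are constructed.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials whose source domain is httpd_t.

# Constructed sample records in audit.log format (not taken from the page).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1480000000.123:456): avc:  denied  { execute } for  pid=2201 comm="httpd" name="program" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1480000000.123:456): arch=c000003e syscall=59 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1480000100.456:789): avc:  denied  { name_connect } for  pid=2310 comm="lpr" dest=631 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1480000200.789:790): avc:  denied  { read } for  pid=900 comm="sshd" name="key" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Print "comm permissions tclass target_type" for every httpd_t denial.
# Reads the files given as arguments, or stdin when there are none.
httpd_denials() {
    awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
        perms = ""; comm = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions are the words between "{" and "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/) {
                comm = substr($i, 6); gsub(/"/, "", comm)
            } else if ($i ~ /^tcontext=/) {
                split($i, ctx, ":"); ttype = ctx[3]   # user:role:type:level
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            }
        }
        print comm, perms, tclass, ttype
    }' "$@"
}

sample_audit_log | httpd_denials
```

On a live host the same function can be pointed at /var/log/audit/audit.log; the target type and class it prints show what httpd was blocked from touching, which is the information needed to write a rule instead of disabling SELinux.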

Handle Raspberry Pi camera via Apache

I'm trying to get an image from the Raspberry Pi camera via a PHP script.
php5, apache2 and all the necessary stuff are installed.
Snippet: /var/www/img.php
if(isset($_GET['pic']))
system("sudo raspistill -w 512 -h 320 -o /var/www/img/img.jpg");
When I run the command directly in the terminal it works, but the PHP script does not. With sudo php /var/www/img.php?pic I get an error:
Could not read input file: /var/www/img.php
First I thought it was a problem with the permissions, but it isn't working even with root privileges.
Does anybody have an idea? I'm really depressed..
Thanks a lot!
Solution
First, it's necessary to change the owner of the apache directory:
sudo chown www-data:www-data -R /var/www
After that it's not necessary to prepend sudo:
exec('raspistill ...');
It's also possible with popen, system, ...

Mounting a drive in debian from php code

I've been at this for two days now and haven't been able to find any way (good or bad) of getting that to work.
I have to be able to dynamically mount drives over the network from my website's pages (that part is inevitable).
I have no problems doing it directly on the console with the following command
mount -t cifs //IP-REMOTE-MACHINE/Folder -o username=username,password=password /mnt/share
Obviously trying to just do a shell_exec() of this command wouldn't work with no root rights.
I tried to shell_exec() a script in which I would switch to the root user (via su or sudo mycommand), but neither of them would work. I have never succeeded in writing a script that would automatically switch my user to root, even with the root password hard-coded (even if that feels like an extremely bad idea, I could have accepted that at the moment).
After that I tried to use pmount but never found a way to access a remote shared file (I don't think it's even possible, but I may have missed something here?).
All that is running on a Debian machine with apache2.
I have a wild idea...
You could set a cron to run as root that checks for mount commands from your script. The script would simply set a mount command to be processed, and when the cron gets to it, runs the mount, marks the command as processed, and writes to a log file which you could then display.
It's not safe to run sudo commands with www-data (the user for web servers in Debian).
But if you want to run sudo [command] in a php script, you must add the user www-data in sudoers: http://www.pendrivelinux.com/how-to-add-a-user-to-the-sudoers-list/
And then you can exec: sudo mount ...
EDIT: It's safer to add in visudo:
www-data ALL= NOPASSWD: /bin/mount
To allow www-data to use only sudo /bin/mount
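One way to build the root-side worker for the cron idea suggested above, as an added example that is not from the original posts. The queue path, the allowlist, the credentials file and the per-share mount point under /mnt are assumptions; the web application only appends requests and never gets sudo rights.

```shell
#!/bin/sh
# Added example: root-side cron worker for queued mount requests.
# The web application only appends one share per line to the queue file
# (hypothetical path below); it never runs mount or sudo itself.
QUEUE=${QUEUE:-/var/spool/mountq/requests}
ALLOWED="//192.0.2.10/reports //192.0.2.11/scans"   # constructed allowlist

# Dry run by default: print the command. Set DRY_RUN=0 to execute it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

# A request is valid only if it is a plain //host/share string AND is on
# the allowlist, so request text can never add mount options or commands.
valid_share() {
    case $1 in
        *[!A-Za-z0-9./_-]*) return 1 ;;   # character outside the safe set
        //*/*) ;;
        *) return 1 ;;
    esac
    for s in $ALLOWED; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Rename the queue first so requests appended during the run are not
# lost, then handle each line.
process_queue() {
    work=$1.work
    mv "$1" "$work" || return 0
    n=0
    while IFS= read -r share; do
        n=$((n + 1))
        if valid_share "$share"; then
            # Credentials come from a root-only file (assumed path), not
            # from the request and not from the command line.
            run mount -t cifs "$share" "/mnt/${share##*/}" \
                -o credentials=/root/.smbcred,nosuid,nodev
        else
            echo "request $n rejected" >&2   # do not echo untrusted text
        fi
    done < "$work"
    rm -f "$work"
}

if [ -f "$QUEUE" ]; then process_queue "$QUEUE"; fi
```

Compared with the `NOPASSWD: /bin/mount` rule, the web server user here can only ask for shares that root has already approved, and the mount options are fixed by the worker.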

Creating subversion shell script on Centos

I have Subversion installed on CentOS 6.4 and want to write a script (from my understanding a shell script) to run a couple of commands. My issue here is not writing the shell script but more providing a parameter to the shell script (so a function in a way) to be able to complete the request.
In essence I want to do the following:
Run script with parameter from SSH ("somscript reponame")
Create repo: svnadmin create /var/www/svn/reponame
Change repo owner: chown -R apache.apache /var/www/svn/reponame -R
Do security changes: chcon -R -t httpd_sys_content_t /var/www/svn/reponame/
And chcon -R -t httpd_sys_rw_content_t /var/www/svn/reponame
Create default directories: svn import -m 'Initial import' /tmp/svn-structure-template/ http://domain.com/svn/reponame/ (localhost is not accepted by stackoverflow)
Can anyone offer some guidance or perhaps provide an alternative I can use? Would a PHP script work (so to run it from a browser and use a query string of some sort and would this not cause some security issues as apache is the default owner and some of these may require root / sudo access).
Thank you in advance!
As Fausto said in the comment, standard Bash parameters should work fine. At ProjectLocker, we use scripts similar to what you're describing to provision new Subversion repositories, and you should just be able to reference "$1", "$2", and so on in the script.
Incidentally, you don't have to import to the http:// location if you're running on the machine with the instance, if that makes things harder. You can do:
svn import -m 'Initial import' /tmp/svn-structure-template/ file:///var/www/svn/reponame
although I'd recommend testing that first to make sure that doesn't cause an undesired permissions change. If it does, you can simply run it before the apache permission flip and the lockdown.
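The steps from the question combined into one script that takes the repository name as "$1", as an added example that is not code from the posters or from ProjectLocker. The name validation, the 64-character limit and the dry-run switch are assumptions added here; the import uses the file:// form and runs before the ownership change, as the answer suggests.

```shell
#!/bin/sh
# Added example: provision a repository named by the first argument ("$1").
SVN_ROOT=/var/www/svn
TEMPLATE=/tmp/svn-structure-template

# Dry run by default: print each command. Set DRY_RUN=0 to execute.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

# The name becomes part of paths passed to chown -R and chcon -R as root,
# so allow only a short name of letters, digits, dot, underscore and dash,
# not starting with a dot (this rejects "", "..", and anything with "/").
valid_repo_name() {
    case $1 in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

create_repo() {
    valid_repo_name "$1" || { echo "invalid repository name" >&2; return 2; }
    repo=$SVN_ROOT/$1
    [ ! -e "$repo" ] || { echo "repository already exists" >&2; return 3; }

    # Import through file:// before ownership is handed to apache.
    # Both chcon steps are kept as listed in the question; the second one
    # sets the final type.
    run svnadmin create "$repo" &&
    run svn import -m 'Initial import' "$TEMPLATE/" "file://$repo" &&
    run chown -R apache:apache "$repo" &&
    run chcon -R -t httpd_sys_content_t "$repo" &&
    run chcon -R -t httpd_sys_rw_content_t "$repo"
}

if [ $# -gt 0 ]; then create_repo "$1"; fi
```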
