Can anybody help me? I'm using sphinx searcher, but i have many databases. I dynamically controll them (change the sphinx config file ), but after i add an index to the config file sphinx needs to be restarted. I have created an bash script for doing this (stop shpinx, start it, indexer --rotate --all ) and when i run the script from terminal it is ok, but when i run from apache server it is not working. How can i do this without changenig the owner of the apache server to root ( it will decrease the security of my server )?
How can i do this without changenig the owner of the apache server to root
How about sudo? Put something like this in your sudoers...
apache ALL= NOPASSWD: /path/to/script command
The catch is to make sure that the script cannot be exploited... as it is running as root... ie is read-only + exec for apache, ensure that commands/switches you send to the script are sanity checked.
I hope that helps,
Kind Regards,
Nick
Related
I have a page thats called form a browser which at the end needs to run one command as root. I am very well aware of the security implications of running shell_exec commands from the browser, so I have locked down my sudoers file for "apache all no password" to the one command:
apache ALL = (ALL) NOPASSWD: /usr/sbin/rndc
I have made my PHP page hard-coded so no part of the command is run from user-accessible inputs.
This process just refreshes the config for Bind9 (named) by issuing
shell_exec("/usr/sbin/sudo /usr/sbin/rndc reload");
However, it seems this does not run, but when I have make /bin/bash the default shell for apache and as apache, this process runs when I try it in apache shell:
[root#localhost zones]# su - apache
-bash-4.2$ /usr/bin/sudo /usr/sbin/rndc reload
server reload successful
My whole PHP code:
<?php
error_reporting(E_ALL);
$result = shell_exec("/usr/bin/sudo /usr/sbin/rndc reload");
print_r($result);
?>
I get no responses. Any ideas? SELinux is now set to permissive.
turned out to be the require_ttl parameter in my sudo files. Apache was erring in /var/log/httpd/error_log.
Thats to those who viewed :)
I have a php script. I am using nginx and spawn-fcgi.
spawn-fcgi -n -s /tmp/nginx9010.socket -u www-data -g www-data -f /usr/bin/php5-cgi -C 6
How can I test from the command line that spawn-fcgi is working with the script?
e.g. I have a script in /home/ubuntu/test.php
I am having issues with nginx and executing a php script. It prompts for a download.
I have #!/usr/bin/php in the file and did a chmod a+x as well.
Thanks
For testing a FastCGI backend you could try to create a CGI environment and use cgi-fcgi to connect to the backend
You could attach with strace to see what the backend does (for example whether it even receives a request from the web server); attach with -ff to the master process to see syscalls on all workers
php5-cgi in FastCGI mode doesn't need a shebang line nor +x on the files - it doesn't use the kernel to execute them, it just loads them as simple files
Firefox (and probably other browsers too) often cache the mime type, so you will see a download prompt even after you fixed the problem. Use curl for testing!
nginx won't serve the file it passes it to php, nginx only serves static files, So if it is downloading the php file you might need to check that your are sending php files to the correct place, are you using an IP and PORT in the php location block in the config file ?
Only a guess of the top of my head whilst on the train home.
FWIW, problems like that nginx offers the file to be downloaded are due Nginx serving the files itself without sending them to fastcgi backend, often because of try_files or wrong location {} block matching to the uri.
I have XAMPP installed on Windows 7. I need to stop and start Apache many times every day.
Currently, I do this by opening up the Xampp control panel, clicking 'Stop' (next to 'Apache'), waiting for it to stop, then clicking 'Start'.
Ideally I would like to be able to do this more quickly - something like right click the Xampp icon, and choosing 'Restart Apache'. Or, even better, just a shortcut key that restarts Apache.
I know that there are two bat files with Xampp - apache_stop.bat and apache_start.bat. I've tried utilising these to get want I want. However, when you run apache_start.bat, you get a cmd window that you can't get rid of. I couldn't find a way to start Apache silently in this way.
So, basically I want to be able to quickly restart Apache (one click/shortcut key), completely silently.
Thanks in advance.
Copy apache_start.bat and rename it to apache_restart.bat.
Change the line apache\bin\httpd.exe to apache\bin\httpd.exe -k restart
Voila, there you go with your restart script.
and you can also give it a shortcut.
If you have the Apache service monitor in your system tray, you can just open that (right click, I think?) and click "restart Apache".
If it's not in your system tray, you can find it in the /bin folder of the Apache installation (called ApacheMonitor.exe). I'd recommend making a shortcut to it in the "Startup" folder.
For me, with the version 3.2.2 the first answer didn't work.
I've put together a script from the two apache_start.bat and apache_stop.bat files.
#echo off
cd /D %~dp0
echo Apache 2 is stopping...
apache\bin\pv -f -k httpd.exe -q
if not exist apache\logs\httpd.pid GOTO exit
del apache\logs\httpd.pid
echo Apache 2 is re-starting ...
apache\bin\httpd.exe
if errorlevel 255 goto finish
if errorlevel 1 goto error
goto finish
:error
echo.
echo Apache konnte nicht gestartet werden
echo Apache could not be started
pause
:finish
#adrianthedev's version didn't work for (XAMPP v3.2.4) me but helped me find a solution.
It's a lot less sophisticated as I don't know much about scripting but here it is and it worked for me:
#echo off
C:/xampp/apache/bin/httpd -k stop
C:/xampp/apache/bin/httpd -k start
Note: apache\logs\httpd.pid doesn't need to be deleted as it's done already by the httpd -k stop command.
I am trying to run a command line file conversion using open office.
openoffice pdf filename.doc 2>&1
when i execute in command line as root it works fine and the file is converted. However when i pass the above command in a PHP file as apache user, it does not execute.
I tried all three PHP command line execution:
$command_output=system($command_line,$rtnval);
$command_output=exec($command_line,$rtnval);
$command_output=passthru($command_line,$rtnval);
Also,
echo print_r($rtnval);
echo print_r($command_output);
$rtnval returns 1 and $command_output 1. I am confused unable to know what is the linux (centos) response to above command passed. It is very frustration because unable to know what the system response when i try to execute the command.
I also included /etc/suders permission for apache to run the open office command.
apache ALL: (ALL) NOPASSWD: /path/to/openoffice
still the command is not execute in PHP as apache user.
What am i missing for PHP as apache user not to execute this command?
It could be that openoffice is not in PATH. Try to execute it with the full path.
To run your command as if you were the apache user, just try this in a shell:
# switch to superuser
sudo su -
# then switch to the apache user
su - www-data
You will find yourself in a quite restricted shell, from which it is usually not possible to start openoffice. Indeed, it requires a lot of environment, that would be unsafe to completely set up for apache anyway.
AFAIK, better create a dedicated user that is allowed to run your command (eg a regular "www-runner" user), then "su" to it from PHP. Other security measures include chroot'ing the dedidacted user, or using apparmor to limit what and where it is allowed to run. In any case, never let www-data run something as root by adding www-data to the sudoers: this is way too dangerous!
You can also have a look at libapache2-mod-suphp (a suid apache module to run php scripts with the owner permissions).It is easier to use than the dedicated suEXEC apache beast (http://httpd.apache.org/docs/2.0/suexec.html). The latter really is not for a quick fix ;)
It is possible that your php in apache runs in safe mode or what's it called, in which system() function and alike are disabled.
This answer, actually, assumes that what you call "running as apache user" is in fact running in apache environment, whatever it is.
I have a script in /var/www/myscript.sh which creates folders and runs the command svn update for my projects. I need to execute this script by calling it in a PHP file in the browser (i.e. Localhost/test.php). I tried using functions shell_exec() and exec() but those did not work. I ran my shell script in terminal with su www-data && ./myscript.sh and it worked. What else am I missing?
<?php
$output = shell_exec("./myscript.sh");
?>
Update 5/4/2011:
I added www-data ALL=(ALL) NOPASSWD:ALL to /etc/sudoers and it works, but this is very insecure. Is there another way to do this?
Several possibilities:
You have safe mode enabled. That way, only exec() is working, and then only on executables in safe_mode_exec_dir
exec and shell_exec are disabled in php.ini
The path to the executable is wrong. If the script is in the same directory as the php file, try exec(dirname(__FILE__) . '/myscript.sh');
You might have disabled the exec privileges, most of the LAMP packages have those disabled. Check your php.ini for this line:
disable_functions = exec
And remove the exec, shell_exec entries if there are there.
Good Luck!
Residuum did provide a correct answer to how you should get shell exec to find your script, but in regards to security, there are a couple of points.
I would imagine you don't want your shell script to be in your web root, as it would be visible to anyone with web access to your server.
I would recommend moving the shell script to outside of the webroot
<?php
$tempFolder = '/tmp';
$webRootFolder = '/var/www';
$scriptName = 'myscript.sh';
$moveCommand = "mv $webRootFolder/$scriptName $tempFolder/$scriptName";
$output = shell_exec($moveCommand);
?>
In regards to the:
i added www-data ALL=(ALL) NOPASSWD:ALL to /etc/sudoers works
You can modify this to only cover the specific commands in your script which require sudo. Otherwise, if none of the commands in your sh script require sudo to execute, you don't need to do this at all anyway.
Try running the script as the apache user (use the su command to switch to the apache user) and if you are not prompted for sudo or given permission denied, etc, it'll be fine.
ie:
sudo su apache (or www-data)
cd /var/www
sh ./myscript
Also... what brought me here was that I wanted to run a multi line shell script using commands that are dynamically generated. I wanted all of my commands to run in the same shell, which won't happen using multiple calls to shell_exec(). The answer to that one is to do it like Jenkins - create your dynamically generated multi line of commands, put it in a variable, save it to a file in a temp folder, execute that file (using shell_exec in() php as Jenkins is Java), then do whatever you want with the output, and delete the temp file
... voila
If you are having a small script that you need to run (I simply needed to copy a file), I found it much easier to call the commands on the PHP script by calling
exec("sudo cp /tmp/testfile1 /var/www/html/testfile2");
and enabling such transaction by editing (or rather adding) a permitting line to the sudoers by first calling sudo visudo and adding the following line to the very end of it
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/testfile1 /var/www/html/testfile2
All I wanted to do was to copy a file and I have been having problems with doing so because of the root password problem, and as you mentioned I did NOT want to expose the system to have no password for all root transactions.