How to run from PHP a bash script under root user (with all permissions) and not nobody user - php default user?
thats my output after sudo visudo:
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"
#User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
You can use sudo:
exec("sudo /your/script");
You should allow executing your script without password prompt. Run sudo visudo in console and add the following string to the end:
nobody ALL = NOPASSWD: /your/script
You must set up file mode properly to ensure that no one can modify this script and put dangerous contents into it (in root console):
chown root:root /your/script
chmod 755 /your/script
You can make a program which is set-uid root. This causes the program to always run as root. This doesn't work with shell scripts, so you have to use a program which calls your script.
Under Linux you normally do this using sudo. Try to be as specific as possible, so not to give the script too many permissions.
For examples on how to use sudo: http://aplawrence.com/Basics/sudo.html
I would add a specific rule to allow this script to be called by nobody user, using sudo.
I recently published a project that allows PHP to obtain and interact with a real Bash shell (as user: apache/www-data or root if needed). Get it here: https://github.com/merlinthemagic/MTS
After downloading you would simply use the following code:
$shell = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);
$return1 = $shell->exeCmd('/full/path/to/script.sh');
Related
I building one PHP application where I create command line functionality for Linux debian Jessie. All works fne but I need to be able use some commands like root user.
Is there a way to use shell_exec() or similar command to access like root user via PHP?
Idea of this command line is to people who have access to that server can handle with it over internet from any place or device.
Here is image of console:
Executing commands as root via PHP will leave yourself wide open to all sorts of malicious hackery.
Have a look at the "sudo" documentation.
You should be able to set up all the commands you need as "sudo"able scripts. It is much better to write specific scripts with limited functions than to expose the underlying priviledged command.
As in:
exec ('sudo getCurrentUser.sh')
First, you need to add the user that PHP is using to run (most of the time it is www-data) to the sudo group if it is not already assigned.
Then, in your php file:
use sudo -S, so you can pass the password via echo
$exec = "echo your_passwd | /usr/bin/sudo -S your command";
exec($exec,$out,$rcode);
if you have trouble with the paths - use
"bash -lc 'echo your_passwd | /usr/bin/sudo -S your command'"
so you get a new bash that acts like a login shell and has the paths set
Edit your sudoers file
sudo vi /etc/sudoers
Put this line
www-data ALL=(ALL) NOPASSWD: ALL
www-data is the php default user in linux ( replace if necessary )
Use
$output = shell_exec('sudo XXXX');
I need help, i have webinterface thar run this section in php:
$cmd="/usr/sbin/sudo /usr/sbin/service networking stop"
exec($cmd, $mes);
print_r($mes); #this is emptz message
$cmd="/sbin/ifconfig"
exec($cmd, $mes);
print_r($mes);
print_r($mes); For stop service is empty
print_r($mes); For ifconfig=array have all information about interface (but all are up not down so above mesagge not work well (this service still run))
This script is running via deamon user.
This is my visudo:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
www-data ALL =NOPASSWD: /bin/nc, /bin/cp, /bin/chmod, /bin/chown, /etc/init.d/, /usr/sbin/service
deamon ALL = NOPASSWD: /bin/cp, /bin/chmod, /bin/chown, /etc/init.d/, /usr/sbin/service, /home/optokonlmcp/sss.php, /sbin/ifconfig
Please do you know why this php script not work ?
Thank you in advance
BR
MK
SOLUTIONS:
Create sctipt with rolus for root (root:root) and command what i need to do(sudo /usr/sbin/service ) command must contain sudo
add script into visudo+ all command that are meantioned in my Script:
Visudo containing:
daemon ALL=NOPASSWD: /usr/bin/sudo, /path_my_script/script.sh
Of curse cript must have rule for opening so i change rules for 755.
Now you can try run script with daemon, i use this command: sudo -u daemon /patch_of_script/script.sh
last point is add command into php: exect("sudo /path/./script.sh" )
Now i can restart network via php.
Thank you
BR
MK
Replace exac($cmd, $mes); with exec($cmd, $mes);
I have a php page that is trying to run a service restart using:
$list=shell_exec('sudo /sbin/service NetworkManager restart');
I needed to edit my sudoers file to let this happen. Thus:
#Defaults requiretty
and
apache ALL=(ALL) NOPASSWD: /sbin/service
When that failed, as a test I ran:
apache ALL=(ALL) NOPASSWD: ALL
I have run a shell_exec without the sudo command:
$list=shell_exec('whoami');
echo $list;
This returned "apache" as expected. So I ran:
$list=shell_exec('id');
echo $list;
This returned “uid=48(apache) gid=48(apache) groups=48(apache),10(wheel)”
I checked the permissions of the files against a working system that is doing the same thing and they matched up. After that just for testing sake I changed all file permissions to 777. Still nothing. In the apache error log I get the line "sudo: no tty present and no askpass program specified". As I understand it that applies to the #Defaults requiretty line in the sudoers file but as stated that has been commented out. I have done a bit more testing with it and my current entry in the sudoers file is:
#Defaults requiretty
ALL ALL=(ALL) NOPASSWD: ALL
I know not to run the server this way as it is a huge security risk but at this point I am at a total loss for what is locking me down. Selinux is off all permissions are 777 and the ownership of files matches a working system I have. With all of this and all possible security I can think of turned off I still have the “sudo: no tty present and no askpass program specified” line in my /var/log/httpd/error_log every time. The output of:
$list=shell_exec('sudo echo "yes" 2>&1 ');
echo $list;
Is also “sudo: no tty present and no askpass program specified”?
I could really use some help on this one. I have read every article for 4 google pages on this every way I can think to google it.
From command prompt run
sudo visudo
Then go to the last line of the file and add the following line:
%www-data ALL=NOPASSWD: <Your-Command-Here>
Hope this works!
Although my setup is a little different (I'm not trying to achieve it without a password), I use this in the sudoers file:
apache ALL=(ALL) ALL
Defaults:apache !requiretty
I then run things as:
echo '{password}' | sudo -S {command}
I want to execute a Bash script present on the system from a PHP script. I have two scripts present on the system. One of them is a PHP script called client.php present at /var/www/html and the other is a Bash script called testscript present at /home/testuser.
My client.php script looks like
<?php
$message=shell_exec("/home/testuser/testscript 2>&1");
print_r($message);
?>
My testscript looks like
#!/bin/bash
echo "Testscript run succesful"
When i do the following on terminal
php client.php
I get the following output on terminal
Testscript run successful
But when i open the page at
http://serverdomain/client.php
I get the following output
sh: /home/testuser/testscript: Permission denied
I get this error even after I did chmod +x testscript.
How do I get it to work from the browser? Please help.
I would have a directory somewhere called scripts under the WWW folder so that it's not reachable from the web but is reachable by PHP.
e.g. /var/www/scripts/testscript
Make sure the user/group for your testscript is the same as your webfiles. For instance if your client.php is owned by apache:apache, change the bash script to the same user/group using chown. You can find out what your client.php and web files are owned by doing ls -al.
Then run
<?php
$message=shell_exec("/var/www/scripts/testscript 2>&1");
print_r($message);
?>
EDIT:
If you really want to run a file as root from a webserver you can try this binary wrapper below. Check out this solution for the same thing you want to do.
Execute root commands via PHP
Without really knowing the complexity of the setup, I like the sudo route.
First, you must configure sudo to permit your webserver to sudo run the given command as root. Then, you need to have the script that the webserver shell_exec's(testscript) run the command with sudo.
For A Debian box with Apache and sudo:
Configure sudo:
As root, run the following to edit a new/dedicated configuration file for sudo:
visudo -f /etc/sudoers.d/Webserver
(or whatever you want to call your file in /etc/sudoers.d/)
Add the following to the file:
www-data ALL = (root) NOPASSWD: <executable_file_path>
where <executable_file_path> is the command that you need to be able to run as root with the full path in its name(say /bin/chown for the chown executable). If the executable will be run with the same arguments every time, you can add its arguments right after the executable file's name to further restrict its use.
For example, say we always want to copy the same file in the /root/ directory, we would write the following:
www-data ALL = (root) NOPASSWD: /bin/cp /root/test1 /root/test2
Modify the script(testscript):
Edit your script such that sudo appears before the command that requires root privileges(say sudo /bin/chown ... or sudo /bin/cp /root/test1 /root/test2). Make sure that the arguments specified in the sudo configuration file exactly match the arguments used with the executable in this file.
So, for our example above, we would have the following in the script:
sudo /bin/cp /root/test1 /root/test2
If you are still getting permission denied, the script file and it's parent directories' permissions may not allow the webserver to execute the script itself.
Thus, you need to move the script to a more appropriate directory and/or change the script and parent directory's permissions to allow execution by www-data(user or group), which is beyond the scope of this tutorial.
Keep in mind:
When configuring sudo, the objective is to permit the command in it's most restricted form. For example, instead of permitting the general use of the cp command, you only allow the cp command if the arguments are, say, /root/test1 /root/test2. This means that cp's arguments(and cp's functionality cannot be altered).
I was struggling with this exact issue for three days. I had set permissions on the script to 755. I had been calling my script as follows.
<?php
$outcome = shell_exec('/tmp/clearUp.sh');
echo $outcome;
?>
My script was as follows.
#!bin/bash
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
I was getting no output or feedback. The change I made to get the script to run was to add a cd to tmp inside the script:
#!bin/bash
cd /tmp;
find . -maxdepth 1 -name "search*.csv" -mmin +0 -exec rm {} \;
This was more by luck than judgement but it is now working perfectly. I hope this helps.
It's a simple problem. When you are running from terminal, you are running the php file from terminal as a privileged user. When you go to the php from your web browser, the php script is being run as the web server user which does not have permissions to execute files in your home directory. In Ubuntu, the www-data user is the apache web server user. If you're on ubuntu you would have to do the following:
chown yourusername:www-data /home/testuser/testscript
chmod g+x /home/testuser/testscript
what the above does is transfers user ownership of the file to you, and gives the webserver group ownership of it. the next command gives the group executable permission to the file. Now the next time you go ahead and do it from the browser, it should work.
I've made a simple bash script for server admininstration and I cannot figure how can I run it in safely inside a php page: I'd like to create a php admininstration page but I obviously don't want to hard-code root password anyware. Let's make an example (this is a foo script, of course)
#!/bin/bash
touch /$1
this simple/stupid script will not work if the user who run it as no writing permission on /.
Actually the script add apache virtualhosts, ftp users and so on...
any ideas?
thanks
Use
sudo /path/to/executable/file
and set up sudo so it can execute the following command for the current user as a root.
http://www.sudo.ws/sudo/sudoers.man.html - here is the sudoers manual, the configuration file, that you have to modify.
zerkms ALL = (ALL) NOPASSWD: /sbin/iptables -L FORWARD -n -v -x
This is example from my /etc/sudoers. Here I allowed to run command /sbin/iptables -L FORWARD -n -v -x as root without asking a password for user zerkms.