I'm setting up a new server and of course I didn't document every change I did to the last one but I'm getting there.
I have a weird issue, I'm trying to do a simple call in php:
exec('service httpd reload');
And it's not doing anything. I can execute other commands such as tar, I did check php.ini for disabled_functions and it's empty. The username php is using for creating files/folders is "apache" as well.
Does anyone know any other areas I can check? This is a fresh install of php 5.2.x so I'm sure there is a security setting in apache or something blocking this.
Well your apache is most probably running under a normal user account (www-data or apache - it depends on your distribution), but to restart apache (or any other service) you have to be root.
You could use sudo to elevate your privileges.
You can't restart Apache as a normal user, but you should never leave your root password written in a file. If you really have to run that command from php, there's an alternative method.
You can allow certain commands to be run as root by a certain user without specifying a password. To do this you must edit the /etc/sudoers file with visudo and add the tag NOPASSWD to the command you want to run. Here is the example from the man page:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
This would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself.
I created multiple vhost and needed to reload the apache to make the vhost available, however shell_exec('service apache2 reload') didn't seem to work inside the container.
From my understanding, the php-apache (link) container runs under the www-data user, therefore it doesn't have permission to trigger the sudo command. So is there any way to shell_exec a sudo command?
FYI guys, this question is regarding a Docker container environment, not a normal Linux. Basically I can do all these commands under normal apache on the host machine, however I want to experiment with it in a Docker container. Ultimately, I would try all the other sudo commands such as a2ensite, a2dissite, etc...
Any thought? Thanks.
This is very highly discouraged, regarding security.
If you know what you are doing (usage in a local private network, filtering user data), you can add php, or a full user as root, to the sudoers file with the tool visudo.
sudo visudo
This way php won't ask for passwords at all.
Your script then needs to be called with sudo, so it can contain shell_exec sudo commands
sudo ./script.php
Adding a full user is also more than highly insecure, but from my view it is also very good for dev/hack and learning. It's good to know how this works and play around, to later focus on security.
It permits creating scratch system applications with powerful powers and their web interface.
In the sudoers file, add:
www-data ALL=(ALL) NOPASSWD: DNSRELOAD
This is highly used in private research environment.
See the sudoers manual: https://www.sudo.ws/man/sudoers.man.html
A very similar question: https://unix.stackexchange.com/questions/110931/using-sudoers-to-allow-php-to-run-command
No, you can't do this directly if your script is running under Apache. Your script hasn't enough rights to run such a command.
Anyway, I think that it's a very dangerous idea to give to your script the rights to use sudo, through Apache.
But you can leave a flag in your database or in a file on the server, and then let a script reload Apache via a superuser's crontab, for example, if the flag is found.
Example code:
<?php
if ($something_append) {
    // Leave a flag file on the server.
    touch('/srv/have_to_reload_apache');
}
?>
The superuser's cron : (could be a sh script or whatever)
sudo crontab -e
write :
*/5 * * * * php /path/to/sudo_script.php
This will run the script every 5 minutes.
The script could be :
<?php
if (file_exists('/srv/have_to_reload_apache')) {
    shell_exec('service apache2 reload'); // Reload apache
    unlink('/srv/have_to_reload_apache'); // Remove the flag file
}
?>
I have a couple of bash scripts on a Centos box which I use to do basic server admin stuff like restart services, etc. I run these as a standard user who is also the scripts' owner.
I tried to run these using shell_exec() in PHP, with the apache user, but it simply doesn't work - I'm guessing it doesn't have enough permissions (even with 775 and being in the correct group!) to run everything I want it to.
I've tried editing the sudoers file giving apache permission to run the script calls but it still doesn't work and has no error messages that I can see.
Any thoughts? How can one trigger a script from a web page which requires a different user to run?
Check which user Apache is running under (for Debian it is www-data).
Add www-data to the sudoers list with permission to execute the files that you like.
Check which shell the www-data user has in /etc/passwd (you will need to give it a valid shell).
Run the script with /bin/bash -x (it will produce output for sure).
Make sure safe mode is off. Also verify the user is the one you expect:
<?php echo exec('whoami'); ?>
Update: turns out the problem is more complicated than I originally thought. I was simultaneously trying to troubleshoot why my mkdir stopped working and it was because I had manually changed permissions of the parent directory to test then switched them back and added a chmod to the script which doesn't work since that one is being run by apache and not myself. I'll be posting a new question with the larger problem as I think adding all of this into this one will become confusing.
I'm a lab instructor at my university and I've been rewriting the script they provide for uploading assignments because the one they have is old and buggy. Instead of modifying the existing script (written in python) I've been writing it from scratch in php.
I've come across an issue where it seems that chown is not working. The php scripts run under the user apache. I'm not sure if that user is 'privileged' or not but the original script used chown.
Can I assume that therefore apache should have the needed authority and that my issue lies elsewhere or is that faulty logic?
The server is the university's and there is no way they will let me make any configuration changes. I do believe that it is CentOS that they're running. There is no error message; I just noticed that I can chmod the file and change the permissions but that the chown command on the next line seems to have no effect.
ls -al on the old scripts show:
-rwxr-xr-x 1 mattw labstaff 5067 Sep 1 17:52 File_Upload.cgi
Doesn't look like the setuid bit is on.
Stefan mentioned "The user apache most likely doesn't have enough permissions to chown a file/folder it does not own". The directory I'm attempting to chown was just created with a mkdir so it should be owned by apache. Should chown work regardless of privilege when you already own the file?
Apache probably doesn't have the privileges to do so. It depends on which environment it's running in. You said apache is running under the user apache, so I'm just going to assume that it's RHEL or a RHEL variant such as Centos.
You would be able to edit the sudoers file (with visudo) and give apache the ability to sudo without a password under a certain directory. Be aware that this isn't recommended if you're very security conscious.
Adding something like
apache ALL = NOPASSWD: /bin/chown 1[1-9][0-9][0-9]\:1[1-9][0-9][0-9] /var/www/[a-zA-Z0-9]*
You may be able to add apache to a different group, or another user to the apache group or something of the sort and chmodding it to 0775 or 0664 instead.
It would be best to post the code that's throwing the error, the error message if any, and which users and groups need access to the files being uploaded.
If the old script is run by the apache user but is able to execute chown it may have the setuid bit on to allow it to run with elevated privileges. In that case your assumption would be wrong.
Please post the output of ls -al /path/to/script to confirm this. It should show root as its owner and an s in its mode.
To enable setuid mode for the new script, chmod u+s it. Do note this may have serious security implications. In particular never leave a setuid script or binary writeable.
The user apache most likely doesn't have enough permissions to chown a file/folder it does not own, you can give apache more rights however this could become a security concern.
I need to change the user of a PHP script at runtime. I've looked at posix_setuid, but it looks insecure and requires root privileges. What would be preferable is changing the user id of the script with the user's password (something like posix_setuid($username, $password)), and avoiding running the script as root.
I'm open to other methods, and the script doesn't necessarily need to be PHP. However, it is going to be called from apache.
A good analogy to the scenario would be how cPanel su's to the currently logged in user on its file manager.
I need to change the user because I'm creating a file manager for a multi-user setup. Currently, I have the file manager set up so that apache serves my PHP file manager as root. However, this is not reasonable, because in case of a security bug in the code, one user can edit files on the entire server.
I'm looking for a way to SU the script to the logged in user so that in case of a security flaw, the user is only restricted to their own files.
I needed to do this a while ago. I basically created a bash script which accessed resources that only root had access to. Here's what I did:
Use the visudo command to change your /etc/sudoers:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
apache ALL= NOPASSWD: /sbin/myscript.sh
I have added the line which allows the apache user to run /sbin/myscript.sh with the sudo command without entering the password.
After that, you can just put the following in your php file to get the output:
$output = shell_exec("sudo /sbin/myscript.sh");
This recent question discusses two options for doing this with PHP:
PHP + FastCGI with suexec
suPHP
Has anyone ever used PHP (proven and successful) to CHMOD a directory through a Web Browser?
My roadblocks are:
(a) PHP script runs as "nobody" from the browser
(b) directory above the one I want to CHMOD is owned by the ftp user and "nobody" does not have write permissions to it
So when I try to chmod 0666 /usr/www/dirOwnedbyFTPuser/dirIamTryingToCHMOD/ I get Permission denied
If you have ever written and successfully run a script to do this, can you share the snippet of code with me? Thanks...been at this for months.
Yes, it is possible to do this via PHP. The usual Linux permission rules apply, however, so as you are looking to chmod scripts not owned by the apache user (nobody) and the apache user does not have write permissions, one method is to give apache permission to use sudo.
Be warned - this is potentially a massive security hole!!!
You can give apache permission to use sudo by editing the sudoers file. It is recommended that you do not edit this file directly as an error can leave you completely screwed so on my (Ubuntu) system I type
sudo visudo
Then you need to add a line for your "nobody" user. You can restrict sudo permissions to a particular script or folder, so I would recommend writing a shell script to change the permissions and then placing this in a folder away from any other scripts. That way apache doesn't have complete root privileges on your system (which is a pretty scary thought). You can also put some code in the shell script to restrict which files can be changed.
You also need to allow apache to sudo without a password as you have no way of entering the password through php. So the line you would add is something like
nobody ALL=(ALL) NOPASSWD: /path/to/my/script
Then in php you just prefix the command with sudo
passthru ("sudo /path/to/my/script ...");
(there are a few other functions you can use instead of passthru(), was just the first that came to mind)
As I said before, this is potentially very dangerous and whilst the above will work, I have only used it on my own private system before, never on a public production server. I'm sure plenty of people will have comments on the security of this so I would be interested to hear what other potential pitfalls and security holes there could be with this method. I know a similar thing can be done using SuExec but am not so familiar with it so if anyone has any pros or cons of SuExec over this method I would be interested to hear them.
Final note: I would change the apache user from nobody to something like 'apache' or 'www' - probably just being silly but I don't like the idea of giving root permissions to a user called nobody!!!
Hope this helps!
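The wrapper script suggested in the answer above, with "some code in the shell script to restrict which files can be changed", could look like the following. This is an added example, not code from the answer; the default base directory (borrowed from the path in the question), the mode allowlist and the function name safe_chmod are assumptions.

```shell
#!/bin/sh
# Added example: root-owned wrapper intended to be the only command the web
# user may run through sudo. ALLOWED_BASE and the mode list are assumptions.
ALLOWED_BASE="${ALLOWED_BASE:-/usr/www/dirOwnedbyFTPuser}"

# safe_chmod MODE TARGET: returns 0 after a successful chmod, or a distinct
# non-zero code for each kind of rejection.
safe_chmod() {
    mode=$1
    target=$2

    # Fixed allowlist: no setuid/setgid/sticky bits, no world-writable modes.
    case "$mode" in
        0644|0664|0755|0775) ;;
        *) echo "rejected mode: $mode" >&2; return 2 ;;
    esac

    # Refuse a symlink as the target so a planted link cannot redirect us.
    if [ -L "$target" ]; then
        echo "rejected symlink: $target" >&2; return 3
    fi
    if [ ! -e "$target" ]; then
        echo "no such path: $target" >&2; return 4
    fi

    # Resolve ".." and symlinked parent directories before comparing.
    base=$(readlink -f -- "$ALLOWED_BASE") || return 4
    real=$(readlink -f -- "$target") || return 4

    # The resolved path must sit strictly below the allowed base.
    case "$real" in
        "$base"/*) ;;
        *) echo "rejected path outside $base: $real" >&2; return 5 ;;
    esac

    chmod -- "$mode" "$real"
}

# When invoked as a script (for example through sudo), act on two arguments.
if [ "$#" -eq 2 ]; then
    safe_chmod "$1" "$2"
fi
```

The check and the chmod are separate steps, so the tree under the base directory must not be writable by the calling web user, or a path component could be swapped between them.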
Yes, you can chmod from PHP via a web browser (yes, we all know it can be a bad idea).
But you can only chmod files that the PHP script has permission to use! If your web server runs PHP as nobody, then you can chmod any files owned by "nobody"...
http://www.php.net/ftp
You could have php log in as the ftp user and do it.