PHP-CLI Permission Question - php

Dear Stackoverflow'er:
I am currently trying to run my script over PHP-CLI. I want to create a file over:
fopen($filename, "w+")
If I run this over the web browser, the script will be able to create the file, since the folder is owned by 'www-data'.
But if I try to run it over CLI it doesn't work, since PHP does not have the same user, so I added www-data into /etc/sudoers with NOPASSWD.
I tried then to run:
sudo -u www-data php ./content.php
But it still doesn't work, do you have maybe a suggestion?
Best,
djcrackhome

Related

Wget Linux command is downloading files with Read Permissions for only sudo users - how to give Read permissions to all users?

I am running Ubuntu 16.04 and I am programming in PHP. Here is my problem:
I have a need to use the wget linux command to download all files from a website. So I am using PHP's shell_exec() function to execute the command:
$wgetCommand = "wget --recursive --page-requisites --convert-links $url 2>&1";
$wgetCommandOutput = shell_exec($wgetCommand);
This command downloads all files and folders from a website, recursively, to the current working directory (unless otherwise specified). The problem is that when these files and folders are downloaded, I do not have permissions to read them programmatically after that.
But if I do something like sudo chmod 777 -R path/to/downloaded/website/directory after they are downloaded with the wget command and before they are read programmatically, they are read just fine and everything works.
So I need a way to download folders and files from a website using wget command and they should have read permissions for all users, not just sudo.
How can I achieve that?
This sounds like a umask issue with the user running the PHP script.
Normally, Ubuntu would have a default umask of 0002. This would create a file with (-rw-rw-r--).
From the console you can check and set the umask for the PHP user via:
$ umask
And inside the PHP script, do a
<?php
umask()
If you are on a running webserver, it would, however, be better to alter the file permissions of the downloaded files afterwards, via
<?php
chmod()
The reason is that the umask handles file creation for all files - not just your script.
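The two options from the answer above, as an added example that is not part of the original answer: a umask scoped to a single command so nothing else the process creates is affected, and a read-only repair of an existing tree in place of `chmod 777 -R`. The function names are hypothetical and `touch` stands in for the wget call.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the page.

# Run one command under a temporary umask. The subshell keeps the
# change from leaking into the caller, so every other file the
# process creates still gets the default mask.
with_umask() {
    mask=$1; shift
    ( umask "$mask" && "$@" )
}

# Octal permission bits of a path (GNU stat, as shipped on Ubuntu).
mode_of() {
    stat -c '%a' "$1"
}

# Make an already-downloaded tree readable by everyone without 777:
# a+r grants read, X grants execute only on directories (and on
# files that are already executable), and nothing becomes writable.
make_world_readable() {
    chmod -R a+rX "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    with_umask 077 touch "$dir/private.txt"   # restrictive mask
    with_umask 022 touch "$dir/shared.txt"    # readable by all
    echo "umask 077 -> $(mode_of "$dir/private.txt")"
    echo "umask 022 -> $(mode_of "$dir/shared.txt")"
    make_world_readable "$dir"
    echo "after a+rX -> $(mode_of "$dir/private.txt")"
    rm -rf "$dir"
}

demo
```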

Executing terminal commands from PHP with sudo rights

I want to start a Python script from inside PHP code but I can't get the script to run with sudo rights. I'm running a LAMP installation with PHP 7.1 and the script needs to download and create temporary files.
I have tried putting the script in sudoers like this: www-data ALL=(root) NOPASSWD: /var/www/html/smuggler/process-data.py and with some other variations of this I found online, but it didn't work. I also tried to set the rights to the Python file itself using chmod but that didn't work either.
Everything I found online didn't work.
The only way it works is when i run it from the terminal as sudo.
I'd appreciate if someone could help me. Thanks.

PHP and shell, user access stuff

I want PHP to be able to create a folder in a folder where it does not have access. The created folder should in the end be owned by the user virtual and the group virtual.
I have tried adding the following to visudo.
virtual ALL=(ALL) NOPASSWD: /var/mail/virtual
_www ALL=(ALL) NOPASSWD: /var/mail/virtual
With that, I try the following command from PHP with exec():
sudo -u virtual mkdir /var/mail/virtual/test.com
The command works when executed through a terminal, but not when called through php.
Anyone able to tell me where I went wrong?
The server is running Ubuntu 14.04 LTS.
I made it work, somehow.
Changed the visudo to
www-data ALL=(ALL) NOPASSWD: /var/mail/virtual, /var/mail/virtual/dir.sh
Placed the script dir.sh in the folder and changed the command in the PHP part to
sudo /var/mail/virtual/dir.sh $dir
There are a number of things going wrong here.
Entries in /etc/sudoers specify commands that can be run, not directories that can be accessed.
There is generally no _www user on Ubuntu systems. That username is an artifact of Mac OS X.
The first user in the command line is the user that is being allowed to invoke sudo, not the user that they can run the command as.
A more appropriate solution here would be:
www-data ALL = (virtual) /bin/mkdir /var/mail/virtual/*
There are still some subtle vulnerabilities in this command specification (it's possible to escape /var/mail/virtual and create directories in other locations where virtual has permissions), but it's much more secure than what you've come up with.
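The `*` in the sudoers rule above also matches `/` and `..`, which is how a path can leave /var/mail/virtual. One way to close that gap, as an added example that is not the poster's dir.sh: allow a single wrapper with no wildcard and validate the directory name inside it. The wrapper path, `BASE` and the name rules are assumptions.

```shell
#!/bin/sh
# Added example; names and paths are hypothetical, not from the page.
# A matching sudoers entry needs no wildcard, for instance:
#   www-data ALL = (virtual) NOPASSWD: /usr/local/sbin/mkmaildir
BASE=${BASE:-/var/mail/virtual}

# Accept one path component that looks like a domain name: letters,
# digits, dots and hyphens only, no leading "." or "-", no "..",
# at most 253 characters. Slashes, spaces and newlines fail the
# character check, so the result always stays directly under BASE.
valid_name() {
    case $1 in
        ''|.*|-*|*..*) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Create BASE/<name> only when the name validates. No -p: parents
# are never created and an existing directory is reported as an error.
make_maildir() {
    valid_name "$1" || { echo "rejected: $1" >&2; return 2; }
    mkdir -- "$BASE/$1"
}

# When run as a script, take the directory name from the first argument.
if [ "$#" -gt 0 ]; then
    make_maildir "$1"
fi
```

The wrapper should be owned by root and not writable by www-data or virtual, otherwise whoever can edit it controls what runs under sudo.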

Mounting a drive in debian from php code

I've been at this for two days now and haven't been able to find any way (good or bad) of getting that to work.
I have to be able to dynamically mount drives over the network from my website's pages (that part is inevitable).
I have no problems doing it directly on the console with the following command
mount -t cifs //IP-REMOTE-MACHINE/Folder -o username=username,password=password /mnt/share
Obviously trying to just do a shell_exec() of this command wouldn't work with no root rights.
I tried to shell_exec() a script in which I would switch to the root user (via su or sudo mycommand), but neither of them would work. I have never been able to write a script that would automatically switch my user to root, even with the root password hard-coded (even if that feels like an extremely bad idea, I could have accepted that atm).
After that I tried to use pmount but never found a way to access a remote shared file (I don't think it's even possible, but I may have missed something here?)
All that is running on a Debian machine with apache2.
I have a wild idea...
You could set a cron to run as root that checks for mount commands from your script. The script would simply set a mount command to be processed, and when the cron gets to it, runs the mount, marks the command as processed, and writes to a log file which you could then display.
It's not safe to run sudo commands with www-data (the user for web servers in Debian).
But if you want to run sudo [command] in a php script, you must add the user www-data in sudoers: http://www.pendrivelinux.com/how-to-add-a-user-to-the-sudoers-list/
And then you can exec: sudo mount ...
EDIT: It's safer to add in visudo:
www-data ALL= NOPASSWD: /bin/mount
To allow www-data to use only sudo /bin/mount

Executing a bash file from a php page with root-only commands (Ubuntu)

I need to execute a bash file from a PHP page, with the exec() function. The problem is that in this bash file, there's the command "adduser"... which is a sudo command. I had the idea of modifying the sudoers so the user that runs the script would have access to it, but who is this user? I know apache2 is executed with the www-data user...
Thanks!
You can find out which user PHP is running as by using system to run the command 'whoami' and display the output.
system('whoami');
That seems like a rather bad plan, giving the www-user sudo access. But yes, it's www-data (by default, depending on Linux flavor) that Apache runs under.
