I have a file that is a bash script that requires SUDO to work.
I can run it from the command line using SUDO but I will be prompted to put in the SUDO password.
I want to run this script from php via shell_exec but I if I call SUDO, its not like a command line where I can be prompted for the password. Is there a way to pass the password for sudo with the sudo call?
How can I do this?
Edit the sudoers file (with visudo) and add a rule that allows the web server user to run the command without a password. For example:
www-data ALL=NOPASSWD: /path/to/script
There are various solutions for this problem.
First of all, consider changing the script permissions, if reason why you want sudo is simply a permission issue (see the comment I added to the question above).
Another approach would be using the setuid bit. [Edit: Looks like setuid does not work well with scripts. For explananations, see this link.]
A third, but very insecure method is to read the password from a password file. Warning: This is very insecure, if there's any other possibility, don't do it. And if you do it, try hiding the password file somewhere in your folder hierarchy.
<?php
shell_exec('sudo -u root -S bash script.sh < /home/[user]/passwordfile');
?>
And a fourth possibility is to use the NOPASSWD tag in the sudoers file. You should limit this power to the specific commands you need.
You can add something like this to your sudoers file:
username ALL=NOPASSWD: /path/to/script
This will allow that particular user to call sudo on that particular script without being prompted for a password.
The best secure method is to use the crontab. ie Save all your commands in a database say, mysql table and create a cronjob to read these mysql entreis and execute via shell_exec(). Please read this link for more detailed information.
* * * * * killProcess.php
Related
I have a PHP script that when i press delete all button it will delete all the specific users cron.
I am trying to make it delete all the roots cron jobs but it wont work. Any idea?
I have access to the whole system including roots. I have http user and root.
PHP code:
if (isset($_POST['saveadconfig']))
{
shell_exec("sudo crontab -r -u root");
}
I tried without sudo but i added sudo and still nothing. There is loads more code but i made it simple to read. Thanks!
P.S: It goes into the if statement perfectly its just it wont run the command to remove root crons properly.
I also have
http ALL=(ALL) ALL
in my /etc/sudoers file. http is the php user.
Issue was me not providing the full paths to the commands while using sudo!
Another issue was i need to provide a password so i bypassed that with:
NOPASSWD: /usr/bin/crontab in sudoers file.
End result with PHP:
/usr/bin/sudo /usr/bin/crontab command
I have a php script that calls a python script which in turn is in charge of writing some files to disk.
If I execute the php script by entering its url in the web browser it can perform several filesystem related tasks:
it's able to create a dir
it's able to chmod the dir
but it's not able to execute the python script which would create and write other files.
The strange thing is that if I run the python script manually as www-data:
user#host $ sudo su www-data
passwd for sudo:
$ whoami
www-data
$ python my_script.py
It works like a charm.
I'm assuming the user when I run the script through the browser is www-data. So why is the result in the console any different?
SOLVED:
Python script starts off by importing some modules from my repository, which are appended to the path via .bashrc or .bash_profile on login consoles. These modules were not available from the browser to the user www-data. So adding this to the python script solved it:
import sys
sys.path.insert(0, 'path_to_my_modules')
solved it.
I apologize for the question. It didn't bring all the necessary information for users to lead to a solution. I guess the problem was so broad that it was difficult for me to start thinking of where its root was.
I lacked a good debugging technique to see what the error was. I commented out all the python script and begun with a simple print 'here'. Uncommenting lines one by one showed me the place where it just didn't print anything anymore (the error was obvious then).
First of all, don't assume that the user is www-data. You should get the output from whoami running from the PHP script to see if it is www-data. Also, you need to make sure your script has +x or execute permissions for the user.
You should read about execute permissions.
You need to use chown on your PHP script to change the ownership to the www-data user:
sudo chown www-data:www-data yourscript.php
Then you need to give the user execute permissions:
sudo chmod u+x yourscript.php
I have a couple of bash scripts on a Centos box which I use to do basic server admin stuff like restart services, etc. I run these as a standard user who is also the scripts' owner.
I tried to run these using shell_exec() in PHP, with the apache user, but it simply doesn't work - I'm guessing it doesn't have enough permissions (even with 775 and being in the correct group!) to run everything I want it to.
I've tried editing the sudoers file giving apache permission to run the script calls but it still doesn't work and has no error messages that I can see.
Any thoughts? How can one trigger a script from a web page which requires a different user to run?
check under which user is running apache ( for debian it is www-data)
add www-data in sudoers list with permission to execute files that you like
check which shell has www-data user in /etc/passwd (you will need to give valid shell)
run script with /bin/bash -x (it will output for sure)
Make sure safe mode is off. Also verify the user is the one you expect:
<?php echo exec('whoami'); ?>
How can PHP be used to create a number of commands in the terminal? For example, if I want to change the permissions on a folder or a file, I might run
Sudo Chmod 777 FileName
from the command line. How could I do this with PHP?
Look at exec, system etc: http://www.php.net/manual/en/book.exec.php
Obviously, if you are going to use sudo for root access stuff (not recommended) then you would need to either supply a password somehow or set the user which PHP is running as to not require a password.
It may be better to use an SSH call for this and supply the command to execute via that command.
To sum up, I really don't recommend using PHP (or any language for that matter) to run a series of commands which then uses sudo
To give permission to folder or file in php use following line of code
chmod($file,0777);
this will change the permission of file or folder.
Given a script test.php that has the contents:
#!/usr/bin/php
<?php
echo exec('whoami');
chmod('test.txt', 0755);
and a plain text file test.txt in the same directory as itself, it works fine if the user who created those files runs the script. However, if I do something along the lines of:
chown apache:apache test.php test.txt
chmod 4775 test.php
That gives the test.php the ability to run as the 'apache' user, no matter who's running it. But when I run it in that context, I get a "Warning: chmod(): Operation not permitted" error. And the user that gets echoed by the "whoami" command is the generic user, not the 'apache' user.
So, is there a way to allow a PHP script to run as a particular user, other than granting users sudo access to run the script as 'apache'?
So, is there a way to allow a PHP script to run as a particular user, other than granting users sudo access to run the script as 'apache'?
You must be missing something. Either you allow apache to execute the file under a different user (sudo/suexec) or not. However, this is merely configuration. So you should first decide what you want to achieve and then configure the server as needed.
So if you want to run the PHP script under a particular user, you do this with making use of the sudo functionality and specifying the user. Apache will then execute the script under that configured user.
If you do not like to make use of sudo then, well, then there is no other option then to run the script under the user that runs apache or apache has been configured to use for invoking the scripts.
So make your decision what you want to achieve. But if you want to change the user, the only way I'm aware of (probably there's something else as well but I doubt it) is making use of the apache sudo feature(s).