how to let the php/apache have the privileges to execute all the root shell commands
hi
i am new to linux
i am working with php and i am trying to execute some commands using the PHP's (exec) command. but the commands didn't work. some simple commands like exec("echo 'test' > /tmp/test.txt"); work successfully while the others don't (root based commands). it seems like it has something to do with the SElinux because a problem message pops up when i am trying to execute these commands.
is the problem with the php or the apache server. and how to make them have the privileges to execute these commands?
sorry the answer may be simple but i am new to linux and php. sorry again for taking from your valuable time.
how to execute root based shell commands using PHP
hi. i am trying to use sudo to execute openssl commands in php program. the commands don't respond. while the same commands work well in the terminal. the command is as follows.
exec("openssl req -config /etc/pki_jungle/myCA/openssl.my.cnf -new -keyout /etc/pki_jungle/myCA/private/server.key -nodes -out /etc/pki_jungle/myCA/server.csr -days 365");
the configuration file openssl.my.cnf is modified so that the creation of the signing request is batched and no further input is needed. what is the problem?
it seems like it has something to do with the SElinux because a problem message pops up when i am trying to execute these commands.
Always include the error message text instead of talking about it and the actual command you are trying to run. Way more efficient. Also please fix your profile to include the distribution and release you run or post it here if it isn't your main distribution.
Quote:
Originally Posted by another 1
is the problem with the php or the apache server. and how to make them have the privileges to execute these commands? sorry the answer may be simple but i am new to linux and php.
If you take for example Apache you will notice it is started from the root user account but the webserver runs its (public-facing) children as a lesser-privileged user to avoid security problems (the less privileges the better). If (a process run by) one of those children has no access rights an error occurs. When enabled, SE Linux acts on top of those rights. In the default targeted policy SE Linux gives the webserver only access to certain parts of the filesystem. That is a Good Thing. Some commands are not meant to be run by lesser or unprivileged users because they are potentially destructive (reboot, fdisk, dd, you name it) or can disclose privileged information (network packet capture in promiscuous mode, catting /etc/shadow). Since you're new to GNU/Linux and PHP you should take extra precautions to avoid errors by exposing functionality users could abuse. Please read some coding standards and PHP security documents. If you for instance would like Apache access to output of say '/bin/ps axf' from a root account perspective you could use Sudo and add a command alias and a NOPASSWD entry for the user (see 'man sudoers').
Since you're new to GNU/Linux this all might be a bit too much. Getting acquainted with operating GNU/Linux in general (your distro's docs, Rute, etc), reading documents and (then) asking more informed questions would be a good course of action.
Quote:
Originally Posted by another 1
sorry again for taking from your valuable time.
Don't apologise for that.
You have a question and you came to the right place.
Just please don't muck with fonts again.
i am working with fedora 8, i am not sure of the version of the php and the apache server (i think it is version 2). the application that i am trying to make is a small certification authority. in this design the computer should not be connected to other devices. only one device is connected to this computer via the database. the firewall should stop all the other connections.
the php commands don't support the CRL so i decided to use the shell script via the php. i am using simple php file that should generate the certificate sign request. the file is as follows
the command produces no error in the browser and no output file is produced as it should be. the command works well in the terminal. i read something about sudo, but i couldn't find the apache user in the sudoers file. i tried something like (after making the root stop asking about the password)
but still no output. i have disabled the SE linux using setenforce 0 and from the graphical user interface from the menu. but still nothing happens, i forgot to say that trying to execute the file in the browser (before disabling it) causes the SE linux to show error messages that i couldn't understand. (something like the SE linux is preventing the httpd user from .....). after disabling the SE linux, there is still no output, and the error messages stopped showing.
the configuration file openssl.my.cnf is modified so that the creation of the signing request is batched and no further input is needed.
notice that i have used the absolute paths in the command
when i execute the "whoami" via the php. i get the result is apache. and when i use this value in the sudoers file, nothing happens. please suggest me something
the command produces no error in the browser and no output file is produced as it should be. the command works well in the terminal. i read something about sudo, but i couldn't find the apache user in the sudoers file. i tried something like (after making the root stop asking about the password)
Creating your own CA is a one-off root should do in person. It isn't something that I can find valid reasons for doing it through that kind of pass-through way but you probably know better. If something doesn't show errors in your browser you can always check the webserver logs or create your own error log. (And since you only posted one command of the whole CA setup I don't even know if you're in the right directory, performed the right steps leading up to this, et cetera.) While you've set up OpenSSL for batch requests I think it still requires user input on stdin when the CA passphrase is created and needed when signing the certificate. The Apache user by default isn't in the /etc/sudoers. You have to configure it yourself.
Since creating a CA and CRL is a one-off, instead of doing everything through PHP, maybe look into an 'expect' script or a shell 'here document' script driving creation?
first, you need to know which user apache is running as (you can find that by viewing the apache configuration file (httpd.conf)); for me it is the apache user.
second, you need to add root privileges to that user:
using visudo, add this line (you are root):
apache ALL=NOPASSWD: ALL
then you create a php page to test it:
<?php
exec("/usr/bin/sudo /sbin/shutdown -r now 2>&1");
?>
if you are using fedora or centos you need to comment out this line using visudo:
hi linux newbie. thank you very much for your note. i was doing all the above procedure except commenting the line
#Defaults requiretty
before commenting the line, the php commands don't work when i am using sudo. for example the following command in the php
Quote:
<?php
$a = exec("whoami");
echo $a;
?>
produces the output apache on the screen while
$a = exec("sudo whoami");
produces no output. i.e. using sudo makes the php script stop working.
i haven't seen the effects on the openssl commands yet, because i am working in another PC that doesn't contain my openssl files. but it seems like it will succeed. i will see the effects later and tell you. but can you tell me what that commented line means? and its effects.
thanks again for your help
another question. someone told me that there are some settings called the htaccess. and said that it is more secure than sudo. what is htaccess. and is it more secure. and how can i use it?
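Added example, not code posted by anyone in this thread: a narrower alternative to the apache ALL=NOPASSWD: ALL line, following the command-alias suggestion made earlier in the thread, with a PHP call that captures sudo's error text and exit status so that a refusal (such as the requiretty one) is visible instead of silent. The wrapper path /usr/local/sbin/make-csr.sh and the drop-in file name are assumptions; the wrapper is assumed to contain the fixed openssl command line.

```php
<?php
// Added example. Assumed sudoers drop-in (hypothetical file name and wrapper
// script; edit with: visudo -f /etc/sudoers.d/ca-csr):
//
//   Cmnd_Alias CA_CSR = /usr/local/sbin/make-csr.sh ""
//   Defaults:apache !requiretty
//   apache ALL = (root) NOPASSWD: CA_CSR
//
// The trailing "" means the wrapper may only be run without arguments, so the
// web server user can start exactly one root task and nothing else.

/**
 * Run a fixed argument vector and merge stderr into stdout, so messages
 * from sudo or openssl are captured instead of being dropped.
 * Returns [exit status, output lines].
 */
function run_command(array $argv): array
{
    // Quote every argument; nothing from the HTTP request is interpolated.
    $cmd = implode(' ', array_map('escapeshellarg', $argv)) . ' 2>&1';
    $output = [];
    $status = -1;
    exec($cmd, $output, $status);
    return [$status, $output];
}

// -n (non-interactive) makes sudo fail at once rather than wait for a password.
[$status, $lines] = run_command(['/usr/bin/sudo', '-n', '/usr/local/sbin/make-csr.sh']);

if ($status !== 0) {
    // Keep the details in the web server error log, not in the browser.
    error_log('make-csr failed (exit ' . $status . '): ' . implode(' | ', $lines));
    http_response_code(500);
    echo 'CSR generation failed; see the web server error log.';
} else {
    echo 'CSR generated.';
}
```

With SELinux enforcing, a denial for httpd is recorded in the audit log rather than in this output, so both places need checking when the command still produces nothing.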