LinuxQuestions.org


bilal_linux 02-27-2008 12:45 AM

Executing sudo command from PHP script
 
Hello Everyone,

I am stuck in a slightly complex problem where I have a control panel application developed in PHP (running on Apache) and the actual frontend website is developed in Java running on Tomcat on the same machine.

From the control panel, I upload a few images that are used in the website. The control panel pages are located at /var/www/html/appname whereas the Tomcat application is present at /usr/local/apache/webapps/appname.

Now the problem is that the images should be directly uploaded/somehow copied to the /usr/local/apache/webapps/appname/images directory so that the website can access them. On a Windows machine it was not a problem. But on Linux I always get the message Permission denied.

I have also tried to upload images to /var/www/html/appname/images/ first and then copy them to the /usr/local/apache/webapps/appname/images/ directory by executing sudo from the PHP script, but it doesn't work. However, if I run the same command in the Linux shell, it works. The command is:

sudo cp /var/www/html/appname/images/image1.jpg /usr/local/apache/webapps/appname/images/image1.jpg

PHP is executed using the user apache, so I have added the following line to the sudoers file:

apache ALL=(ALL) NOPASSWD: ALL

But nothing seems to work. Any help would be highly appreciated.

Kind regards,
Bilal

Tinkster 02-27-2008 05:52 PM

What are the permissions on both directories, who owns which?
ls -l /var/www/html
ls -l /usr/local/apache/webapps/appname

Maybe you could save yourself a lot of coding hassles if you
gave the right user (group?) ownership of both...


Cheers,
Tink

bilal_linux 02-27-2008 11:12 PM

chmod 777 on both the directories. This is where all the confusion is. I did it for testing, but even chmod 777 didn't work.

Quote:

Originally Posted by Tinkster (Post 3071970)
What are the permissions on both directories, who owns which?
ls -l /var/www/html
ls -l /usr/local/apache/webapps/appname

Maybe you could save yourself a lot of coding hassles if you
gave the right user (group?) ownership of both...


Cheers,
Tink


eshcse 09-02-2008 05:01 AM

Same problem, any help??

Hello there, I'm also getting the same problem. I'm trying to execute some Linux system commands (like ps) from my PHP. I tried using the sudo command and edited the sudoers file too. But still I am not able to execute those commands. Please, if someone has already solved this problem or knows the solution, please do tell...


thanks in advance

regards
esh

another 1 03-21-2009 02:47 PM

I am having the same problem. Simple shell commands are executed via PHP, while root-based commands aren't. Using sudo didn't solve the problem, and even for simple commands, using sudo causes the command to stop working.

Quote:

For example
exec("echo 'test' > /tmp/test.txt");
works well, while
exec("sudo echo 'test' > /tmp/test.txt");
doesn't.
Executing
exec("whoami");
in PHP results in (apache).
When I edit apache in sudo to execute all the commands, nothing happens.

Quote:

apache ALL=(ALL) NOPASSWD:ALL

What is the problem? All the forums say we need to use sudo, but no one says how.

One more thing: sudo makes the shell stop working. For example, I have the root and the khalid user. When configuring httpd.conf to work as khalid (user khalid & group khalid), after giving the khalid user full privileges, I write the following commands in the shell and in PHP:
in the shell, whoami, and the output is khalid (when I am using khalid)
in the shell, sudo whoami, and the output is root (when I am using khalid)
in the PHP page, the command is exec("whoami") and the output is khalid
in the PHP page, the command is exec("sudo whoami") and there is no output (strange, isn't it?)

MorderVomUbel 09-05-2009 12:02 PM

Okay... First of all, sudo does NOT give root privileges to redirection operators, such as > and >>. It will still redirect output, but remember that the file you pipe to must be writable without root privilege.

Your real problem is most likely a little setting in your sudoers file that caused me a fair amount of grief. Do you have a line like this?

Code:

Defaults    requiretty

Comment that out! It's a sneaky little bugger that prevents non-tty users (such as apache scripts) from using sudo at all. My sudoers file has this to say about the setting:

Code:

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#        You have to run "ssh -t hostname sudo <cmd>".
#
#Defaults    requiretty

Notice that I commented it out.


WARNING:

Be wary of allowing apache sudo access, ESPECIALLY if you plan on giving it access to everything, and EVEN MORE SO if you have multiple domains or you didn't write all of the server-side scripts yourself (assuming you're a good coder :). Giving apache sudo access is a disaster waiting to happen, as ANY rogue script will have total power over your server!!! Please use an alternate method.

My method was to only give apache NOPASSWD sudo access to premade bash scripts that only did one small function each, and only accepted one small argument. Hopefully nobody evil ever finds out what those sudo-able commands are, but if they do, the most they can do is rewrite some apache virtual host config files. A bad thing, but not the end of the world :). BUT if I allowed apache sudo access to everything, any rogue script that found out about it could TOTALLY root the server. As I share a dedicated host with people who buy their php apps from coders who don't understand security, I wouldn't sleep well at night if Apache had full sudo access.

Sorry for the length of the post. I found this in a google search and wanted to warn fellow googlers. I hope that helps :)
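
The approach described in the post above (sudo limited to a single-purpose script that takes one small argument), sketched for the image-copy problem from the first post. This is an added example, not code from any poster in the thread; the helper path /usr/local/sbin/publish-image, the function names and the sudoers lines in the comments are assumptions.

```shell
#!/bin/sh
# Added sketch: a single-purpose helper that apache may run through sudo.
# Assumed sudoers lines (edit with visudo; the helper path is hypothetical):
#   Defaults:apache !requiretty
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/publish-image
# The helper itself must be owned by root and not writable by apache.

# Accept only a bare image file name from a small allow-list of characters.
valid_image_name() {
    case "$1" in
        ''|.*|-*) return 1 ;;             # empty, hidden or option-like
        *[!A-Za-z0-9_.-]*) return 1 ;;    # rejects /, spaces, ;, newlines ...
    esac
    case "$1" in
        *.jpg|*.jpeg|*.png|*.gif) return 0 ;;
    esac
    return 1
}

# Copy one validated image from src_dir to dest_dir.
# Returns 2 for a rejected name, 3 when the source is not a regular file.
publish_image() {
    src_dir=$1; dest_dir=$2; name=$3
    valid_image_name "$name" || { echo "rejected name" >&2; return 2; }
    src=$src_dir/$name
    # apache can write to src_dir, so refuse symlinks that could point at
    # any root-readable file. Best effort: a check-then-copy race remains.
    [ -f "$src" ] && [ ! -L "$src" ] || { echo "not a regular file" >&2; return 3; }
    # install writes a fixed mode instead of keeping the uploader's.
    install -m 0644 -- "$src" "$dest_dir/$name"
}

# Entry point when installed as the helper: exactly one argument, and the
# directories (taken from the thread) are fixed here, never caller-supplied.
if [ "$#" -eq 1 ]; then
    publish_image /var/www/html/appname/images \
                  /usr/local/apache/webapps/appname/images "$1"
fi
```

From PHP the call would be `exec('sudo /usr/local/sbin/publish-image ' . escapeshellarg($name))`, so apache's sudo rights cover this one helper and nothing else.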

another 1 09-22-2009 04:42 AM

Thank you very much MorderVomUbel. You know, that time I was asking about this, I was desperately searching for a solution because I was running out of time, but right now, I am concerned much about improving the application. Your post is very useful.

chrism01 09-22-2009 06:36 PM

Concur with MorderVomUbel about security implications. Good advice!

lutusp 09-22-2009 07:16 PM

Quote:

Originally Posted by bilal_linux (Post 3071146)
Hello Everyone,

I am stuck in a slightly complex problem where I have a control panel application developed in PHP (running on Apache) and the actual frontend website is developed in Java running on Tomcat on the same machine.

From the control panel, I upload a few images that are used in the website. The control panel pages are located at /var/www/html/appname whereas the Tomcat application is present at /usr/local/apache/webapps/appname.

Now the problem is that the images should be directly uploaded/somehow copied to the /usr/local/apache/webapps/appname/images directory so that the website can access them. On a Windows machine it was not a problem. But on Linux I always get the message Permission denied.

I have also tried to upload images to /var/www/html/appname/images/ first and then copy them to the /usr/local/apache/webapps/appname/images/ directory by executing sudo from the PHP script, but it doesn't work. However, if I run the same command in the Linux shell, it works. The command is:

sudo cp /var/www/html/appname/images/image1.jpg /usr/local/apache/webapps/appname/images/image1.jpg

PHP is executed using the user apache, so I have added the following line to the sudoers file:

apache ALL=(ALL) NOPASSWD: ALL

But nothing seems to work. Any help would be highly appreciated.

Kind regards,
Bilal

You cannot use "sudo" from a non-TTY. Think of another way to do what you need to do. "sudo" isn't what you want -- it is only for interactive sessions, or shell scripts launched directly from interactive sessions.

copyme 02-15-2010 07:23 PM

Dead thread resurrection time.

How would one assign a tty to a script or link via SSH or some such, to provide the capability to run commands as root?

The reason I ask is that I'm in the process of making a browser-based terminal in AJAX.

Found this in Google just now

Quote:

or am I left with no other option than to add a script to the server crontab (for root) which runs constantly?
How would that happen and would you be so kind as to help me?

I'm on Ubuntu Karmic.

MorderVomUbel 02-15-2010 11:29 PM

bump reply
 
copyme: This is probably the wrong thread to ask how to allocate a pseudo-terminal, but maybe pts is what you need? As for ssh... FreeNX uses a local ssh loop to authenticate, I believe. Regarding ways to actually hook them into your AJAX shell, I'll admit that I have no more knowledge/experience in that area.

If your main concern is running sudo commands inside the AJAX shell, see my previous post and add a line in your sudoers:

apache ALL=(ALL) NOPASSWD: ALL

...or you can ask questions if you have trouble.


As the thread has been bumped, I may as well respond to the last comments...

another1: Glad I could help out.

chrism01: Thanks for the compliment :)

lutusp: Unless you have a weird distro, sudo should work just fine if you follow what I showed in my previous post, as well as giving apache some NOPASSWD access.


everybody else: Happy linux admin'ing, and goodnight...


All times are GMT -5.