how to let the php/apache have the privileges to execute all the root shell commands
 

it seem like the font is larger than what i thought it would be. sorry and hope that doesn't annoy you.

Suggest : hit the edit button and change the text.

Big shouting text will often be ignored = no answers.

how to execute root based shell commands using PHP
 

hi. i am trying to use sudo to execute openssl commands in php program. the commands doesn’t respond. while the same commands work well in the terminal. the command is as follow.
exec(”openssl req -config /etc/pki_jungle/myCA/openssl.my.cnf -new -keyout /etc/pki_jungle/myCA/private/server.key -nodes -out /etc/pki_jungle/myCA/server.csr -days 365″);
the configuration file openssl.my.cnf is modified so that the creation of the signing request is batched and no further input is needed. what is the problem?

notice that i have used the absolute pathes
:cry:

Always include the error message text instead of talking about it and the actual command you are trying to run. Way more efficient. Also please fix your profile to include the dstribution and release you run or post it here if it isn't your main distribution.


If you take for example Apache you will notice it is started from the root user account but the webserver runs its (public-facing) children as a lesser-privileged user to avoid security problems (the less privileges the better). If (a process run by) one of those children has no access rights an error occurs. When enabled, SE Linux acts on top of those rights. In the default targeted policy SE Linux gives the webserver only access to certain parts of the filesystem. That is a Good Thing. Some commands are not meant to be run by lesser or unprivileged users because they are potentially destructive (reboot, fdisk, dd, you name it) or can disclose privileged information (network packet capture in promiscuous mode, catting /etc/shadow). Since you're new to GNU/Linux and PHP you should take extra precautions to avoid errors by exposing functionality users could abuse. Please read some coding standards and PHP security documents. If you for instance would like Apache access to output of say '/bin/ps axf' from a root account perspective you could use Sudo and add a command alias and a NOPASSWD entry for the user (see 'man sudoers').

Since you're new to GNU/Linux this all might be a bit too much. Getting acquainted with operating GNU/Linux in general (your distro's docs, Rute, etc), reading documents and (then) asking more informed questions would be a good course of action.


Don't apologise for that.
You have a question and you came to the right place.
Just please don't muck with fonts again.

i am working with fedora 8, i am not sure of the version of the php and the apache server (i think it is version 2). the application that i am trying to make is a small certification authority. in this design the computer should not be connected to other devices. only one device is connected to this computer via the database. the firewall should stop all the other connections.
the php commands doesn't support the CRL so i decided to use the shell script via the php. i am using simple php file that should generate the certificate sign request. the file is as follow
the command produce no error in the browser and no output file is produced as it should be. the command work well in the terminal. i read something about sudo, but i couldn't find the apache user in the sudoer file. i tried something like (after making the root stop asking about the password)
but still no output. i have disabled the SE linux using setenforce 0 and from the graphical user interface from the menu. but still nothing happens, i forgot to say that trying to execute the file in the browser (before disabling it) cause the SE linux to show error messages that i couldn't understand. (something like the SE linux is preventing the httpd user from .....). after disabling the SE linux, there is still no output, and the error messages stoped to show.
the configuration file openssl.my.cnf is modified so that the creation of the signing request is batched and no further input is needed.
notice that i have used the absolute pathes in the command

ok. how to merge it. please delete this thread and i will continue in the other one. i am so so sorry for the inconvience.

You can ask this forums moderators to merge your threads using the "Report" button on your original post. No need now as I already asked.


On LQ moderators take care not to delete threads unless really necessary (spam, mostly).


No problem, it's just that actually reading and understanding the LQ Rules before posting might have prevented this...

when i execute the "whoami" via the php. i get the result is apache. and when i use this value in the sudoer file, nothing happen. please suggest me some thing

Creating your own a CA is a one-off root should do in person. It isn't something that I can find valid reasons for doing it through that kind of pass-through way but you probably know better. If something doesn't show errors in your browser you can always check the webserver logs or create your own error log. (And since you only posted one command of the whole CA setup I don't even know if you're in the right directory, performed the right steps leading up to this, et cetera.) While you've set up OpenSSL for batch requests I think it still requires user input on stdin when the CA passphrase is created and needed when signing the certificate. The Apache user by default isn't in the /etc/sudoers. You have to configure it yourself.

Since creating a CA and CRL is a one-off, instead of doing everything through PHP, maybe look into an 'expect' script or a shell 'here document' script driving creation?

Two related threads have been merged.

first,you need to know which user apache is running.(you can know that by viewing the apache configuration file(httpd.conf),for me it is apache user.
second,you need to add root priviliges to that user:
using visudo and add this line(you are root):

apache ALL=NOPASSWD: ALL

then you create a php page to test it:
<?php
exec("/usr/bin/sudo /sbin/shutdown -r now 2>&1");
?>
if you are using fedora or centos you need to comment out this line using visudo:

#Default requiretty

good luck to you!

hi linux newbie. thanks you very much for your note. i was doing all the above procedure except commenting the line
#Default requiretty
before commenting the line, the php commands doesn't work when iam using sudo. for example the following command in the php

i haven't seen the effects on the openssl commands yet, because i am working in another PC that doesn't contain my openssl files. but it seem like it will succeed. i will see the effects later and tell you. but can you tell me what that commented line mean? and its effects.
thanks again for your help

another question. someone told me that there is some settings called the htaccess. and said that it is more secure than sudo. what is htaccess. and is it more secure. and how can i use it?

Under no condition, no matter how good the firewall is, should you be allowing apache to use sudo, nor should you ever be running apache as root.

What you're doing is equivalent to posting your root password on a web page.