Old 03-20-2009, 03:53 PM   #1
another 1
Member
 
Registered: Nov 2008
Posts: 65

Rep: Reputation: 15
how to let the php/apache have the privileges to execute all the root shell commands


Hi,
I am new to Linux.
I am working with PHP and I am trying to execute some commands using PHP's exec command, but the commands didn't work. Some simple commands like exec("echo 'test' > /tmp/test.txt"); work successfully while the others don't (root-based commands). It seems like it has something to do with SELinux, because a problem message pops up when I am trying to execute these commands.
Is the problem with PHP or the Apache server? And how do I make them have the privileges to execute these commands?
Sorry, the answer may be simple, but I am new to Linux and PHP. Sorry again for taking up your valuable time.

Last edited by another 1; 03-21-2009 at 09:47 AM.
 
Old 03-20-2009, 03:55 PM   #2
another 1
Member
 
Registered: Nov 2008
Posts: 65

Original Poster
Rep: Reputation: 15
It seems like the font is larger than I thought it would be. Sorry, and I hope that doesn't annoy you.
 
Old 03-21-2009, 06:14 AM   #3
knudfl
LQ 5k Club
 
Registered: Jan 2008
Location: Copenhagen, DK
Distribution: pclos2014.08, Slack14.1 DebWheezy, +50+ other Linux OS, for test only.
Posts: 13,947

Rep: Reputation: 2602
Suggest: hit the edit button and change the text.

Big shouting text will often be ignored = no answers.
 
Old 03-21-2009, 07:27 AM   #4
another 1
Member
 
Registered: Nov 2008
Posts: 65

Original Poster
Rep: Reputation: 15
Question how to execute root based shell commands using PHP

Hi. I am trying to use sudo to execute openssl commands in a PHP program. The commands don't respond, while the same commands work well in the terminal. The command is as follows.
exec("openssl req -config /etc/pki_jungle/myCA/openssl.my.cnf -new -keyout /etc/pki_jungle/myCA/private/server.key -nodes -out /etc/pki_jungle/myCA/server.csr -days 365");
The configuration file openssl.my.cnf is modified so that the creation of the signing request is batched and no further input is needed. What is the problem?

Notice that I have used the absolute paths.

 
Old 03-21-2009, 07:36 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,469
Blog Entries: 54

Rep: Reputation: 2900
Quote:
Originally Posted by another 1 View Post
It seems like it has something to do with SELinux, because a problem message pops up when I am trying to execute these commands.
Always include the error message text instead of talking about it and the actual command you are trying to run. Way more efficient. Also please fix your profile to include the distribution and release you run or post it here if it isn't your main distribution.


Quote:
Originally Posted by another 1 View Post
Is the problem with PHP or the Apache server? And how do I make them have the privileges to execute these commands? Sorry, the answer may be simple, but I am new to Linux and PHP.
If you take for example Apache you will notice it is started from the root user account but the webserver runs its (public-facing) children as a lesser-privileged user to avoid security problems (the less privileges the better). If (a process run by) one of those children has no access rights an error occurs. When enabled, SE Linux acts on top of those rights. In the default targeted policy SE Linux gives the webserver only access to certain parts of the filesystem. That is a Good Thing. Some commands are not meant to be run by lesser or unprivileged users because they are potentially destructive (reboot, fdisk, dd, you name it) or can disclose privileged information (network packet capture in promiscuous mode, catting /etc/shadow). Since you're new to GNU/Linux and PHP you should take extra precautions to avoid errors by exposing functionality users could abuse. Please read some coding standards and PHP security documents. If you for instance would like Apache access to output of say '/bin/ps axf' from a root account perspective you could use Sudo and add a command alias and a NOPASSWD entry for the user (see 'man sudoers').

Since you're new to GNU/Linux this all might be a bit too much. Getting acquainted with operating GNU/Linux in general (your distro's docs, Rute, etc), reading documents and (then) asking more informed questions would be a good course of action.


Quote:
Originally Posted by another 1 View Post
sorry again for taking from your valuable time.
Don't apologise for that.
You have a question and you came to the right place.
Just please don't muck with fonts again.
 
Old 03-21-2009, 09:40 AM   #6
another 1
Member
 
Registered: Nov 2008
Posts: 65

Original Poster
Rep: Reputation: 15
I am working with Fedora 8. I am not sure of the versions of PHP and the Apache server (I think it is version 2). The application that I am trying to make is a small certification authority. In this design the computer should not be connected to other devices. Only one device is connected to this computer via the database. The firewall should stop all the other connections.
The PHP commands don't support the CRL, so I decided to use the shell script via PHP. I am using a simple PHP file that should generate the certificate signing request. The file is as follows:
Quote:
<?php
exec("openssl req -config /etc/pki_jungle/myCA/openssl.my.cnf -new -keyout /etc/pki_jungle/myCA/private/server.key -nodes -out /etc/pki_jungle/myCA/server.csr -days 365");
?>
The command produces no error in the browser and no output file is produced as it should be. The command works well in the terminal. I read something about sudo, but I couldn't find the apache user in the sudoers file. I tried something like (after making the root stop asking about the password)
Quote:
exec("sudo -u root openssl req -config /etc/pki_jungle/myCA/openssl.my.cnf -new -keyout /etc/pki_jungle/myCA/private/server.key -nodes -out /etc/pki_jungle/myCA/server.csr -days 365");
But still no output. I have disabled SE Linux using setenforce 0 and from the graphical user interface from the menu, but still nothing happens. I forgot to say that trying to execute the file in the browser (before disabling it) caused SE Linux to show error messages that I couldn't understand (something like SE Linux is preventing the httpd user from .....). After disabling SE Linux, there is still no output, and the error messages stopped showing.
The configuration file openssl.my.cnf is modified so that the creation of the signing request is batched and no further input is needed.
Notice that I have used the absolute paths in the command.
 
Old 03-21-2009, 09:41 AM   #7
another 1
Member
 
Registered: Nov 2008
Posts: 65

Original Poster
Rep: Reputation: 15
OK. How to merge it? Please delete this thread and I will continue in the other one. I am so, so sorry for the inconvenience.
 
Old 03-21-2009, 11:18 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,469
Blog Entries: 54

Rep: Reputation: 2900
Quote:
Originally Posted by another 1 View Post
ok. how to merge it.
You can ask this forum's moderators to merge your threads using the "Report" button on your original post. No need now as I already asked.


Quote:
Originally Posted by another 1 View Post
please delete this thread and i will continue in the other one.
On LQ moderators take care not to delete threads unless really necessary (spam, mostly).


Quote:
Originally Posted by another 1 View Post
I am so, so sorry for the inconvenience.
No problem, it's just that actually reading and understanding the LQ Rules before posting might have prevented this...
 
Old 03-21-2009, 02:25 PM   #9
another 1
Member
 
Registered: Nov 2008
Posts: 65

Original Poster
Rep: Reputation: 15
When I execute "whoami" via PHP, the result I get is apache. And when I use this value in the sudoers file, nothing happens. Please suggest something.
 
Old 03-22-2009, 04:22 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,469
Blog Entries: 54

Rep: Reputation: 2900
Quote:
Originally Posted by another 1 View Post
The command produces no error in the browser and no output file is produced as it should be. The command works well in the terminal. I read something about sudo, but I couldn't find the apache user in the sudoers file. I tried something like (after making the root stop asking about the password)
Creating your own CA is a one-off root should do in person. It isn't something that I can find valid reasons for doing it through that kind of pass-through way but you probably know better. If something doesn't show errors in your browser you can always check the webserver logs or create your own error log. (And since you only posted one command of the whole CA setup I don't even know if you're in the right directory, performed the right steps leading up to this, et cetera.) While you've set up OpenSSL for batch requests I think it still requires user input on stdin when the CA passphrase is created and needed when signing the certificate. The Apache user by default isn't in the /etc/sudoers. You have to configure it yourself.

Since creating a CA and CRL is a one-off, instead of doing everything through PHP, maybe look into an 'expect' script or a shell 'here document' script driving creation?
 
Old 03-22-2009, 12:12 PM   #11
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 73
Two related threads have been merged.
 
Old 03-23-2009, 03:56 AM   #12
linux_newbie2009
LQ Newbie
 
Registered: Mar 2009
Posts: 2

Rep: Reputation: 1
First, you need to know which user Apache is running as (you can find that by viewing the Apache configuration file, httpd.conf); for me it is the apache user.
Second, you need to add root privileges to that user:
using visudo, add this line (you are root):

apache ALL=NOPASSWD: ALL

Then you create a PHP page to test it:
<?php
exec("/usr/bin/sudo /sbin/shutdown -r now 2>&1");
?>
If you are using Fedora or CentOS you need to comment out this line using visudo:

#Defaults requiretty

Good luck to you!
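
An audit sketch for the two sudoers changes in the post above, set beside the scoped command-alias form unSpawn describes in post #5. This is an added example, not part of the thread: the sample sudoers text, the `WEB_PS` alias name and the function names are constructed for illustration, and `Defaults:apache !requiretty` is standard sudoers syntax that no poster used.

```bash
#!/usr/bin/env bash
# Added example: classify the sudoers rules that apply to one account.
# Simplified parser: no line continuations, groups, User_Alias or
# #include handling, and Cmnd_Alias names are not expanded.
audit_sudoers_user() {   # usage: audit_sudoers_user USER < sudoers-text
    awk -v user="$1" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                   # comments, blank lines
    $1 == "Defaults" && $2 == "requiretty" { tty = 1; next }
    $1 == ("Defaults:" user) && $2 == "!requiretty" { exempt = 1; next }
    $1 == user {
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                  # drop "user host ="
        auth = (spec ~ /NOPASSWD[ \t]*:/) ? "NOPASSWD" : "PASSWD"
        gsub(/\([^)]*\)/, "", spec)                     # drop run-as list, e.g. (root)
        gsub(/[A-Z_]+[ \t]*:/, "", spec)                # drop tags, e.g. NOPASSWD:
        kind = "SCOPED"
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
            if (cmds[i] == "ALL") kind = "BLANKET"      # any command at all
        }
        print kind " " auth ": " $0
    }
    END {
        if (!tty)        print "requiretty: off for every account"
        else if (exempt) print "requiretty: off for " user " only"
        else             print "requiretty: on"
    }'
}

sample_blanket() { cat <<'EOF'
# constructed sample: the two changes from the post above
#Defaults requiretty
apache ALL=NOPASSWD: ALL
EOF
}
sample_scoped() { cat <<'EOF'
# constructed sample: one fixed command behind an alias
Defaults requiretty
Defaults:apache !requiretty
Cmnd_Alias WEB_PS = /bin/ps axf
apache ALL = (root) NOPASSWD: WEB_PS
EOF
}

echo "== blanket =="; sample_blanket | audit_sudoers_user apache
echo "== scoped ==";  sample_scoped  | audit_sudoers_user apache
```

A BLANKET NOPASSWD finding means every process running as that account can run any command as root without a password; a SCOPED finding limits it to the listed commands.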
 
Old 03-23-2009, 09:37 AM   #13
another 1
Member
 
Registered: Nov 2008
Posts: 65

Original Poster
Rep: Reputation: 15
Hi linux newbie. Thank you very much for your note. I was doing all of the above procedure except commenting out the line
#Defaults requiretty
Before commenting out the line, the PHP commands didn't work when I was using sudo. For example the following command in PHP

Quote:
<?php
$a = exec("whoami");
echo $a;
?>
produces the output apache on the screen, while
$a = exec("sudo whoami");
produces no output, i.e. using sudo makes the PHP script stop working.
I haven't seen the effects on the openssl commands yet, because I am working on another PC that doesn't contain my openssl files, but it seems like it will succeed. I will see the effects later and tell you. But can you tell me what that commented line means, and its effects?
Thanks again for your help.
thanks again for your help
 
Old 03-23-2009, 09:42 AM   #14
another 1
Member
 
Registered: Nov 2008
Posts: 65

Original Poster
Rep: Reputation: 15
Another question. Someone told me that there are some settings called htaccess, and said that it is more secure than sudo. What is htaccess? Is it more secure? And how can I use it?
 
Old 03-23-2009, 09:42 AM   #15
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Quote:
Originally Posted by another 1 View Post
i am new to linux
Under no condition, no matter how good the firewall is, should you be allowing apache to use sudo, nor should you ever be running apache as root.

What you're doing is equivalent to posting your root password on a web page.
 
  

