[SOLVED] PHP code nothing happens when htpasswd issued
Best is to use the exec() call and catch all output of exec() and print it out to examine.
My first guess is that your passwd file is not writable by the Apache process. This runs in www-data context, while it is highly unlikely that www-data is allowed to write into /etc/squid/.
Either you make this file writable by www-data (which is a bad idea) or you find another location to put the passwd file.
jlinkels
But I'm running the script as root so shouldn't it action it anyway?
If I have to store the password file elsewhere, then it's going to have to be under the webserver data isn't it...somewhere in /var/www/ but not open to the web.
When I use exec with some catch output lines, nothing gets reported:
Code:
#htpasswd command add
error_reporting(E_ALL);
$output = exec("su /usr/bin/htpasswd -b /etc/squid/squid_passwd ".$row[0]." ".$row[1]);
fwrite(STDOUT,$output);
If you are running PHP as root, PHP does not run as Apache. Why do you think PHP runs as Apache? Are you calling your script from the command line, or from a web page?
God I hate programming sometimes.
print_r gave me the clue though so thanks.
The problem was the code was never entering the add password section due to this
Code:
#if enabled =1 then add the user
if ($row == 1 )
{
#htpasswd command add
system("htpasswd -b /etc/squid/squid_passwd ".$row[0]." ".$row[1]);
}
$row!!!!!
Should have been $row[2]
The htpasswd command is still verbose though, any ideas how to turn that off?
keeps listing the help file
A potential security risk I see with this code is that as the remote mysql server is open to the internet, someone could potentially hack in and enter some stuff into the database fields. Now whilst I can check if someone has entered in their own username/password combo for free access, I'm not at present checking the information in the fields. The user and password are passed straight on to the htpasswd command.
What should I be checking for in the fields to see if any dodgy stuff is passed through especially as the script is executed as root at present.
Should PHP safe mode be on for starters? Can I limit the exec dir in the php.ini just to /etc/squid/squid_passwd? Edit: I have added PHP's escapeshellcmd to the code, which strips out characters. I would still like to do the below though with permissions.
Do I:
- create new user scriptsuser
- chown the scripts to that user
- how do I then add permissions for the script to change anything in the /etc/squid/squid_passwd file, which is owned by root?
- in the cron I replace root path/to/scriptname with scriptuser /path/to/scriptname?
- that way any dodgy commands in the database transmission can only be run as scriptuser?
Quote:
Originally Posted by qwertyjjj
A potential security risk I see with this code is that as the remote mysql server is open to the internet, someone could potentially hack in and enter some stuff into the database fields. Now whilst I can check if someone has entered in their own username/password combo for free access, I'm not at present checking the information in the fields. The user and password are passed straight on to the htpasswd command.
The first thing to do IMHO would be to see if you're reinventing the wheel. Check your distro's repos. Then check Sourceforge, Freshmeat, Nongnu, Berlios and see if something like changepassword doesn't exist yet. Check if the tool uses the interpreter you want to use and if the project is still maintained.
Quote:
Originally Posted by qwertyjjj
What should I be checking for in the fields to see if any dodgy stuff is passed through especially as the script is executed as root at present.
Programming comes with a set of best practices. One of them is to never ever trust user input. On error try not to think for the user and correct things but reject it completely. See these Top 5 Security Tips at the shiflett.org (his web log makes for a good read wrt PHP security so please do), The Problem With PHP Application Security, part #7 of the LQ Security references.
Quote:
Originally Posted by qwertyjjj
Should PHP safe mode be on for starters?
If it's on by default you should aim to understand what it's about, what it affects, if it's a risk itself (0, 1, 2) what the risk of flipping the boolean will be and if there are supported alternatives like suPHP (note) (suPHP being meant for running as other unprivileged users, not root of course).
* I do realise you're between a rock and a hard place with respect to machine delivery time constraints vs configuring and hardening your server and I can only hope the posts I've made in the past days convey to you properly that most information is widely available even with rudimentary search-fu, that knowledge and self-reliance need to be actively cultivated and that, with all due respect, you should choose to think before you act. If that doesn't do it for you think about cost of investment: you can invest to read now resulting in a design for your system that makes it redundant, resilient and reasonably secure or you can cut corners and rush your server into production and then be forced to support it eternally while fixing breakage, dousing fires, patching things up. If that doesn't do it for you think about being a paying customer (if applicable): would you sink money into crappy service with breakage and downtimes going through the roof? Or would you rather trust a solid, smooth-running, hardened server with your business?..
Last edited by unSpawn; 08-17-2009 at 03:27 AM.
Reason: //more *is* more.
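An added example, not code from any post in this thread: one way to apply the "reject it completely" advice to the rows the script reads, using the thread's row layout and htpasswd path. It checks each field against an allow-list and runs htpasswd without a shell; the character sets, length limits, sample rows, string-typed fields, htpasswd's -i option (Apache 2.4) and the array form of proc_open() (PHP 7.4 or later) are assumptions.

```php
<?php
// Added example. Row layout follows the thread: [0] user, [1] password, [2] enabled.
const HTPASSWD = '/usr/bin/htpasswd';   // path used in the thread

// Allow-list validation: return a reason to reject, or null if the row is acceptable.
// Character sets and length limits are assumptions; fields are assumed to be strings.
function reject_reason(array $row): ?string
{
    if (count($row) < 3) return 'missing fields';
    [$user, $pass, $enabled] = $row;
    // First character must be alphanumeric, so a name can never look like an option.
    if (!is_string($user) || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,31}\z/', $user))
        return 'bad username';
    // Printable ASCII only: no newlines or other control characters.
    if (!is_string($pass) || !preg_match('/\A[\x20-\x7E]{8,128}\z/', $pass))
        return 'bad password';
    if ($enabled !== '0' && $enabled !== '1') return 'bad enabled flag';
    return null;
}

// Run htpasswd directly (array form of proc_open), so no shell parses the values.
// -i reads the password from stdin, keeping it out of the process list.
function add_user(string $file, string $user, string $pass): bool
{
    $spec = [0 => ['pipe', 'r'], 1 => ['file', '/dev/null', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([HTPASSWD, '-i', $file, $user], $spec, $pipes);
    if (!is_resource($proc)) return false;
    fwrite($pipes[0], $pass . "\n");
    fclose($pipes[0]);
    $err = stream_get_contents($pipes[2]);   // htpasswd's messages are captured here
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) error_log("htpasswd exit $status: " . trim($err));
    return $status === 0;
}

// Constructed sample rows standing in for the database result set.
$rows = [
    ['alice', 'correct horse 42', '1'],
    ['bob; id', 'whatever-pass', '1'],      // shell metacharacters in the name
    ['-x', 'whatever-pass', '1'],           // leading dash would be parsed as an option
    ['carol', "line1\nline2-long", '1'],    // embedded newline in the password
    ['dave', 'disabled-user-pw', '0'],      // valid but not enabled
];
$file = tempnam(sys_get_temp_dir(), 'htpw'); // scratch file, not /etc/squid/squid_passwd
foreach ($rows as $row) {
    $why = reject_reason($row);
    if ($why !== null) { echo "REJECT " . json_encode($row[0]) . ": $why\n"; continue; }
    if ($row[2] !== '1') { echo "SKIP   {$row[0]}: not enabled\n"; continue; }
    $ok = is_executable(HTPASSWD) && add_user($file, $row[0], $row[1]);
    echo ($ok ? 'ADDED  ' : 'FAILED ') . "{$row[0]}\n";
}
unlink($file);
```

Because htpasswd's messages are read from its stderr pipe rather than inherited, nothing from the tool is printed unless the call fails and the text is logged.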