
nonshatter 02-05-2012 11:38 PM

Running a single command/script as root user through Apache/PHP

I have a requirement to execute a python script as root user through the browser.

I have a PHP web script which I want to shell out of and call a python script (The python script utilizes the selenium firefox web driver to capture automated screenshots). The python script needs to be run under the root environment.

I know it's not recommended to give root access to www-data, but it is the only way I can see that this will work.

The PHP call I am using is shell_exec, then I am trying to pipe a password through so it can be run as root:

PHP Code:

shell_exec("echo 'root_password' | sudo -u root -S python /usr/sbin/webdriver 'arg1' 'arg2'"); 

Is there a way to allow www-data to run the script as root? Preferably I would only like to give Apache root access to this one command, so that I'm not left with a completely vulnerable system - I have heard that the sudoers file can be edited to permit www-data to run certain commands as root? Bear in mind that the python script may invoke several other processes such as firefox, Xvfb etc.


www-data ALL=(ALL) NOPASSWD: executable_full_path
In this example, would the executable_full_path be the path to python? Or the path to my python script?

Nb: I have the default visudo config for Ubuntu 10.04.01 LTS:


# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

Thanks and Regards,

nonshatter 02-06-2012 12:34 AM

I have managed to get it working!

By editing the sudoers file, I have given www-data root permissions to run the python script:


# User alias specification
www-data ALL = NOPASSWD: /usr/bin/python,/usr/sbin/webdriver

I am not sure if I need both the path to python and the webdriver script, or if I can remove one of them. Nevertheless, it works and I'm happy.
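
An added example, not part of the thread: a small Python check that parses a sudoers user rule like the one above and reports entries where the command is `ALL` or a bare interpreter, since such an entry lets the listed account run any code as the target user rather than one script. It handles simple single-line rules only (no aliases or line continuations); the interpreter list and the script-only rule are assumptions constructed for illustration.

```python
import re

# Assumed list of programs that execute caller-supplied code when run bare.
INTERPRETER = re.compile(r"(python|perl|ruby|php|bash|dash|sh|env)[\d.]*")
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)

def audit_rule(line):
    """Parse one simple sudoers user rule; return None for anything else."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE.match(line)
    if not m:
        return None
    spec = m.group("spec")
    nopasswd = "NOPASSWD:" in spec
    spec = re.sub(r"\b[A-Z_]+:\s*", "", spec)  # drop tags such as NOPASSWD:
    risky = []
    for cmd in (c.strip() for c in spec.split(",")):
        path, _, args = cmd.partition(" ")
        name = path.rsplit("/", 1)[-1]
        # "ALL", or an interpreter with no fixed arguments, means the caller
        # chooses what code runs as the target user.
        if cmd == "ALL" or (INTERPRETER.fullmatch(name) and not args):
            risky.append(cmd)
    return {
        "who": m.group("who"),
        "runas": m.group("runas") or "root",  # sudo defaults to root
        "nopasswd": nopasswd,
        "risky": risky,
    }

# Rule quoted from the thread, and a constructed script-only variant.
THREAD_RULE = "www-data ALL = NOPASSWD: /usr/bin/python,/usr/sbin/webdriver"
SCRIPT_ONLY = "www-data ALL=(root) NOPASSWD: /usr/sbin/webdriver"

if __name__ == "__main__":
    for rule in (THREAD_RULE, SCRIPT_ONLY):
        print(rule, "->", audit_rule(rule))
```

The script-only rule assumes /usr/sbin/webdriver is executable with a Python shebang line and is writable only by root.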

