LinuxQuestions.org
Old 08-30-2010, 03:08 PM   #1
fatook
LQ Newbie
 
Registered: Aug 2010
Posts: 4

Rep: Reputation: 0
Question php CGI


i want to run shell scripts in web with php. it worked in simple command like:
<?php
$output = shell_exec('ls -lart');
echo "<pre>$output</pre>";
?>
but when i test with command like "service iptables start" it doesn't work. because of limit access.
i think in the browser, php is running under one user, but when u run it in bash, it is likely running with your user permission (root)
i added "chmod +x ..." to command but it doesn't work yet!
plz help. tanxxx

Last edited by fatook; 08-31-2010 at 03:20 AM.
 
Old 08-30-2010, 03:27 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Welcome to LQ!

Quote:
but when i test with command like start or stop iptables it doesn't work. because of limit access.
No offense, but trying to do this is a PHENOMENALLY bad idea. Maybe if you explain a bit what you would like to accomplish we could point you in a more appropriate direction. But your hunch is right, it is a permissions issue.

By the way, please, please, PLEASE don't use text abbreviations here. It is annoying and unnecessary.
 
1 members found this post helpful.
Old 09-02-2010, 08:21 AM   #3
fatook
LQ Newbie
 
Registered: Aug 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Question

Quote:
Originally Posted by fatook
i want to run shell scripts in web with php. it worked in simple command like:
<?php
$output = shell_exec('ls -lart');
echo "<pre>$output</pre>";
?>
but when i test with command like "service iptables start" it doesn't work. because of limit access.
i think in the browser, php is running under one user, but when u run it in bash, it is likely running with your user permission (root)
i added "chmod +x ..." to command but it doesn't work yet!
plz help. tanxxx
hi. english is my second language so sorry for any mistake. anyway tanx 4 help. my problem is solved.
solution:

i added "apache ALL=NOPASSWD : ALL" to "/etc/sudoers" file
and make COMMENT " Defaults requiretty" to "/etc/sudoers" file

i can do "# service iptables start " or ...

now the problem is that i have GUI "dialog utility " in my scripts. when i run it in web it doesn't work and the errors are so strange. it's like that i can't run dialog utility in web. what do u think about it? tanx
 
Old 09-02-2010, 09:34 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by fatook
i added "apache ALL=NOPASSWD : ALL" to "/etc/sudoers" file
You seem capable of fscking up your system all by yourself pretty much OK. You don't need help. You need a lecture.
 
Old 09-02-2010, 03:13 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by fatook
i added "apache ALL=NOPASSWD : ALL" to "/etc/sudoers" file
and make COMMENT " Defaults requiretty" to "/etc/sudoers" file
Honestly fatook, I've thought about whether or not to say this, but I have to.......


If this isn't the single worst idea I think I've ever seen posted here at LQ, it is certainly in the top 5. Please rethink this approach because it is an open invitation to become a spam-spewing monstrosity and those of us out here don't need any more spam.
 
Old 09-04-2010, 07:43 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Fatook, I agree that you really need to think about what you are doing here. It seems you are new here and we don't know what your level of expertise is. Do you understand what these commands do and what you are doing? If not, you really need to learn. We can help you with that, but you need to help us to help you.
 
1 members found this post helpful.
Old 09-05-2010, 01:12 PM   #7
fatook
LQ Newbie
 
Registered: Aug 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Hangdog42 & Noway2
i don't know what is ur problem with me! u can only make criticism. i can't understand, why u answer my question if u know anything about this?!!
 
Old 09-05-2010, 01:33 PM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Why are we criticizing you? Because you haven't explained what problem you're trying to solve and the "solution" you've presented here is completely ridiculous from a security perspective. Essentially you've given Apache root capabilities and if anyone exploits your server, then THEY will have root capabilities. Is that what you really want?

Believe it or not, we're actually trying to HELP you by pointing out that your approach isn't very well thought out and we would be more than happy to make some suggestions if you would just state what it is you are trying to do. We can see you're trying to run shell scripts from a web page, but we need to know why you are trying to run these sorts of commands from a web page.
 
Old 09-08-2010, 04:24 AM   #9
fatook
LQ Newbie
 
Registered: Aug 2010
Posts: 4

Original Poster
Rep: Reputation: 0
i wrote a firewall with dialog utility (GUI) in fedora. i want to run it in web. this is the story.
any way unfortunately today i realized that dialog is CLI utility and it will never ever work with web browser. so even my ridiculous solution does not work! i have no idea. i think i should start all of my project from the first and write it with php. is this right?
 
Old 09-08-2010, 07:27 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
i wrote a firewall with dialog utility (GUI) in fedora. i want to run it in web. this is the story.
OK, but maybe you want to look at how it has been done elsewhere for some ideas. Take Webmin for example, it runs in a completely separate web server from Apache. This means that if Apache gets cracked, Webmin isn't going to be affected. You can also treat Webmin differently. For example on my server, Apache is accessible from the Internet, but Webmin is only accessible from my LAN. I could also lock it down further so that it is only accessible from certain computers on my LAN.


Quote:
i think i should start all of my project from the first and write it with php. is this right?
To be honest, I think you should rethink the approach entirely. Is there really a reason for needing access to the firewall via the web? There may be, but you haven't made it clear why you think this is a good approach or why it is needed.

The other thing to re-think is the way you're using sudoers. I think that is what got most of us concerned. If you look at the sudo changes you made, apache now has complete root access. This also means that if ANY website being served by Apache gets cracked, you've given the bad guys root access, and they can do whatever they want with your machine.

As for using PHP, you do need to educate yourself about the security aspects of PHP. There are some PHP configurations that if not done properly, can leave your website wide open to exploits. PHP exploits represent a ridiculous amount of the total exploits out there, so you really want to do your homework on PHP security.
 
1 members found this post helpful.
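
Added example (not written by any poster in this thread): a small Python audit that flags the kind of sudoers entry discussed above, where the web server account may run ALL commands, and lets a narrowly scoped rule pass. The sample file is constructed; the `webfw` account, the `/sbin/service` paths and the list of watched accounts are assumptions.

```python
import re

# Constructed sample input: the entry quoted in the thread, the requiretty line
# commented out as the poster describes, and a hypothetical narrower rule
# (the "webfw" account and the /sbin/service paths are assumptions).
SAMPLE_SUDOERS = """\
# Defaults requiretty
root   ALL=(ALL) ALL
apache ALL=NOPASSWD : ALL
webfw  ALL=(root) NOPASSWD: /sbin/service iptables start, /sbin/service iptables stop
"""

SERVICE_ACCOUNTS = {"apache", "httpd", "www-data", "nginx", "webfw"}
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")   # who host = spec
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")               # NOPASSWD:, PASSWD:, ...


def parse_commands(spec):
    """Return (command, nopasswd) pairs; a tag stays in force for later commands."""
    spec = re.sub(r"^\([^)]*\)\s*", "", spec.strip())  # drop the (runas) part
    nopasswd, pairs = False, []
    for item in spec.split(","):                       # escaped commas not handled
        item = item.strip()
        while (m := TAG.match(item)):
            if m.group(1) in ("NOPASSWD", "PASSWD"):
                nopasswd = m.group(1) == "NOPASSWD"
            item = item[m.end():]
        pairs.append((item, nopasswd))
    return pairs


def audit_sudoers(text, accounts=SERVICE_ACCOUNTS):
    """Flag watched accounts allowed to run ALL commands; aliases are not expanded."""
    requiretty, findings = False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if re.search(r"(?<!!)\brequiretty\b", line):
                requiretty = True
            continue
        m = RULE.match(line)
        if not m or m.group(1) not in accounts:
            continue
        for cmd, nopasswd in parse_commands(m.group(2)):
            if cmd == "ALL":
                findings.append((lineno, m.group(1), "ALL commands",
                                 "no password" if nopasswd else "password required"))
    return {"requiretty": requiretty, "findings": findings}
```

On the constructed sample, only the `apache` line is reported; the rule limited to two named commands produces no finding.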
  


All times are GMT -5.