8

I have a PHP script which is called via HTTP and not as a command line script. This script should call a shell command as another user than the current webserver user www-data.

Example:

<?php
echo shell_exec('sudo -u myusername -S /usr/bin/whoami'); // returns nothing :(
echo shell_exec('whoami'); // returns www-data

When calling these 2 commands, sudo -u myusername -S /usr/bin/whoami and whoami, directly on the command line they return

myusername
www-data

Also no result on this:

<?php
echo shell_exec('echo "mypass" | sudo -u myusername -S /usr/bin/whoami');

For me it seems that sudo does not work at all together with PHP's shell_exec().

6
  • What does your sudoers file say about www-data? Commented Feb 4, 2011 at 11:14
  • Does this mean using php or just the command inside the quotes? "When calling this 2 commands directly on the commandline they return" Commented Feb 4, 2011 at 11:18
  • @MadHatter, there is nothing about www-data in the sudoers file, @Dennis: I changed the description to be clear. Commented Feb 4, 2011 at 11:20
  • Hmm, I don't know whether PHP sanitizes PATH, so maybe you should give the full pathname to sudo and the command. Commented Feb 4, 2011 at 12:17
  • I already use the absolute pathnames. Commented Feb 4, 2011 at 12:54

3 Answers

5

Firstly, I don't understand the sudo command you're running. sudo -u username is supposed to allow you, as user one, to sudo a command as user two, by saying (as user one, in this example, to run the command ls):

sudo -u usertwo ls 

I apologise if you've tried to sanitise your commands above by substituting username for the real username, but I can't be sure you have done, so I need to raise this point first.

Secondly, sudo has to be configured to let a user perform a range of commands as another user. Let's start by allowing www-data to sudo the ls command as user fribble; you could test this by putting

www-data ALL = (fribble) NOPASSWD: ls 

in your sudoers file (substituting a real user as fribble). Then try doing, say, ls -la /tmp from inside your PHP script and see if you get a directory listing.

I agree with James Lawrie that it's not a good idea to allow the www-data user to sudo arbitrary commands, as arbitrary users, passwordlessly, but if you clarify what commands you're trying to get www-data to run, this may be a sensible way to do it.

Edit:

You have tried with ls in the sudoers file and sudo -u user2 ls -al /tmp in the PHP script, and you get a directory listing, which strongly suggests that sudo works fine with PHP.

To be sure, could you allow /bin/touch in the sudoers file, put sudo -u user2 touch /tmp/TESTFILE in the PHP script, then execute that? If a file /tmp/TESTFILE appears, owned by user2, we can be sure that sudo and PHP work fine together.

I must confess that if I had known that you were trying to sudo java, I would never have answered the original question, because I think java is a giant unpredictable sack of crap, which behaves like a complete baby if it doesn't get the environment it requires (and sudo fairly rigorously sanitises the environment). But at least the test above should help you be sure that, whatever the problem here is, it's not an issue with PHP and sudo not playing nicely together.

12
  • Thanks for the answer I will try it, I changed username in the example above. It was meant to be the real user name I want to use. Commented Feb 4, 2011 at 11:37
  • It does not work, I added the www-data and the other users name and the command. Commented Feb 4, 2011 at 11:59
  • Could you put your sudoers entry into the question above? Commented Feb 4, 2011 at 12:02
  • www-data ALL = (myusername) NOPASSWD: /usr/bin/java Commented Feb 4, 2011 at 12:54
  • I didn't suggest trying it with java, I suggested trying it with ls. ls is a somewhat lighter-weight command with more predictable output, which will hopefully give us some idea if sudo is being called or not. You are of course under no obligation to try anything suggested here, but it's probably not helpful to say you're trying it when in fact you're trying something different. Commented Feb 4, 2011 at 13:28
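An added example (not code from the question or any answer) of the pattern the answer describes: a PHP page that runs one fixed, sudoers-allowed command as another user. It assumes a sudoers entry of the form `www-data ALL = (user2) NOPASSWD: /bin/ls` and the user name `user2`; both are placeholders. It captures stderr and the exit status, so a sudo that refuses (missing sudoers entry, password required) reports why instead of "returning nothing", and it escapes every argument so a dynamically built path cannot add extra shell commands.

```php
<?php
// Added example, not from the original thread. Assumed sudoers entry:
//   www-data ALL = (user2) NOPASSWD: /bin/ls
// Only commands in the allowlist below are ever passed to sudo.

function runAsUser(string $user, string $command, array $args): array
{
    // Fixed allowlist of absolute command paths; keep it in sync with sudoers
    // and never derive it from request data.
    $allowed = ['/bin/ls', '/bin/touch'];
    if (!in_array($command, $allowed, true)) {
        return ['exit' => -1, 'stdout' => '', 'stderr' => "command not allowed: $command"];
    }

    // -n: never prompt for a password; fail with a message on stderr instead
    // of hanging (shell_exec() only returns stdout, which is why it looked empty).
    $cmd = '/usr/bin/sudo -n -u ' . escapeshellarg($user) . ' ' . escapeshellarg($command);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);   // each argument is a single shell word
    }

    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']]; // capture stdout and stderr separately
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    return ['exit' => $exit, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Same check the answer suggests: list /tmp as user2 (placeholder user name).
$result = runAsUser('user2', '/bin/ls', ['-la', '/tmp']);
if ($result['exit'] !== 0) {
    echo 'sudo failed (exit ' . $result['exit'] . '): ' . htmlspecialchars($result['stderr']);
} else {
    echo '<pre>' . htmlspecialchars($result['stdout']) . '</pre>';
}
```

Running it on a host without the sudoers entry prints sudo's own refusal message, which is the quickest way to tell a sudo configuration problem from a PHP problem.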
1

Don't allow the webserver user sudo access, you're just asking for trouble. Look into the setuid bit instead:
chmod u+s some_file_that_needs_executing_as_another_user.pl
Whenever that file is executed, it will be effectively executed by the user who created it.
On a side note, I'm pretty sure you can't pipe a password into sudo or passwd.

1
  • I have the command to be executed already, and it is dynamically created, so I can't place it before the execution in another file. Commented Feb 4, 2011 at 11:43
0

If you want to give special permissions to the web server process running as www-data user, you can do one of the following:

1- Add the www-data to sudoers file, so that it can execute the required command/script without asking for a password.

2- Enable the suexec apache module. This enables you to change the user from www-data to some other privileged user per virtual host. So, you don't need to change the user for the whole server.

2
  • I don't want to run the whole www-data user with extended rights, but only when executing this single command. Commented Feb 4, 2011 at 11:42
  • In the same way you allow users to run commands with sudo, you can restrict the commands a sudoing user can run, e.g.: www-data ALL=(ALL) /usr/bin/whoami Commented Feb 4, 2011 at 14:25
