[nycphp-talk] SSH2_CONNECT

Michele Waldman mmwaldman at nyc.rr.com
Fri Jul 31 19:33:12 EDT 2009


So I rewrote the code in bash due to my client's concern about bandwidth.

Here's my new problem:
$msg = exec("echo $password | sudo /home/user/site_util/copy_sites $id 2> /dev/null");

The script isn't running.

Since it's running from http, I modified the user nobody to have /bin/bash
in /etc/passwd and gave the user a password.

I can login to the server as nobody and run this code on the command line.
Works fine.

Does anyone know why this execute isn't working in PHP?

Michele

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On Behalf Of Kenneth Dombrowski
> Sent: Friday, July 31, 2009 7:33 AM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] SSH2_CONNECT
> 
> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
> > Most probably your PHP script will be running under the same username as
> > Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
> > wouldn't want to give www or nobody sudo privilege anyway!).
> 
> All this talk about sudo not working made me curious -- why shouldn't it
> work?  It will, and a well configured sudo offers a very fine level of
> control -- though whether one wants to do it is another question.
> 
> # visudo
> Defaults:www-data       !lecture
> Defaults:www-data       !authenticate
> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
> 
> The first two lines get rid of sudo's usual prompts, since it will never
> run interactively, and the last specifies a single command + argument
> www-data is allowed to run as kenneth (you can use shell-style globs).
> 
> # sudo.php
> <?php
> header('Content-type: text/plain');
> $f = '/tmp/sudoer.apache';
> system("sudo -u kenneth /usr/bin/touch $f");
> print "\n$f exists? " . (bool) file_exists($f);
> 
> kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
>    /tmp/sudoer.apache exists? 1
> kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache
> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
> 
> So on Debian, www-data successfully created a file as kenneth.  On FreeBSD
> I think www/nobody/whatever has a /bin/false shell, so there it won't
> work.  Of course, you shouldn't do it on shared hosts, and I'm sure
> somebody will tell me you shouldn't do it at all, but it's not due to a
> technical limitation.
> 
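Two things about the `exec()` line above are worth spelling out for anyone reading this later. `echo $password | sudo ...` puts the password into a command line that is visible to every local user via `ps`, and by default sudo does not read its password from stdin anyway (it wants a terminal, which Apache does not have), so the pipe achieves nothing. The `2> /dev/null` then throws away the one message that would explain the failure. The following is an added example, not code from the thread: it pairs a per-command `NOPASSWD` sudoers rule, in the spirit of Kenneth's `!authenticate` entry, with a PHP wrapper that never handles a password, validates and escapes the argument, and keeps sudo's stderr for the server log. The `copy_sites` path is the one from the post; the `www-data` user, the `root` target and the `id` format are assumptions.

```php
<?php
// Added example (not from the thread): run a single privileged helper from
// PHP without putting a password on the command line.
//
// Assumed sudoers entry (hypothetical user/target), installed with visudo:
//   www-data ALL = (root) NOPASSWD: /home/user/site_util/copy_sites
// sudo -n refuses to prompt, so with no tty a missing or wrong rule fails
// immediately with a message on stderr instead of hanging the request.

function run_copy_sites(string $id): array
{
    // Accept only the identifier shape the helper is meant to take; reject
    // anything else before it reaches the shell at all.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return ['status' => 1, 'stdout' => '', 'stderr' => 'invalid id'];
    }

    $cmd = 'sudo -n /home/user/site_util/copy_sites ' . escapeshellarg($id);

    $spec = [
        1 => ['pipe', 'w'],  // stdout
        2 => ['pipe', 'w'],  // stderr: keep it rather than sending it to /dev/null
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => 1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);  // helper's exit code, or sudo's on failure

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

$result = run_copy_sites($_GET['id'] ?? '');
if ($result['status'] !== 0) {
    // The real reason (e.g. "sudo: a password is required") goes to the
    // server log; the browser only sees a generic failure.
    error_log('copy_sites failed: ' . trim($result['stderr']));
    http_response_code(500);
    echo "copy failed\n";
} else {
    echo $result['stdout'];
}
```

With the rule scoped to one absolute path and the web user never holding a password or a login shell, the error text captured from stderr is normally enough to tell a sudoers problem apart from a failure inside `copy_sites` itself.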
