Php does not execute bash command

[veysel]

Hello,

I am mounting google drive to my raspberry pi with this command from command line;

sudo gdfs -o allow_other /var/www/html/gdfs.creds /media/pi/gdrives

İt is working from command line, but it is not work when i execute it from web browser. Here php content;

shell_exec("sudo gdfs -o allow_other /var/www/html/gdfs.creds /media/pi/gdrives");

and i changed my sudoers file giving permission www-data. here is my sudoers file content

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Can anyone tell me what i am doing wrong ?

[gw1500se]

While you are playing with fire giving users access to a root command, the sudoers file needs the user running the script. It is probably 'apache'.

[veysel]

3 hours ago, gw1500se said:

While you are playing with fire giving users access to a root command, the sudoers file needs the user running the script. It is probably 'apache'.

Thank you, should i change something in apache ?

[gw1500se]

No,  you should change the sudoers file to allow user apache to run that command. However, before you get yourself in trouble, please explain why you need web users to run restricted commands. Perhaps we can come up with a safer alternative.

[veysel]

Actually i solved the problem, when user click the button i write this to .txt file. Then i am checking every second .txt file wheter there is a changing, if there is changing i am running my python script. But i would like to know your safer alternative  and do you think my sudoers file unsafe ? if it is, can you give me example that trouble my system.

[kicken]

1 hour ago, veysel said:

But i would like to know your safer alternative  and do you think my sudoers file unsafe ?

Is granting the ability for your web user to run any command as root without a password unsafe?  Absolutely, you might as well just run your web server as root if your going to do that.

If you're going to use sudo, then you want to limit the commands that can be run to exactly what is necessary.  For example, at one point I had a page that would allow resetting an email password and the process to do so required root.  I created a shell script with all steps necessary and I added this to my sudoers file:

www-data        ALL = NOPASSWD: /root/bin/reset-mailbox-password

That allowed my public-facing web page to execute that command and only that command as root with sudo.  That way if there were ever a security issue in the future that gave someone shell access as www-data they couldn't just run whatever they wanted to sudo and further compromise the machine.

 

[veysel]

Thank you, actually i give all permision to www-data  to be able to run this command from web page:

shell_exec("sudo gdfs -o allow_other /var/www/html/gdfs.creds /media/pi/gdrives");

But, i could not execute it, fortunately i had a "B" plan as explain above(write .txt file if clicked, and check every second .txt file if there is changing, then run command from command line)

I will take care your advice , and i will not give all permission to www-data. Maybe i can give some permission to  www-data as your example

Edited September 12, 2020 by veysel