veysel

PHP does not execute bash command


Hello,

I am mounting Google Drive on my Raspberry Pi with this command from the command line:

sudo gdfs -o allow_other /var/www/html/gdfs.creds /media/pi/gdrives

It works from the command line, but it does not work when I execute it from the web browser. Here is the PHP content:

shell_exec("sudo gdfs -o allow_other /var/www/html/gdfs.creds /media/pi/gdrives");

and I changed my sudoers file to give permission to www-data. Here is my sudoers file content:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Can anyone tell me what I am doing wrong?

While you are playing with fire giving users access to a root command, the sudoers file needs the user running the script. It is probably 'apache'.

3 hours ago, gw1500se said:

While you are playing with fire giving users access to a root command, the sudoers file needs the user running the script. It is probably 'apache'.

Thank you, should I change something in Apache?


No, you should change the sudoers file to allow user apache to run that command. However, before you get yourself in trouble, please explain why you need web users to run restricted commands. Perhaps we can come up with a safer alternative.


Actually I solved the problem: when the user clicks the button I write this to a .txt file. Then I check the .txt file every second for whether there is a change; if there is a change I run my Python script. But I would like to know your safer alternative, and do you think my sudoers file is unsafe? If it is, can you give me an example of what could trouble my system?

1 hour ago, veysel said:

But I would like to know your safer alternative, and do you think my sudoers file is unsafe?

Is granting the ability for your web user to run any command as root without a password unsafe? Absolutely, you might as well just run your web server as root if you're going to do that.

If you're going to use sudo, then you want to limit the commands that can be run to exactly what is necessary. For example, at one point I had a page that would allow resetting an email password and the process to do so required root. I created a shell script with all steps necessary and I added this to my sudoers file:

www-data        ALL = NOPASSWD: /root/bin/reset-mailbox-password

That allowed my public-facing web page to execute that command and only that command as root with sudo. That way if there were ever a security issue in the future that gave someone shell access as www-data they couldn't just run whatever they wanted with sudo and further compromise the machine.

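As an added example (not code from veysel or from the replies above), here is a small POSIX shell script that does three defender-side things for the situation in this thread: it flags the `NOPASSWD: ALL` pattern from the first post in a sudoers-style file, it prints the single-command rule the answer above describes, and it prints a no-argument wrapper script around the thread's own mount command. The wrapper path /usr/local/sbin/mount-gdrive is an assumption, and the sample sudoers lines are constructed from the first post.

```shell
#!/bin/sh
# Added example for this thread, not code from the poster or the replies.
# Paths such as /usr/local/sbin/mount-gdrive are assumptions for illustration.

# audit_sudoers FILE
# Prints every rule that lets a user or group other than root run ALL
# commands without a password; returns 1 if any exist, 0 if none.
# Comment lines and Defaults lines are skipped.
audit_sudoers() {
    _hits=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -v '^[[:space:]]*Defaults' \
        | grep -v '^root[[:space:]]' \
        | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' || :)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# restricted_rule USER COMMAND
# Prints a sudoers line granting USER only COMMAND, run as root. sudoers
# requires a fully qualified path, so a relative command is rejected.
restricted_rule() {
    case $2 in
        /*) printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2" ;;
        *)  echo "restricted_rule: command must be an absolute path" >&2
            return 1 ;;
    esac
}

# wrapper_script
# Prints the wrapper the restricted rule points at. It accepts no arguments,
# so nothing reachable from the web page can change what runs as root, and
# it uses the exact mount command from the thread with a fixed PATH.
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
set -eu
[ "$#" -eq 0 ] || { echo "usage: mount-gdrive (no arguments)" >&2; exit 2; }
PATH=/usr/sbin:/usr/bin:/sbin:/bin
exec gdfs -o allow_other /var/www/html/gdfs.creds /media/pi/gdrives
EOF
}

# Constructed sample: the privilege lines quoted in the first post.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL
EOF

if audit_sudoers "$SAMPLE" >/dev/null; then
    echo "no passwordless ALL rules found"
else
    echo "passwordless ALL rule(s) found:"
    audit_sudoers "$SAMPLE"
    echo "replace with a single-command rule such as:"
    restricted_rule www-data /usr/local/sbin/mount-gdrive
    echo "and install this as the wrapper (root-owned, not writable by www-data):"
    wrapper_script
fi
rm -f "$SAMPLE"
```

Install the rule with `visudo -f /etc/sudoers.d/mount-gdrive` so a syntax error cannot lock you out of sudo, and keep the wrapper owned by root and not writable by www-data, since whoever can edit the wrapper decides what runs as root. `sudo -l -U www-data` then shows exactly what the rule grants, and calling `sudo -n` from the PHP side makes a non-matching rule fail immediately instead of waiting for a password.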

Thank you, actually I gave all permissions to www-data to be able to run this command from the web page:

shell_exec("sudo gdfs -o allow_other /var/www/html/gdfs.creds /media/pi/gdrives");

But I could not execute it. Fortunately I had a plan B, as explained above (write to a .txt file if clicked, check the .txt file every second for a change, then run the command from the command line).

I will take care of your advice, and I will not give all permissions to www-data. Maybe I can give some permission to www-data as in your example.

