[RESOLVED] shell_exec returns permission denied

mikie46

Is it possible to run shell_exec on a file owned by root:wheel if the user executing it is admin?

I have a very simple script. It restarts a service;


#!/bin/sh
if [ "$1" = "" ]
 then
  BASE="/mypath/myservice";
 else
  BASE=$1;
fi
export BASE
echo Stopping service $BASE
pidfile=$BASE/pid
kill `cat $pidfile` <-- fails here with permission denied

If i call this script using shell_exec from my php script it get the following results

Stopping service /mypath/myservice
rm: /myservice/mypath/pid: Permission denied

pid is owned by root:wheel as in Freebsd ownerships

The script is running as admin. What can i do? I have tried everything without results.

Help!

cahva

If the shell script itself is root:wheel it doesnt mean that it will be executed with that user. If you run the php script from webserver(as a php-module) the user is www(or whatever you have set the webserver to be). If you want to test this you can put "whoami" command to the script 😉

I have couple of important tasks that need to be run as root(deleting and chowning directories mostly). I created a mysql table where I insert data which is read by a script that is timed to run every minute in root's cronjob.

mikie46

So why cant i delete a pid file if the bash script is owned by root:wheel? Its not failing there, it fails on delete command on the file owned by root:wheel. How do i overcome this annoyance?

Horizon88

It's not an "annoyance", it's a crucial security feature. But anyways, cahva already said - the shell script runs as the user calling the webserver, NOT as who the file is owned by. So, user www is who starts the webserver, say Apache, and then Apache (running as www) access your script which is owned by root. However, since it's user:www accessing the script, that's all the permissions it has to run - NOT root permissions, because permissions for executing files are based on the user's permission levels.

Think of it as calling rm -rf /; as a user - sure, you can call it, but you can't delete everything, because you aren't root - the script runs with YOUR permissions, not root's.

How you over come this, now, is come up with another solution - cavha suggested a mysql table to be checked by roots cron job. That's one way.

You could also possibly issue a sudo or su command to elevate the webserver's permissions while executing that script, but I'd recommend against that, personally.

You could also find a different way to do it - instead of calling it from a php script, maybe use a cron job. Personally, I think cahva's solution of using a database and a cron job is pretty cool.

You could also give the webserver root permissions, I suppose >.<

mikie46

I understand the security issue but my understanding was that shell_exec would execute any command thrown at it no matter what. You see all the script kidding including shell_exec in their trojan scripts for instance yet they have no issue with permissions issues even if they drop that script into a user webspace where nothing is owned by root.

The db sounds fine but thats too much work quite frankly. All the script does is restart a processes after a file has been updated.

cahva

The mysql table thingie was just a way for me to do things. You could do it simpler way just by using a file. When you want to stop the service, in your php script create an empty file:

$dir '/path/to/directory/';
$fp = fopen($dir.'stopservice','w');
fclose($fp);
// You could also use touch() function.

Then in the cron script:

$f= '/path/to/directory/stopservice';
if (file_exists($f)) {
    shell_exec('/bin/sh /somewhere/stopservice.sh');
    unlink($f);
}

So its not so complicated is it? 🙂

NogDog

mikie46 wrote:
...The script is running as admin....

No, you may be logged into the web site as user 'admin', but the script is being run by the web server user (typically 'www' or 'nobody' on Apache) when called from a PHP web page. That user does not have root 'superuser' capabilities, and cannot even delete a file that is owned by your admin or other server account unless you grant write permission to the world on that file. Likewise, that user cannot kill processes it does not own. Sure, you can execute any command you want from shell_exec() (assuming no restrictions have been put on it), but that does not mean you have permission to actually perform any action you want (just as a normal user might be able to enter the command '/usr/sbin/shutdown' in a telnet terminal, but all he's going to get as a result is a "permission denied" error).

mikie46

Thank you all. What cahva said sounds good. I may also implament sudo.

buggin

I am having a bit of a problem that is closely related to this one. I am learning PHP and would like to know how to use cron, or solve the following problem.

I need to execute a windows exe in order to process a data file into something useful.

In the terminal (ubuntu) I can cd to the directory and enter: wine extractor.exe and a data.txt file is created in the same directory.

I have been pulling my hair out trying to get php to do the same thing.

Both the exe file and the folder have the same permissions as apache.

PWD gives me the correct directory path and whoami gives the correct user

What is the correct syntax I have tied several different ways none of them work:
shell_exec('wine extractor.exe < /var/www/processed/');
or
shell_exec("/usr/bin/wine /var/www/processed/extractor.exe");
or
shell_exec("wine extractor.exe");

Please give me some guidance.
Thanks,
Buggin

Horizon88

You really should start a new thread for this, but you have your < symbol pointed the wrong way in your first example.

shell_exec('wine extractor.exe > /var/www/processed/');

could work, if you're wanting the output of extractor.exe to go to the processed directory.

You also should check if the user (www or nobody, maybe apache) that your webserver runs as has permissions to run wine.