I'm trying to use vpopmail's vadddomain to add new virtual domains. Since the apache user has no access to vpopmail's binaries, I cannot exec('../bin/vadddomain...') directly from PHP.

I made a shell script (adddomain.sh) as below:

    #!/bin/bash
    cd /home/lxadmin/mail/bin
    ./vadddomain $1 postmaster_password

And appended this line to /etc/sudoers using visudo (forget about security for now):

    ALL ALL=NOPASSWD: /home/lxadmin/mail/bin/adddomain.sh

I have something like this in my PHP script:

    exec('sudo /home/lxadmin/mail/bin/adddomain.sh example.com', $output);

But this is not working at all (the domain example.com is not added to vpopmail). When I run this command through SSH as the root user, it works.

Can anyone tell me what my problem is here?

  • Seems similar to: http://stackoverflow.com/questions/3173201/sudo-in-php-exec – axel.michel Dec 25 '12 at 11:43
  • @WaleedKhan Which file exactly? By the way, I `chmod`ed `adddomain.sh` and `vadddomain` and my PHP file with no luck :( –  Dec 25 '12 at 11:45
  • Are you sure you want to call a root command from your PHP? But I suggest getting the file `/etc/sudoers` and adding the command you would like to use to that specific user. http://www.debian-administration.org/articles/33 – Jelmer Dec 25 '12 at 11:48
  • Three suggestions here: Use -- so people can't pass options to vadddomain! Don't leave $1 unquoted! `./vadddomain -- "$1" postmaster_password`. Use && between the cd and ./vadddomain commands (or set the shell -e option), in case someone manages to prevent cd:ing to /home/lxadmin/mail/bin. Then they can run ANY command as root by making their own script in the current directory and naming it vadddomain. – potrzebie Dec 25 '12 at 12:12
  • @potrzebie Thank you for these really good suggestions, but I'm not concerned about security for now. I want commands to just simply work :p –  Dec 25 '12 at 12:23

1 Answer

This should be possible by adding the webmaster-user to the /etc/sudoers file and simply allowing that user to use the command you are willing to use. I do not recommend using the sudo command directly in your PHP, since you probably have to store the password for this somewhere, which of course you do not want! You don't want to post your password somewhere by accident, or give it to another developer who you don't want to have root privileges through your code.

Another big downside of simply using root commands is that WHEN you have a security breach in your code, I can run sudo commands through, for example, a form. Be very careful with the privileges.

P.S. I'm new to SSH and setting up user privileges as well, so please correct me if I'm wrong. But this is what I know.

Jelmer
  • I'm not concerned about security because it's a development environment that I'm working in. I want the code and permissions to just simply work! –  Dec 25 '12 at 11:53
  • About the password part you mentioned, I guess I can use password-less `sudo` to prevent using a clear password in code. –  Dec 25 '12 at 11:55
  • You ARE concerned, but you want it SIMPLY to work. I think you meant `I'm not concerned about security ...` ? – Jelmer Dec 25 '12 at 11:55
  • Sorry, my bad ;) I mean I'm NOT concerned. –  Dec 25 '12 at 11:56
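
Added example, not part of the original thread: a version of adddomain.sh that applies the three suggestions from potrzebie's comment and the answer's warning about form input reaching a sudo command. The `is_valid_domain` and `add_domain` function names, the `apache` account name in the sudoers comment, and the assumption that vadddomain honours `--` as end-of-options (as the comment implies) are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): hardened adddomain.sh.
# Matching sudoers entry, limited to the web server account instead of ALL
# (the account name "apache" is an assumption):
#   apache ALL=NOPASSWD: /home/lxadmin/mail/bin/adddomain.sh
LC_ALL=C; export LC_ALL                        # make [A-Za-z] ranges ASCII-only
VADDDOMAIN=/home/lxadmin/mail/bin/vadddomain   # absolute path, so no cd is needed

# Return 0 only for a plain DNS-style name: letters, digits, '.', '-',
# at least one dot, no label starting or ending with '-', no empty label.
is_valid_domain() {
    d=$1
    [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
    case $d in
        *[!A-Za-z0-9.-]*) return 1 ;;            # spaces, ';', '$', newlines, ...
        -*|.*|*-|*.|*..*|*.-*|*-.*) return 1 ;;  # option-like or malformed labels
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

add_domain() {
    [ "$#" -eq 1 ] || { echo "usage: adddomain.sh <domain>" >&2; return 2; }
    is_valid_domain "$1" || { echo "adddomain.sh: invalid domain" >&2; return 2; }
    # "--" ends option parsing and "$1" is quoted, as the comment suggests;
    # postmaster_password is the placeholder used in the question.
    "$VADDDOMAIN" -- "$1" postmaster_password
}

# Run only when an argument is given, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then
    add_domain "$@"
fi
```

Because the script never changes directory and calls vadddomain by absolute path, a failed `cd` can no longer cause a same-named file from the caller's working directory to run as root.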