0

I have a php page.

It calls a validation bash script that checks variables passed from the php page.

I then call another bash script that I need to execute as the root user. I have followed the guide "How to run from PHP a bash script under root user" and still cannot get the script to execute as root.

I have the following:

php page

// escapeshellarg() quotes each value so input from the page cannot break out of its argument
$args = array_map('escapeshellarg', array($coinName, $coinNameAbreviation, $blockReward, $blockSpacing, $targetTimespan, $totalCoins, $firstBitAddy, $seedNode, $seedName, $headline));
$bashFile = shell_exec('./Validation.sh '.implode(' ', $args));
echo "<pre>$bashFile</pre>";

the validation file:

sudo nohup /bin/bash /usr/sbin/CoinCreationBashFile "$coinName" "$coinNameAbreviation" "$blockReward" "$blockSpacing" "$targetTimespan" "$totalCoins" "$firstAddyBit" "$seedNode" "$nameSeedNode" "$headline" "$blocksPerDay" "$startingDifficulty" >> /tmp/BASH2log.txt 2>&1 &

I have added

www-data ALL=NOPASSWD /usr/sbin/CoinCreationBashFile

to the end of the sudo visudo

and did:

chown root:root /usr/sbin/CoinCreationBashFile
chmod 755 /usr/sbin/CoinCreationBashFile

I was running it from /usr/sbin following the suggestion here: http://ubuntuforums.org/showthread.php?t=1848069

Can anyone see what I am doing wrong? Many thanks.

Edit: I can run the CoinCreationBashFile script without the sudo command and it runs OK up to one point where it needs root priv... so I know the script is working, and when executed from the terminal the script runs perfectly as desired.

Output in /tmp/BASH2log.txt:

sudo: no tty present and no askpass program specified
Fuzzybear
  • Maybe your www server uses a different user account (not www-data)? – gawi Aug 08 '13 at 22:04
  • When I run top in the terminal on the server, that is the user that is executing all the processes – Fuzzybear Aug 08 '13 at 22:07
  • Can you clarify if you successfully ran the script as www-data user without password? – gawi Aug 08 '13 at 22:34
  • Yes, the script can be run when I typed sudo -u www-data /usr/sbin/CoinCreationBashFile var1 var2 var3 – Fuzzybear Aug 08 '13 at 22:44
  • This is not an answer to my question. Did you try to su to www-data (sudo -u www-data bash) and then run a script (sudo /usr/sbin/CoinCreationBashFile var1 var2 var3)? – gawi Aug 08 '13 at 22:49
  • Thank you for clarifying the correct test for this, and yes, the script can run when logged in as www-data by typing su www-data; then running sudo script var1 var2 runs the script fine, no password prompts – Fuzzybear Aug 08 '13 at 23:12

3 Answers

2

This question is similar to sudo in php exec() and they did not arrive at a conclusion.

In your case, since only one bash script needs to be executed in this fashion, consider using setuid instead:

$ su
[enter password]
chown root:root something.sh
chmod 4755 something.sh
exit

Note: Some Linux distributions disable setuid for shell scripts by default for security reasons.

Update: Apparently no commonly used Linux distribution today allows setuid on shell scripts. Perl used to be the exception, but suid-perl is now deprecated.

The only way to execute your bash script using this method is to invoke it from a compiled binary. See the example with the C code on how to do this.

Niklas Lindblad
  • I was wondering if the Linux disabled setuid... am on Ubuntu 12.04 for the OS. Have run chown root:root /usr/sbin/CoinCreationBashFile and chmod 4755 /usr/sbin/CoinCreationBashFile from the terminal.. was wondering if the link guide was saying to make a separate bash file to change the user.. but would have thought that done now I have run it as root from terminal – Fuzzybear Aug 08 '13 at 22:35
  • @Peter Updated my answer after some research. – Niklas Lindblad Aug 09 '13 at 12:17
  • The solution I used was to get the PHP page to write out the variables to a txt file in an empty directory. At the start of my bash script that the PHP page was calling, it now searches for a .txt file in the empty directory; if there is no txt file then it exits, if there is then it extracts the variables and runs the cron job. Many thanks for your help Niklas – Fuzzybear Aug 14 '13 at 14:55
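
A compiled setuid wrapper of the kind this answer refers to could look like the following. This is an added example, not the C code the answer links to; the helper names `arg_is_safe` and `args_ok`, the character allowlist, and the count of 12 values (taken from the call in the question) are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT "/usr/sbin/CoinCreationBashFile" /* path from the question */
#define NARGS  12 /* values the question passes to the script */

/* Assumed allowlist: 1-128 characters of letters, digits, space and . _ : -
   with no leading '-', so a value is never read as an option. */
int arg_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 128 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr(" ._:-", s[i])) return 0;
    return 1;
}

/* Returns 1 only when argv holds exactly NARGS safe values. */
int args_ok(int argc, char *const argv[]) {
    if (argc != NARGS + 1) return 0;
    for (int i = 1; i < argc; i++)
        if (!arg_is_safe(argv[i])) return 0;
    return 1;
}

int main(int argc, char *argv[]) {
    /* Fixed environment: nothing is inherited from the web server process. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    char *child[NARGS + 4] = { "bash", "--", SCRIPT };

    if (!args_ok(argc, argv)) {
        fprintf(stderr, "expected %d validated values\n", NARGS);
        return 2;
    }
    for (int i = 1; i < argc; i++) child[i + 2] = argv[i];
    child[argc + 2] = NULL;

    /* Set real uid/gid to root too (group first); stop if either call fails. */
    if (setgid(0) != 0 || setuid(0) != 0) { perror("setgid/setuid"); return 1; }

    /* execve passes argv as-is: no shell parses the values on the way in. */
    execve("/bin/bash", child, envp);
    perror("execve"); /* reached only if the exec failed */
    return 1;
}
```

The compiled binary, not the script, is what gets chown root:root and chmod 4755; the script stays root-owned and not writable by www-data, as the chown and chmod in the question already arrange.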
2

I recently published a project that allows PHP to obtain and interact with a real Bash shell; you can easily get a shell with root. Get it here: https://github.com/merlinthemagic/MTS

After downloading you would simply use the following code:

$shell    = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);

// escapeshellarg() quotes every value so none of them can inject commands into the root shell
$args     = array_map('escapeshellarg', array($coinName, $coinNameAbreviation, $blockReward, $blockSpacing, $targetTimespan, $totalCoins, $firstAddyBit, $seedNode, $nameSeedNode, $headline, $blocksPerDay, $startingDifficulty));
$strCmd   = "/usr/sbin/CoinCreationBashFile ".implode(" ", $args)." >> /tmp/BASH2log.txt 2>&1 &";
$return1  = $shell->exeCmd($strCmd);

//if there is any return from the script you can wait for the return
//or you can trigger like you have it now and get no return.
MerlinTheMagic
  • What are the security risks associated with this? – Fuzzybear May 20 '16 at 11:16
  • Since you require root permissions, the project I built achieves that in one of 2 ways: you allow apache the right to sudo python OR you pass root credentials to the object every time you need a shell with root setup. Allowing sudo to python is a real concern, but so is passing root credentials in the script. Letting PHP anywhere near root is always tricky. Pick your poison. :) – MerlinTheMagic May 20 '16 at 11:25
1

You have a typo in the visudo entry. There is no R in NOPASSWD. It should be:

www-data ALL=NOPASSWD: /usr/sbin/CoinCreationBashFile
gawi
  • Good spot, but unfortunately only a typo in the question on here.. in code it was PASSWD and still does not work :( – Fuzzybear Aug 08 '13 at 22:31