
I want to reload my nginx after some scenarios on my php web application with exec_shell function in php like this :

shell_exec('sudo sh /var/www/camva/subdomain.sh');

This code runs after every request in my route.php file, to reload nginx.

Also my subdomain.sh shell file contains :

#!/bin/bash
sudo /etc/init.d/nginx restart

But I get this response after every request:

Reloading nginx ... fail !

I don't know why this happens, but I can run the same command as root from the terminal ("sudo /etc/init.d/nginx restart") and it gives the correct response about reloading nginx!

Thanks for your help.

  • Did you add your nginx user and your command to your sudoers file? Take a look at this http://stackoverflow.com/q/3166123/1301076 – rjdown Nov 30 '14 at 01:19


To hazard a guess, you're trying to execute a shell script as root using an account that probably doesn't have root access. Nginx should be running as a user that does not have root access. What you can try to do is to chmod the permissions on the script file accordingly so that it runs as root even when another user activates it.

First make root the owner of the script you want to run (subdomain.sh). Run these commands in CLI, not in your script.

sudo chown root.root /var/www/camva/subdomain.sh

Then make the script file executable by all and writable only for root.

sudo chmod 4755 /var/www/camva/subdomain.sh

Now the nginx user should be able to execute the script but not change the file content.

That said, I'm wondering why you need to reload the server and if, perhaps, there's a better solution to the overarching problem you are trying to solve.

I will point out that adding your nginx user to the sudoers file is absolutely not the right answer and poses security concerns.

user239546
  • I create subdomains for users and create vhost files for every user. I need an nginx reload for the vhosts to work. – Vahid Taghizadeh Nov 30 '14 at 01:39
  • @user239546 on the contrary, the sudoers file is EXACTLY the right thing for this. It is, in fact, the reason why it exists. The link I posted under the OP's question should help clear up your confusion with security. You sure as hell don't want to be running anything as root. Yikes. – rjdown Nov 30 '14 at 01:41
  • Ah I see. I've used the above permissions approach a few times in cases where I had no other approach for one thing or another I wanted to do in Jenkins. – user239546 Nov 30 '14 at 01:44
  • rjdown - adding nginx user to sudoer gives a malicious injection the ability to run "SUDO" commands pretty freely on the box hosting the server. My solution - while still not ideal - prevents a malicious user from breaking out of the constraints of what the script already does. – user239546 Nov 30 '14 at 01:49
  • "adding nginx user to sudoer gives a malicious injection the ability to run "SUDO" commands pretty freely on the box hosting the server" - NO! It will be limited ONLY to the commands that you list, e.g. `/etc/init.d/nginx restart`. Again, that is the WHOLE POINT of the sudoers file. Please, go read the manual before you touch another server. – rjdown Nov 30 '14 at 02:43
  • I never said it would be tied to the COMMAND. I said it would be tied to the SCRIPT which runs the command (and I would assume others, since it's a script he's running and not just an OS shell command). My solution is entirely valid and your rage rant is based on anecdotal assumptions on the OPs intent. – user239546 Nov 30 '14 at 04:55
  • I made no assumptions, the OP's issue and intent is perfectly clear. Sorry if I upset you by dismissing your bad habits, but it is for a good reason. It's not a "rage rant", it's a correction of poor judgement. Please, PLEASE for the sake of your own security, do a little research. – rjdown Nov 30 '14 at 06:21
  • I was about to argue a little further and just realized we're in /var/www/* directory here. This script shouldn't be there - it doesn't matter which of our methods is used. – user239546 Nov 30 '14 at 06:39
  • http://en.wikipedia.org/wiki/Setuid <- To educate rjdown a little further (and anyone prone to believing someone just because they talk insultingly) this is what I am doing here. If you really want to get into knowing what you're actually talking about here head on over to overthewire.org or any other teaching site out there - there's a lot of them. They explain buffer overrun and path injection (the doing and avoiding) IN DEPTH. Security is about knowing the internals of what you're working on. Not proselytizing golden rules that don't port to all linux distros. – user239546 Nov 30 '14 at 18:35
  • "don't port"? which distro uses sudo but not sudoers? Suggest you read your own comment "Security is about knowing the internals of what you're working on". There's nothing wrong with proselytizing GOOD PRACTICE. Thankfully, others agree and the question has been marked as a duplicate of the one I linked to. I hope you learn something from that. – rjdown Dec 01 '14 at 00:26
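The sudoers approach rjdown describes, written out as an added example (this is not code from the question or the answer). It assumes a sudoers drop-in has been installed with visudo that grants the web server's user exactly one fixed command with no password, and that PHP runs as `www-data` (an assumption; check which user your PHP-FPM pool or mod_php actually uses). Two points the thread leaves implicit: the command PHP runs must match the sudoers rule verbatim, so a rule for `/etc/init.d/nginx restart` does not permit `sudo sh subdomain.sh`; and the setuid bit from the answer is ignored by the Linux kernel for interpreted scripts, so `chmod 4755` on a `.sh` file does not make it run as root. The `-n` flag makes `sudo` fail immediately instead of waiting for a password, and capturing the exit status and stderr turns the bare "fail!" into a diagnosable message.

```php
<?php
// Added example; not the OP's or the answerer's code.
// Assumed sudoers drop-in, e.g. /etc/sudoers.d/nginx-reload, installed with
// `visudo -f`, never written by the web application itself:
//
//   www-data ALL=(root) NOPASSWD: /etc/init.d/nginx restart
//
// "www-data" is an assumption: use the user PHP really runs as. The rule names
// one exact command with no arguments taken from the request, which is what
// keeps the grant narrow.

const NGINX_RESTART_CMD = '/etc/init.d/nginx restart';

// Pre-flight check: `sudo -l <command>` exits 0 only if the policy permits
// that exact command for the invoking user. Useful when a deploy forgets the rule.
function canRestartNginx(): bool
{
    exec('sudo -n -l ' . NGINX_RESTART_CMD . ' >/dev/null 2>&1', $unused, $status);
    return $status === 0;
}

function restartNginx(): array
{
    // -n: never prompt. Without it a missing rule would hang the request on a
    // password prompt that nobody can answer. 2>&1 folds stderr into $output so
    // the reason for a failure ("sudo: a password is required", a bad config
    // reported by nginx, ...) is visible to the caller.
    exec('sudo -n ' . NGINX_RESTART_CMD . ' 2>&1', $output, $status);

    return [
        'ok'     => $status === 0,
        'status' => $status,
        'output' => $output,
    ];
}

// Usage in route.php, replacing the bare shell_exec() call:
if (!canRestartNginx()) {
    error_log('sudoers rule for "' . NGINX_RESTART_CMD . '" is missing for user ' . get_current_user());
} else {
    $result = restartNginx();
    if (!$result['ok']) {
        // Log rather than echo: the output reveals paths and sudo configuration.
        error_log('nginx restart failed (exit ' . $result['status'] . '): '
            . implode(' | ', $result['output']));
    }
}
```

The wrapper script from the question is not needed with this layout: the rule grants the one binary and argument string, and PHP invokes exactly that. If a script must stay in the picture, it should live outside the document root (as user239546's last comment notes), be root-owned and not writable by the web user, and the sudoers rule should name that script's full path rather than `sh`.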