Why does PHP backticks and SSH not return identical values?

Question

When I run ps cax with my ssh command line, I get the following:

user@dqeb ~ $ ps cax
PID TTY      STAT   TIME COMMAND
3277 ?        Ss    12:51 httpd
6797 ?        S      1:45 httpd
7190 ?        Ss     0:00 gpopd.pl
7291 ?        S      0:02 httpd
7303 ?        S      0:05 httpd
7309 ?        S      0:03 httpd
7336 ?        S      0:02 httpd
7361 ?        S      0:03 httpd
7419 ?        S      0:02 httpd
7426 ?        S      0:02 httpd
7427 ?        R      0:03 httpd
7440 ?        S      0:02 httpd
7457 ?        S      0:01 httpd
7468 ?        S      0:01 httpd
7504 ?        S      0:02 httpd
7743 ?        S      0:00 wrapper
7744 ?        Sl     0:00 java
7812 ?        S      0:00 qmail-local
7843 ?        S      0:00 qmail-local
7848 pts/3    R+     0:00 ps
8769 ?        Sl     0:00 sshd
8775 pts/5    Ss+    0:00 bash
9159 pts/2    S      0:00 su
9160 pts/2    S+     0:00 bash
9241 pts/5    S      0:00 gimap.pl
30334 ?        S      0:00 imap
30335 ?        S      0:00 imap
30340 ?        S      0:00 imap
30582 ?        Sl     0:00 sshd
30589 pts/3    Ss     0:00 bash

However, when I run the following PHP code:

$newline = chr(10);
$out = `ps cax`;
$out = str_replace($newline, '<br>', $out);
echo $out;

I get

7519 ? R 0:00 ps
15886 ? S 0:00 httpd
15890 ? S 0:00 httpd
15891 ? S 0:00 httpd
15917 ? S 0:00 httpd
15920 ? S 0:00 httpd
15930 ? S 0:00 httpd
15932 ? S 0:00 httpd
15933 ? S 0:00 httpd
16124 ? S 0:00 httpd
16125 ? S 0:00 httpd
16126 ? S 0:00 httpd
16128 ? S 0:00 httpd
16129 ? S 0:00 httpd
16130 ? S 0:00 httpd
16131 ? S 0:00 httpd
16134 ? S 0:00 httpd
16137 ? S 0:00 httpd
16138 ? S 0:00 httpd
16448 ? S 0:00 httpd

..and it goes on like that for quite long.

Why do I not see the same processes when I run the same command on the same server? I expected them to be identical.

Suspect there are `tab` symbols in the output but HTML renders as simple spaces. Try to render output in
element — phts, Mar 23 '15 at 13:17
I'm not talking about the formatting, but the actual processes. — Coert Grobbelaar, Mar 23 '15 at 13:25
Try this please : sudo su www-data ps cax If the process list is not complete please see my answer below. — Sofiane Sadi, Mar 23 '15 at 13:34
Are you running that script as httpd user? If so, it will only show processes available to that user. — Mike Brant, Mar 23 '15 at 14:11

Harikrishnan · Accepted Answer · 2015-03-24T03:36:29.487

4

When you run a PHP script via web browser it executes as www user, which is a less privileged one. You can only see those process owned by www. That's why you see only httpd that is apache child process. When you run the same script via shell it runs as the corresponding user (root or the username you have used to ssh). That user might have more privilege than www user. So you can see almost all process running in the system.

If you want to get same result when you execute script via browser you need to escalate privilege of www user, which is a security threat. Anyone browsing your website will get the same privilege and they can easily hack your server. So I won't recommend it.

edited Mar 24 '15 at 03:36

answered Mar 23 '15 at 15:49

Harikrishnan

9,688
11
84
127

1

Good answer. Now I need to find a safe way to run bash command from my php script as a certain user. Is the answer [here](https://stackoverflow.com/questions/6905697/how-to-run-script-as-another-user-without-password) a good way to go? Should I ask a new question? – Coert Grobbelaar Mar 24 '15 at 07:27
1

ie create a cron to execute the command and store the output in a file. Then just read the file and get the output. – Harikrishnan Mar 24 '15 at 08:28

Sofiane Sadi · Answer 2 · 2015-03-23T14:09:55.350

1

If you don't have root access: Create a file 'mypass.secret' [Enter your password user@dqeb password] And from php:

$newline = chr(10);
$out = `sudo -u user -S ps cax < ~/mypass.secret`;
$out = str_replace($newline, '<br>', $out);
echo $out;

if you have root access:

You should add www-data to your /etc/sudoers file:

sudo visudo -f /etc/sudoers
www-data ALL=(ALL) NOPASSWD: ALL

Then you should be able to grab all process using:

$newline = chr(10);
$out = `sudo ps cax`;
$out = str_replace($newline, '<br>', $out);
echo $out;

edited Mar 23 '15 at 14:09

answered Mar 23 '15 at 13:12

Sofiane Sadi

357
1
7

I'm guessing that the 'sudo -u user -S ps cax < ~/mypass.secret' part should be in backticks? – Coert Grobbelaar Mar 23 '15 at 14:02
What are the security implications of doing this? Won't it make the server more vulnerable to intrusion? – Coert Grobbelaar Mar 24 '15 at 07:23
The second one it will. The first one with the 'sudo -u user ...' should not really impact your server security. – Sofiane Sadi Mar 24 '15 at 09:44
3

I tried to ignore this, but I cannot. You should never ever ever allow the general public to run something as root. Sudo makes the command run as root. That is a major no no no no no. Your problem is that you want a process that, by design, should not be able to see all processes on the machine and you are trying to force it to see all processes on the machine. What you should be doing is asking yourself: Why did a large group of people design it such that this process could not see all the processes running on the machine? – kainaw Mar 24 '15 at 12:05
Yeah, I was honestly too scared of security issues to even try this – Coert Grobbelaar Mar 26 '15 at 14:10

Why does PHP backticks and SSH not return identical values?

2 Answers2