I want to work on a custom Linux hosting control panel based on my experience in managing LEMP/LAMP stack. This is just a pet project. I believe I have run into a hurdle.

The CP is being written in PHP and served by NginX as the default server on port 8000. I am not using any framework, just vanilla PHP.

In putty, logged in as root, I can get the system uuid like this:

[root@localhost ~]# dmidecode -s system-uuid
997C4DE8-213B-4ACC-8E23-01E79D6CC12F

When I try this in PHP with the following script:

var_dump(shell_exec('dmidecode -s system-uuid 2>&1'));

I get the following:

sh: dmidecode: command not found

How can I execute the above command and get the output in PHP?

Nginx/PHP-FPM is running as user nginx. Do I need to add the nginx user to the root group?

I want to be able to execute very specific commands like: /etc/init.d/php-fpm restart from my control panel (to restart php-fpm gateway).

How can I achieve this? What are my options? How do control panels like cPanel, DirectAdmin, etc. do it?

Update

I have tried the following method also. Installed sudo and used the sudo visudo command and added the following lines at the end:

nginx    ALL=(ALL)    NOPASSWD:/path/to/php_shell.sh
Defaults:nginx        !requiretty

and the content of php_shell.sh is:

#!/bin/bash
dmidecode -s system-uuid

Now, I tried to execute it like this:

var_dump(shell_exec('sudo sh /path/to/php_shell.sh 2>&1'));

I get: sudo: no tty present and no askpass program specified

  • That specific error most likely stems from the `PATH` not including `/usr/sbin` per default. And generally: admin panels usually have a privileged daemon run, or use some setuid script to invoke system commands. – mario Oct 25 '15 at 13:58
  • How to give extra privileges: one quick and *very dirty* approach is to use sudo and give the sudo rights to your apache user. This is very bad for security. But the job will be done. – Ôrel Oct 25 '15 at 13:59
  • @Ôrel when I try to use sudo in my command, I get this error: `sudo: sorry, you must have a tty to run sudo` (will this go away when I give nginx sudo rights)? Is it bad for security because any hosted site that is exploited will be able to execute system commands? – Latheesan Oct 25 '15 at 14:03
  • The answer depends very much on the setup your distribution made, which you did not tell us. It is very hard to give a general answer to such a question. – arkascha Oct 25 '15 at 14:08
  • http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password – Ôrel Oct 25 '15 at 14:09
  • @Ôrel I have updated my post with the attempt with using sudo, not having much luck. Any ideas? – Latheesan Oct 25 '15 at 14:52

1 Answer

I have fixed it thanks to this solution: https://stackoverflow.com/a/30284644/2332336

This is what I had to do:

Installed sudo and used the sudo visudo command and added the following lines at the end:

nginx    ALL=(ALL)    NOPASSWD:/path/to/php_shell.sh,/bin/bash
Defaults:nginx        !requiretty

and the content of php_shell.sh is:

#!/bin/bash
dmidecode -s system-uuid

Now, I tried to execute it like this:

var_dump(shell_exec('sudo /bin/bash /path/to/php_shell.sh 2>&1'));

Output I get:

string(36) "997C4DE8-213B-4ACC-8E23-01E79D6CC12F"

Now that this is working, I just need to know if this will be secure, since I am ONLY ever executing a set of specific commands like dmidecode -s system-uuid and take no user input. Or have I opened some sort of security hole by adding nginx to visudo like that?

  • If you only do `dmidecode -s system-uuid` you can have a root cron doing this command regularly and saving the output into a file that nginx can read. So nginx will only read this file. – Ôrel Oct 26 '15 at 07:47
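
On the closing question about whether the sudoers change opened a hole, the rule from the answer is shown below next to a narrower one. This is an added example, not part of the original posts; the drop-in file name and the `/usr/sbin/dmidecode` path are assumptions (confirm the path with `command -v dmidecode` as root).

```sudoers
# /etc/sudoers.d/nginx-panel  (assumed file name; edit with: visudo -f <file>)

# Weak: the rule from the answer above, kept commented out for comparison.
# With /bin/bash in the command list, the nginx user may run bash as root
# with any arguments, so the rule is equivalent to passwordless root for
# every PHP script served by that user. (ALL) also allows any target user.
#nginx    ALL=(ALL)    NOPASSWD:/path/to/php_shell.sh,/bin/bash

# Narrower: list the exact binaries with their exact arguments.
# sudo matches the command actually invoked, so calling the binary directly
# means no shell has to appear in the list. When arguments are given in the
# rule, the arguments on the command line must match them exactly.
Cmnd_Alias PANEL_CMDS = /usr/sbin/dmidecode -s system-uuid, \
                        /etc/init.d/php-fpm restart

# PHP-FPM has no terminal, so requiretty must stay off for this user.
Defaults:nginx !requiretty

# Run as root only, without a password, and only the commands above.
nginx    ALL=(root)    NOPASSWD: PANEL_CMDS

# If a wrapper script is listed instead of a binary, it must be owned by
# root and not writable by nginx (for example: chown root:root, chmod 755),
# otherwise the nginx user can rewrite what runs as root.
```

From PHP the call then becomes `shell_exec('sudo -n /usr/sbin/dmidecode -s system-uuid 2>&1')`; `-n` makes sudo fail immediately instead of prompting when no rule matches.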