0

Sorry for the vague title, but I don't know how better to describe this problem...

I have one PHP function whose job it is to create a customer, named, simply customer.php. Part of the script looks like this:

//...code above...
require_once(realpath(dirname(__FILE__)."/cron.php"));
//....more code below...

The cron.php that it refers to is literally just three lines of code, and two of them are logging calls (those functions reside in an imported script in customer.php, and they ARE working, as shown below):

<?php
saveLog("cron.php PRE custname= $custname by ".get_current_user());
$tmp = exec("sudo ./addcron.sh $custname", $output);
saveLog("cron.php POST tmp=$tmp output=".formatArray($output));

The addcron.sh file looks like this:

#!/bin/bash
echo "* * * * * www-data /usr/bin/php -f /path/to/cron.php" > $1
chown root:root $1
mv $1 /etc/cron.d/

When I execute the customer.php file I see the log records, like so:

cron.php PRE custname= test123 by root
cron.php POST tmp= output=Array()

So I know that the $custname variable -- literally the only thing I pass -- is getting populated correctly.

I created a test.php file which is a stripped-down version of the customer.php file. It looks entirely like this:

<?php
require_once("../../local_functions.php");
$custname = "xyz".date('YmdHis');
require_once(realpath(dirname(__FILE__)."/cron.php"));

Note that all four of these files, cron.php, customer.php, test.php and even addcron.sh all reside in the same directory. They are all owned by root.

The odd thing is: when I visit test.php in my browser, the CRON script is created. When it is run by customer.php it is not. The log looks identical.

I suspected that the reason for this is that the customer.php file is called by forwarding from a loading page, but when I set up the same type of forwarding for test.php, it worked.

The loading page code is simply like so:

<div id="processing">
    <i class='fa fa-spinner fa-pulse''></i>
    Hang tight...
</div>

<script>
   jQuery(document).ready(function() {
        document.location.href = "./customer.php";
   });
</script>

The loading page is also owned by root. The permissions on the files look like so:

-rw-r--r-- 1 root root 2630 Oct 18 00:26 loading.php
-rw-rw-r-- 1 root root 8995 Nov  4 00:16 customer.php
-rw-rw-r-- 1 root root 1352 Nov 17 04:34 cron.php
-rw-r--r-- 1 root root  286 Nov 17 04:50 test.php
-rwxr-xr-x 1 root root  129 Oct 18 00:26 addcron.sh

Searching the server logs for test123 and xyz2016 both turn up nothing.

What am I missing?

Bing
  • 3,071
  • 6
  • 42
  • 81
  • What supply the password to sudo? –  Nov 17 '16 at 08:00
  • I'm sorry, I'm not sure what you mean. – Bing Nov 17 '16 at 11:54
  • There is this line in your customer.php script: `$tmp = exec("sudo ./addcron.sh $custname", $output);`. How is sudo set up to get the password, or, is sudo set up to bypass the use of a password for the user that runs the script. It is usually a really bad idea running php as root. –  Nov 17 '16 at 20:17
  • Please [read this question](http://stackoverflow.com/q/7771586/6843677). –  Nov 17 '16 at 20:24
  • I'm already doing the user check. In one of my files I'm logging with the line: `saveLog("cron.php PRE custname= $custname by ".get_current_user());` That outputs as `cron.php PRE custname= test123 by root` – Bing Nov 18 '16 at 14:32

0 Answers0