
I am running an Apache server on CentOS and need to run some bash scripts from a PHP page. Running commands which do NOT need write or execute permission from the PHP file works fine (for example shell_exec('ls /var/www/html/scripts/')), but I have problems running the commands that do need write or execute permission. For example, this command does nothing:

<?php
   $output = shell_exec('/var/www/html/scripts/test.sh');
   echo $output;
?>

I made the apache user the owner and granted the necessary permissions to the scripts directory:

drwxr-xr-x. 2 apache apache   21 Jun  3 09:54 scripts

and to the test.sh file, as can be seen, but there was no luck.

-rwxr-xr-x. 1 apache apache 51 Jun  3 09:54 test.sh

I also tried to sudo the command in the PHP file and added the line below to the end of the sudoers file, but nothing changed.

apache ALL=NOPASSWD: /var/www/html/scripts/test.sh

I also checked PHP safe_mode, which is off, and there is no restriction in the php.ini file:

disable_functions =

Your kind help would be highly appreciated.

NOTE:

I edited my bash script and added sudo like below:

#!/bin/bash
echo "Hi from test.sh";
sudo touch /var/www/html/scripts/file.log;

Now when I run the file as the apache user using this command, it runs successfully:

su -s /bin/sh apache -c "/var/www/html/scripts/test.sh"

But through the PHP web page it only runs the echo "Hi from test.sh"; line. When I check the logs, there are the lines below for running the command above:

su: pam_unix(su:session): session opened for user apache by root(uid=0)
sudo:  apache : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/touch fromweb.log
su: pam_unix(su:session): session closed for user apache

And the log generated when running from the PHP web page:

sudo:  apache : TTY=unknown ; PWD=/var/www/html/scripts ; USER=root ; COMMAND=/bin/touch fromweb.log

The pam_unix(su:session) open and close are missing.

Reza
  • Do you receive any error message? – JazZ Jun 03 '17 at 08:20
  • Note that the apache default user is `www-data`. – JazZ Jun 03 '17 at 08:22
  • @JazZ No special error message as the error reporting is off but when I run the bash file from command prompt the following error occurs: su -s /bin/sh apache -c "scripts/test.sh" Hi from test.sh touch: cannot touch ‘file.log’: Permission denied – Reza Jun 03 '17 at 08:31
  • What does the `test.sh` look like? If it does not have a "shebang", you'll have to do `shell_exec('sh /var/www/html/scripts/test.sh');` for the shell to know you want to run the file as a bash script. – JazZ Jun 03 '17 at 08:33
  • @JazZ the user seems to be apache as the return of this PHP script is "apache": – Reza Jun 03 '17 at 08:34
  • So you'll need to grant permission to "apache" to write in the directory where the "file.log" has to be created. – JazZ Jun 03 '17 at 08:35
  • @JazZ test.sh contents: #!/bin/bash echo "Hi from test.sh"; touch file.log; – Reza Jun 03 '17 at 08:36
  • I granted permission to the scripts directory where the file is expected to be created but there was no luck! drwxrwxrwx. 2 apache apache 21 Jun 3 09:54 scripts – Reza Jun 03 '17 at 08:37
  • Done @JazZ but the result is the same! chmod 777 scripts/test.sh -rwxrwxrwx. 1 apache apache 51 Jun 3 09:54 test.sh – Reza Jun 03 '17 at 08:42
  • It does not work from the command line either? – JazZ Jun 03 '17 at 08:42
  • Possible duplicate of [Run Bash Command from PHP](https://stackoverflow.com/questions/11052162/run-bash-command-from-php) – geisterfurz007 Jun 03 '17 at 08:44
  • @JazZ When running as apache, it also does not work from the command line. – Reza Jun 03 '17 at 08:46
  • @geisterfurz007 I don't think so – Reza Jun 03 '17 at 08:48
  • [Another candidate](https://stackoverflow.com/q/17151946/6707985) and [one from askUbuntu](https://askubuntu.com/q/432767) – geisterfurz007 Jun 03 '17 at 08:48
  • Note: I changed the PHP script to shell_exec('sh /var/www/html/scripts/test.sh'); as @JazZ advised. This time, Hi from test.sh appeared in the output, but it still failed to run the second line of the bash script. – Reza Jun 03 '17 at 08:49
  • Could you run `phpinfo()` from your website and check the value of `APACHE_RUN_USER`? – JazZ Jun 03 '17 at 08:49
  • No APACHE_RUN_USER field in the phpinfo() output, but User/Group: apache(48)/48, if they are the same thing. – Reza Jun 03 '17 at 08:56
  • Thanks @geisterfurz007 for the links, but I already tried them. It seems that the root cause is different. – Reza Jun 03 '17 at 09:02
  • @HamidReza alright then :) Retracted the dupe flag. Hint for the next time: If you tried them, link them in your question so that people can see that you did ;) – geisterfurz007 Jun 03 '17 at 09:03
  • @geisterfurz007, OK thanks, I will. I am a newcomer here :) – Reza Jun 03 '17 at 09:08
  • No Apache user? Is it possible? – JazZ Jun 03 '17 at 09:21
  • See this link please: https://stackoverflow.com/questions/5356167/apache-user-does-not-exist. Did you receive an error when setting the owner of the directory to the apache user? – JazZ Jun 03 '17 at 09:24
  • You could take a look at the error logs too. Maybe precious information is waiting for you there. – JazZ Jun 03 '17 at 09:26
  • @JazZ I think there is a misunderstanding, Apache user exists and I can grant permission for it successfully. The "APACHE_RUN_USER" field does not exist in phpinfo() output. Instead it says User/Group: apache(48)/48 – Reza Jun 03 '17 at 09:51
  • Alright, sorry... Any relevant error in the log files? – JazZ Jun 03 '17 at 10:06
  • @JazZ I added a Note to my question. Could you please check it? – Reza Jun 03 '17 at 10:18
  • You don't have to `sudo` if apache is the owner of the directory. And from the script run by PHP, `su` is not used either. Your script runs well; I just tested it. Could you take a look in the `/var/log/apache2/error.log` file, please? – JazZ Jun 03 '17 at 10:27
  • This is the only log that I get: touch: cannot touch '/var/www/html/scripts/file.log': Permission denied – Reza Jun 03 '17 at 10:43

1 Answer


I found what the issue was. It was because of the Linux SELinux feature. This feature applies a least-privilege policy and prevents any unnecessary command from running on Linux. The bash script runs successfully after disabling this feature. To do so, edit the file /etc/selinux/config, change SELINUX=enforcing to SELINUX=disabled and reboot the system. THIS IS NOT RECOMMENDED FOR SECURITY REASONS, however. You may check the link below to only create some exceptions rather than completely disabling SELinux.

https://wiki.centos.org/HowTos/SELinux

Reza
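The symptom in the question (touch fails with "Permission denied" even on a 0777 directory, and fails under sudo from the web but not from an su session) is what an SELinux denial looks like from user space: DAC permissions are fine, but the targeted policy does not let the httpd_t domain write into a directory labelled httpd_sys_content_t, nor execute sudo. The usual practitioner workflow is to confirm with `getenforce`, `ls -Z` and `ausearch -m avc -ts recent`, then relabel only the directory that needs to be writable instead of disabling SELinux. The script below is an added example, not code from the question, the answer or the linked CentOS wiki: it triages AVC records and prints the targeted fix for each class of denial. The audit lines are constructed to resemble the records this scenario produces (timestamps, pids and inodes are invented), and the path `/var/www/html/scripts` and the label names are assumptions about the reader's system.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage SELinux AVC denials
# and emit the targeted remediation instead of setting SELINUX=disabled.
# Assumed environment: CentOS with the targeted policy, so httpd runs as
# httpd_t, web content is httpd_sys_content_t and content httpd may write
# is httpd_sys_rw_content_t.
set -euo pipefail

# Constructed sample denials modelled on the scenario in the question:
# httpd_t writing into an httpd_sys_content_t directory, then trying
# to exec sudo. Timestamps, pids and inodes are invented.
SAMPLE_AVC='type=AVC msg=audit(1496480000.123:4567): avc:  denied  { write } for  pid=1234 comm="touch" name="scripts" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1496480001.456:4568): avc:  denied  { execute } for  pid=1235 comm="sh" name="sudo" dev="dm-0" ino=23456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of "KEY=value" in one AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> first permission listed inside "denied  { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify LINE -> rw-label | no-sudo | custom-module
classify() {
    local line=$1 sdom tdom cls perm
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    tdom=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    # Write-type denial on plain web content: relabel the directory.
    if [ "$sdom" = httpd_t ] && [ "$tdom" = httpd_sys_content_t ]; then
        case "$cls:$perm" in
            dir:write|dir:add_name|dir:create|file:write|file:create|file:append)
                echo rw-label; return ;;
        esac
    fi
    # The web server domain is not allowed to run sudo; no label fixes that.
    if [ "$sdom" = httpd_t ] && [ "$tdom" = sudo_exec_t ]; then
        echo no-sudo; return
    fi
    # Anything else needs a reviewed local policy module.
    echo custom-module
}

# fix_for CLASS PATH -> the command(s) a practitioner would run.
fix_for() {
    case "$1" in
        rw-label)
            printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?' && restorecon -Rv '%s'\n" "$2" "$2" ;;
        no-sudo)
            echo "remove 'sudo' from the script: httpd_t may not exec sudo; grant the write by labelling instead" ;;
        *)
            echo "ausearch -m avc -ts recent | audit2allow -M local_httpd && semodule -i local_httpd.pp  # review local_httpd.te first" ;;
    esac
}

# triage RECORDS PATH -> one "class<TAB>fix" line per AVC record.
triage() {
    local input=$1 path=$2 line cls
    while IFS= read -r line; do
        case "$line" in type=AVC*) ;; *) continue ;; esac
        cls=$(classify "$line")
        printf '%s\t%s\n' "$cls" "$(fix_for "$cls" "$path")"
    done <<EOF
$input
EOF
}

triage "$SAMPLE_AVC" /var/www/html/scripts
```

On a real host, feed it `ausearch -m avc -ts recent` output instead of SAMPLE_AVC and check `ls -Z /var/www/html/scripts` before and after `restorecon`. Relabelling only the directory the script writes to keeps the rest of the document root read-only for httpd_t, which is the point of the exception the answer recommends. It also removes the need for the sudoers entry in the question; that entry lets the web server run a script it owns as root, so a web bug that can edit test.sh becomes a root shell.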