
I'm editing a zone file, /var/named/rpz.local, and need to reload it with rndc after I'm done, using this command:

cd /var/named
rndc reload rpz.local

Everything works fine from the CLI as the root user, but the problem is that I can't run /usr/sbin/rndc as nginx (from PHP). So would you please give me a clue?

I can run this:

$Output = shell_exec("uptime");
print($Output);

But if I run this command the output is null: system('rndc reload'); or shell_exec('rndc reload');. It seems I can't access rndc, because I can't even run rndc status, although if I run this:

system('uptime'); // Sun Aug 20 22:36:51 +0330 2023
$Test = shell_exec('rndc status'); // returns nothing
print($Test);
system('uptime'); //  00:28:03 up 18 days, 10:47,  2 users,  load average: 0.00, 0.02, 0.05

I get the result of the uptime command, but there is nothing for shell_exec('rndc reload'). I also ran the commands below, but it didn't help:

setfacl -m u:nginx:rwx rpz.local
setfacl -m u:nginx:rwx /usr/sbin/rndc
GameO7er

2 Answers


everything is great with cli as root user but the problem is I can't run /usr/sbin/rndc by nginx (PHP). so would you please give me a clue?

If your PHP within Nginx would run as root, you would have one serious problem, and then many more.

Consult your operational manual about the role of the root user and what it is for. Then administer the system accordingly.

Or in short: Just because only you can do something as root does not mean you should do it from inside PHP. Understand why. Really. Seriously.

If you can't, contact a responsible sysadmin who knows the system you're operating and clarify the requirements person-to-person.

hakre
  • nginx is not a sudoer. Although I added it to sudoers, the result was the same, then I removed nginx from the sudoers list. The problem is I don't have any error log, so I don't have any clue. That's why I'm asking here. At least give me a clue :) Besides, it was working fine on "CentOS 7" but no idea why it doesn't on "Rocky OS" – GameO7er Aug 21 '23 at 10:56
  • Again, you first should understand why. This is no 5 minute debugging, start learning the topic, and if there are differences between CentOS 7 and Rocky OS, learn about the differences first. You should not circumvent the system administration, as if you do, you will lose it. Instead configure the system to the needs. This is out of scope as a programming question. – hakre Aug 21 '23 at 11:45

The problem has been solved. How? I got NULL when I tried to run the rndc command. So, as mentioned in this post, I changed my command to this:

$Test = shell_exec('rndc reload rpz.local 2>&1'); // returns "permission denied" for the rndc.key file
print($Test);

So I did:

setfacl -m u:nginx:rwx /etc/rndc.key

and the problem was solved.

Thank you so much dear @hakre

P.S. As @hakre mentioned, it is wrong to run nginx as a sudoer or to add nginx to the sudoers group, so don't make that mistake, although it's okay for debugging and testing (1-2 hours, not more).

GameO7er
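The `2>&1` redirect in the answer above works because shell_exec() only returns stdout, so an rndc failure reported on stderr looks like NULL. The following added example (not code from the question or the answers) gets the same diagnostic without a shell redirect by reading stderr and the exit status through proc_open(), and validates the zone name before it reaches the command line. It assumes rndc lives at /usr/sbin/rndc and that the nginx user can read the key file referenced by rndc.conf (read access is all rndc needs).

```php
<?php
// Added example: run "rndc reload <zone>" from PHP and surface stderr and the
// exit status instead of a silent NULL. Assumes /usr/sbin/rndc (see lead-in).

function rndc_reload(string $zone): array
{
    // Accept only plain zone names so nothing shell-like is ever passed on;
    // escapeshellarg() is a second layer, not the only one.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $zone)) {
        throw new InvalidArgumentException("invalid zone name: $zone");
    }

    $cmd = '/usr/sbin/rndc reload ' . escapeshellarg($zone);
    $spec = [
        0 => ['pipe', 'r'],  // stdin (unused, closed immediately)
        1 => ['pipe', 'w'],  // stdout, what shell_exec() would return
        2 => ['pipe', 'w'],  // stderr, what shell_exec() silently drops
    ];

    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start: $cmd");
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);  // rndc's exit code, non-zero on failure

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

$result = rndc_reload('rpz.local');
if ($result['status'] !== 0) {
    // With an unreadable key file this is where the "permission denied"
    // message from the answer shows up, with the exit code alongside it.
    error_log('rndc failed (exit ' . $result['status'] . '): ' . trim($result['stderr']));
} else {
    print($result['stdout']);
}
```

Logging stderr with error_log() sends it to the PHP-FPM/nginx error log, which gives the "I haven't any error log" problem from the comments something to look at.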