parturi

How to execute commands in php under apache

Hello.

I am trying to make my daily work a little bit easier. I am trying to automate some things that I do every day and started looking for a way with php+apache. The problem is that apache runs under the apache user and group, and anything I try to execute on the server is being executed by the user apache. So I won't be able, for example, to create a directory.

I know apache has a mkdir function or something like that, but I just gave you "create directory" as an example; what I need to execute is a lot of commands. I will even need to restart daemons like named, httpd, or mysql.

I tried a lot of ways, but all php code is being executed as the apache user.

Any help will be appreciated.

Thanks
Pablo
Mercantilum

There is no easy way - some cgi wrappers are available, I would do mine (see below)
- php has to be called from cgi
- the small wrapper will actually execute your php script

1. make this small c program called cgiwrapper.c
To get the user id of php for instance, do
grep php /etc/passwd
This is the first number, e.g.
php:x:123:...
Below uid_for_php would be 123

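-------------
#include <stdio.h>
#include <unistd.h>
uid_t uid_for_php = 123;       /* the number found with grep above, e.g. 123 */
char *prog = "pathtoyourphp";
int main(int argc, char **argv)
{
   argv[0] = prog;
   /* stop if the uid change fails, so prog never runs with the old uid */
   if (setuid(uid_for_php) != 0) {
      perror("setuid");
      return 1;
   }
   execv(*argv, argv);
   perror("execv");            /* only reached if execv failed */
   return 1;
}
-------------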

2. compile and set attributes as root (cgiwrapper should be either in your cgi-bin dir (called by apache directly) or called by your actual apache cgi)

# you are root...
gcc -O2 cgiwrapper.c -o cgiwrapper
# just in case
chown root cgiwrapper
# set the setuid bit
chmod 4755 cgiwrapper

When cgiwrapper is called, user becomes uid_for_php and it calls 'prog' giving the arguments initially given to cgiwrapper.

3. to test your wrapper

# Put something like '/bin/bash' in 'prog' in your .c program (replace pathtoyourphp)
# recompile, set access rights as in 2. above
# just be yourself :)  (under your own id, eg. parturi)
# do
./cgiwrapper
# you should have opened a new bash ... do
id
# you should see your php id (123) for "uid="

After the test, update your cgiwrapper.c again with the actual php program/script to be run in 'prog', and do step 2. again


Some people don't like much to have a setuid-program... this one is very simple and short.
The worst that could happen is executing something as 'php' user... not worse than with 'apache' user ;-)
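
A tighter variant of the wrapper from the answer above, added here as an example and not part of the original post: instead of passing the caller's arguments through, it accepts one action name, runs only a fixed command from an allow-list, drops supplementary groups and the caller's environment, and checks every privilege call. The action names, script paths and TARGET_GID are assumptions; 123 is the example uid from the post.

```c
#define _DEFAULT_SOURCE                 /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET_UID 123                  /* assumption: the example uid from the post */
#define TARGET_GID 123                  /* assumption: that account's gid */
struct action { const char *name; char *const argv[3]; };

/* Constructed allow-list: hypothetical task scripts, fixed arguments only. */
static const struct action actions[] = {
    { "create-site-dir", { "/usr/local/libexec/webtasks/create-site-dir", NULL } },
    { "reload-zone",     { "/usr/local/libexec/webtasks/reload-zone", NULL } },
};

/* Return the fixed argv for an exact name match, or NULL if not listed. */
char *const *lookup_action(const char *name)
{
    for (size_t i = 0; name && i < sizeof actions / sizeof actions[0]; i++)
        if (strcmp(name, actions[i].name) == 0)
            return actions[i].argv;
    return NULL;
}

/* Drop extra groups, then gid, then uid; verify that every id changed. */
int switch_user(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    char *const *cmd = (argc == 2) ? lookup_action(argv[1]) : NULL;
    if (cmd == NULL) {
        fprintf(stderr, "usage: cgiwrapper <action>\n");
        return 2;
    }
    if (switch_user(TARGET_UID, TARGET_GID) != 0) {
        fprintf(stderr, "cgiwrapper: could not switch user\n");
        return 1;
    }
    execve(cmd[0], cmd, clean_env);     /* caller's environment is dropped */
    perror("execve");                   /* reached only if execve failed */
    return 1;
}
```

It is built and installed the same way as in step 2 of the answer; the PHP side then calls it with a single action name instead of a command line.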
philjones85

You could give the user "apache" root access - probably not a good idea, but it would work.

Or you could give "777" permission to whatever folders "apache" needs to modify/work in.

Another thing you might consider trying is running an expect script: have the script log in as a higher priority user, perform whatever commands need to be performed, then log out.
parturi

ASKER

Thanks for answering guys!

philjones85, I don't want 777 permissions on whatever folder is going to be modified. And giving apache root access is extremely dangerous, and even if I wanted to do that, I would have to recompile apache; by default apache won't let you do that. The other suggestion I don't understand; I am very new at linux-apache.

Mercantilum, I have a couple of questions regarding your option (which I think could be a solution), if I understood well what it does.

>> - php has to be called from cgi

Suppose I make a form. Does it mean I will have to set the action to the cgi, and set the cgi to call the php page?

>>1. make this small c program called cgiwrapper.c
>>To get the user id of php for instance, do
>>grep php /etc/passwd
>>This is the first number, e.g.
>>php:x:123:...
>>Below uid_for_php would be 123

Is it the same uid as if I type the command "id root"? Because I don't have the user php in /etc/passwd; I just used that file to add protected web directories.

uid_for_php, which you set in the example to 123: must it be the uid for root in order to execute commands as root?

Will this script take arguments and pass them to the php page? Which one will be executed with the uid I set?

Sorry if I ask stupid questions, but I can't understand the "concepts" very well yet; I am coming from a Windows environment, so... understand me :))

Based on the effort, I will give you more points.

Thank you very much!
Pablo
ASKER CERTIFIED SOLUTION
Mercantilum

parturi

ASKER

Mercantilum, I told you I would give you more points. When I closed the question, I wasn't able to do it. I am going to ask some more things here! Thanks again