Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


PHP system() credentials

Posted on 2004-10-11
Medium Priority
Last Modified: 2008-02-01
I am writing a web-based application to shutdown/reboot WinXP boxes in a lab of 70 systems.

The application has a little GUI map of the lab, each system having a checkbox.  You check what you want to reboot, click GO, and a PHP script writes loops executing the Windows "shutdown" command to the remote systems.

Here's the problem:

The "shutdown" command works from a command prompt, but when running the exact same thing from PHP's system() function, it returns a "Access Denied."

So does PHP run programs under different credentials than the logged in user?  Does it use the IUSR_xxxx  account (when using IIS)?  Is there a way to give the system command more "authority"?

I have tried using "runas" with the shutdown command:  this also works from a command prompt but not the web page.

Any ideas?  Also, any alternate ideas?  (am i doing this the hard way?)
It just needs to be web-based, to do from anywhere.

Question by:mistagitar
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 48

Accepted Solution

hernst42 earned 1000 total points
ID: 12284117
Yes the command is run as IUSR_xxxx So does it work if you put that IUSR_xxxx into the Adminitrator group ??
LVL 40

Assisted Solution

by:Richard Quadling
Richard Quadling earned 1000 total points
ID: 12284566
Alternatively, change the user that the webserver runs as to be a normal user.


Expert Comment

ID: 12284948
make sure your script has ADMINISTRATIVE rights
LVL 40

Expert Comment

by:Richard Quadling
ID: 12285006
I think it is dangerous giving ANY sort of script Admin rights. And even worse a service which will run scripts!

All services should be given the minimum number of rights to do their job. Admin is WAY to powerful.

This is why the IUSR is so restricted.

You don't need to add Admin rights to shutdown the server.

The issue is that you want to shutdown the workstation though.

So. The easiest way is to configure the workstations to allow the AT Service to be accessed by the webserver user.

Then make sure you have time synchronised with the webserver.

Then you get SOON (from the Microsoft Resource Toolkit) and run it so that the shutdown command is run in say 15 seconds on the workstation.

Effectively, you are creating a task to run on the chosen workstation. The task is SHUTDOWN in 15 seconds.

LVL 40

Expert Comment

by:Richard Quadling
ID: 12285060

< 9:52 12/10/2004 C:\Program Files\Resource Kit>soon

SOON  :  Command Scheduling Utility

Usage : SOON [\\computername] [delay] [/INTERACTIVE] "command"
   or : SOON /D [/L:n] [/R:n] [/I:{ON|OFF}]

delay : the number of seconds from now when the scheduled job should start.

   /D : modify Default settings and/or display their current values.
   /L : set LocalDelay - default delay for Local jobs - initially 5 seconds.
   /R : set RemoteDelay - default delay for Remote jobs - initially 15 seconds.
   /I : set InteractiveAlways option - initially OFF.

SOON schedules a job to run in the near future, a number of seconds from now.
SOON closely resembles the AT command because SOON simply runs a suitable AT
command. For a details of the other arguments run "AT /?" without the quotes.

           SOON 10 CMD /C C:\JOBS\BATCH.CMD
           SOON \\SERVER 60 /C \JOBS\BATCH.CMD
           SOON /d /l:2 /r:30 /i:on

Current Settings :     InteractiveAlways = OFF
                    LocalDelay (seconds) = 5
                   RemoteDelay (seconds) = 15

< 9:53 12/10/2004 C:\Program Files\Resource Kit>AT /?
The AT command schedules commands and programs to run on a computer at
a specified time and date. The Schedule service must be running to use
the AT command.

AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
    [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

\\computername     Specifies a remote computer. Commands are scheduled on the
                   local computer if this parameter is omitted.
id                 Is an identification number assigned to a scheduled
/delete            Cancels a scheduled command. If id is omitted, all the
                   scheduled commands on the computer are canceled.
/yes               Used with cancel all jobs command when no further
                   confirmation is desired.
time               Specifies the time when command is to run.
/interactive       Allows the job to interact with the desktop of the user
                   who is logged on at the time the job runs.
/every:date[,...]  Runs the command on each specified day(s) of the week or
                   month. If date is omitted, the current day of the month
                   is assumed.
/next:date[,...]   Runs the specified command on the next occurrence of the
                   day (for example, next Thursday).  If date is omitted, the
                   current day of the month is assumed.
"command"          Is the Windows NT command, or batch program to be run.

So, assuming you have given IUSR persmission to access the local and remote AT service, you would issue a command like ...

SOON \\wortkstation_01 C:\Windows\System32\Shutdown.exe -s

There is also TSSHUTDN.

< 9:58 12/10/2004 C:\WINDOWS\system32>tsshutdn /?
Shut down a server in a controlled manner.

TSSHUTDN [wait_time] [/SERVER:servername] [/REBOOT] [/POWERDOWN]
         [/DELAY:logoffdelay] [/V]

  wait_time           Seconds to wait after user notification before
                      terminating all user sessions (default is 60).
  /SERVER:servername  The server to shut down (default is current).
  /REBOOT             Reboot the server after user sessions are terminated.
  /POWERDOWN          The server will prepare for powering off.
  /DELAY:logoffdelay  Seconds to wait after logging off all connected
                      sessions (default is 30).
  /V                  Display information about actions being performed.

All of these are command line programs you can launch. They all allow you to shutdown another system.

Obviously, the user running these tasks needs permission to the other machines to be able to do this.

If you are an admin user and these all work, then logout and log on as a non admin user. (VERY bad practise to run as an admin when working as a user).

Try these again.

If not working add yourself to the permissions list on the workstations for AT and I think RPC.

I'd try some of this out and if no further joy, ask in the Windows areas.


Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question