PHP system() credentials

I am writing a web-based application to shutdown/reboot WinXP boxes in a lab of 70 systems.

The application has a little GUI map of the lab, each system having a checkbox.  You check what you want to reboot, click GO, and a PHP script writes loops executing the Windows "shutdown" command to the remote systems.

Here's the problem:

The "shutdown" command works from a command prompt, but when running the exact same thing from PHP's system() function, it returns a "Access Denied."

So does PHP run programs under different credentials than the logged in user?  Does it use the IUSR_xxxx  account (when using IIS)?  Is there a way to give the system command more "authority"?

I have tried using "runas" with the shutdown command:  this also works from a command prompt but not the web page.

Any ideas?  Also, any alternate ideas?  (am i doing this the hard way?)
It just needs to be web-based, to do from anywhere.

Who is Participating?
hernst42Connect With a Mentor Commented:
Yes the command is run as IUSR_xxxx So does it work if you put that IUSR_xxxx into the Adminitrator group ??
Richard QuadlingConnect With a Mentor Senior Software DeveloperCommented:
Alternatively, change the user that the webserver runs as to be a normal user.

make sure your script has ADMINISTRATIVE rights
Richard QuadlingSenior Software DeveloperCommented:
I think it is dangerous giving ANY sort of script Admin rights. And even worse a service which will run scripts!

All services should be given the minimum number of rights to do their job. Admin is WAY to powerful.

This is why the IUSR is so restricted.

You don't need to add Admin rights to shutdown the server.

The issue is that you want to shutdown the workstation though.

So. The easiest way is to configure the workstations to allow the AT Service to be accessed by the webserver user.

Then make sure you have time synchronised with the webserver.

Then you get SOON (from the Microsoft Resource Toolkit) and run it so that the shutdown command is run in say 15 seconds on the workstation.

Effectively, you are creating a task to run on the chosen workstation. The task is SHUTDOWN in 15 seconds.

Richard QuadlingSenior Software DeveloperCommented:

< 9:52 12/10/2004 C:\Program Files\Resource Kit>soon

SOON  :  Command Scheduling Utility

Usage : SOON [\\computername] [delay] [/INTERACTIVE] "command"
   or : SOON /D [/L:n] [/R:n] [/I:{ON|OFF}]

delay : the number of seconds from now when the scheduled job should start.

   /D : modify Default settings and/or display their current values.
   /L : set LocalDelay - default delay for Local jobs - initially 5 seconds.
   /R : set RemoteDelay - default delay for Remote jobs - initially 15 seconds.
   /I : set InteractiveAlways option - initially OFF.

SOON schedules a job to run in the near future, a number of seconds from now.
SOON closely resembles the AT command because SOON simply runs a suitable AT
command. For a details of the other arguments run "AT /?" without the quotes.

           SOON 10 CMD /C C:\JOBS\BATCH.CMD
           SOON \\SERVER 60 /C \JOBS\BATCH.CMD
           SOON /d /l:2 /r:30 /i:on

Current Settings :     InteractiveAlways = OFF
                    LocalDelay (seconds) = 5
                   RemoteDelay (seconds) = 15

< 9:53 12/10/2004 C:\Program Files\Resource Kit>AT /?
The AT command schedules commands and programs to run on a computer at
a specified time and date. The Schedule service must be running to use
the AT command.

AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
    [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

\\computername     Specifies a remote computer. Commands are scheduled on the
                   local computer if this parameter is omitted.
id                 Is an identification number assigned to a scheduled
/delete            Cancels a scheduled command. If id is omitted, all the
                   scheduled commands on the computer are canceled.
/yes               Used with cancel all jobs command when no further
                   confirmation is desired.
time               Specifies the time when command is to run.
/interactive       Allows the job to interact with the desktop of the user
                   who is logged on at the time the job runs.
/every:date[,...]  Runs the command on each specified day(s) of the week or
                   month. If date is omitted, the current day of the month
                   is assumed.
/next:date[,...]   Runs the specified command on the next occurrence of the
                   day (for example, next Thursday).  If date is omitted, the
                   current day of the month is assumed.
"command"          Is the Windows NT command, or batch program to be run.

So, assuming you have given IUSR persmission to access the local and remote AT service, you would issue a command like ...

SOON \\wortkstation_01 C:\Windows\System32\Shutdown.exe -s

There is also TSSHUTDN.

< 9:58 12/10/2004 C:\WINDOWS\system32>tsshutdn /?
Shut down a server in a controlled manner.

TSSHUTDN [wait_time] [/SERVER:servername] [/REBOOT] [/POWERDOWN]
         [/DELAY:logoffdelay] [/V]

  wait_time           Seconds to wait after user notification before
                      terminating all user sessions (default is 60).
  /SERVER:servername  The server to shut down (default is current).
  /REBOOT             Reboot the server after user sessions are terminated.
  /POWERDOWN          The server will prepare for powering off.
  /DELAY:logoffdelay  Seconds to wait after logging off all connected
                      sessions (default is 30).
  /V                  Display information about actions being performed.

All of these are command line programs you can launch. They all allow you to shutdown another system.

Obviously, the user running these tasks needs permission to the other machines to be able to do this.

If you are an admin user and these all work, then logout and log on as a non admin user. (VERY bad practise to run as an admin when working as a user).

Try these again.

If not working add yourself to the permissions list on the workstations for AT and I think RPC.

I'd try some of this out and if no further joy, ask in the Windows areas.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.