mando222 - 6 months ago
PHP Question

How to run a script from apache user in non owned folder?

I have found many questions that do this through opening up huge holes in permissions or changing user ownership of files. For my current application neither of those is an option. What I am trying to do is use a shell_exec or similar php function to run a .sh script in a totally different folder on my system when a button is clicked on my webpage. The script has to be run from the folder it is in. I am on debian and have installed sudo to allow apache user to run the command by adding these lines:

www-data ALL=(ALL) NOPASSWD:/opt/folder/ start
www-data ALL=(ALL) NOPASSWD:/opt/folder/ stop
www-data ALL=(ALL) NOPASSWD:/opt/folder/ status

The is not something I am allowed to edit so I have to manage this on the apache end if possible. I am not allowed to change the permissions or ownership of So you can see my dilemma. The php call I am using looks like this:

$test = shell_exec('cd /opt/folder/ && ./ start && cd -');

I am using $test to echo the output from the command. Here is where it gets strange. There is good output from the command. The script is used to start and stop a list of other programs and display their statuses. I can run
./ status
and get a good result back in the $test variable. If I try
./ stop
it says it worked (I am pretty sure the script doesn't have much checking built in) but then nothing actually happens on the system. I can run a
ps -ef | grep
as a sanity check and see all the processes that were supposed to be stopped. It is the same if I run the
./ start
but it will return that none of the programs started.

So all that said, I am just trying to figure out what I am doing wrong. I am sure the php is running the bash script, but for some reason doesn't have the ability to actually run any of the start or stop commands in the script. I can fully run as root from the OS as well. I am really at the end of my rope on this one so any help is extremely appreciated. If this is not even possible then is there an alternative that doesn't require an additional program installation.


So after a few more attempts I decided to save this for later. I realized that although I was allowing the apache user to run the script as root I hadn't actually told it to. To fix this I made the change

$test = shell_exec('cd /opt/folder/ && sudo ./ start && cd -');

The added sudo now tells the script to run as root and the entries in visudo allow it to do so without asking for a password. I did change my visudo file to be a bit more slimmed down so now it just has one line.

www-data ALL=(ALL) NOPASSWD:/opt/folder/

This fits both the security requirements and the user constraints. There are almost no attack vectors open as a chmod 777 or the like would cause and the apache user only has access to the script with the hard coded parameters it contains.
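The following is an added example of how the PHP side of this setup can be written so that the web process can only ever hand sudo the three fixed actions; it is not the poster's code. The script name is elided on this page, so the example assumes a hypothetical path /opt/folder/control.sh, a hypothetical POST field named action, and sudoers entries that name each action explicitly (as the three original lines in the question did). One caveat worth keeping in mind: a sudoers entry that ends in the bare command path, with no arguments, lets the permitted user run that command with any arguments, so listing start, stop and status as separate entries is the tighter configuration and is what the example below assumes.

```php
<?php
// Added example, not the poster's code. Assumes the elided script is
// /opt/folder/control.sh (hypothetical) and that sudoers grants www-data
// exactly these invocations, one line per action:
//   www-data ALL=(root) NOPASSWD: /opt/folder/control.sh start
//   www-data ALL=(root) NOPASSWD: /opt/folder/control.sh stop
//   www-data ALL=(root) NOPASSWD: /opt/folder/control.sh status

const CONTROL_SCRIPT = '/opt/folder/control.sh'; // hypothetical path
const CONTROL_DIR    = '/opt/folder';

// Only these exact strings may reach sudo; anything else is rejected
// before a shell is involved at all.
const ALLOWED_ACTIONS = ['start', 'stop', 'status'];

/**
 * Run the control script as root for one allow-listed action.
 * Returns [exit code, output lines].
 */
function run_control(string $action): array
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException("unknown action: $action");
    }

    // The command is assembled from fixed pieces; escapeshellarg() is still
    // applied so no argument can be reinterpreted by the shell.
    // sudo -n never prompts: if sudoers does not match this exact command,
    // sudo fails immediately instead of hanging the web request.
    $cmd = 'sudo -n ' . escapeshellarg(CONTROL_SCRIPT)
         . ' ' . escapeshellarg($action) . ' 2>&1';

    $descriptors = [
        0 => ['file', '/dev/null', 'r'], // no stdin for the child
        1 => ['pipe', 'w'],              // stdout (stderr merged via 2>&1)
        2 => ['file', '/dev/null', 'a'],
    ];

    // proc_open()'s cwd argument replaces the "cd /opt/folder && ... && cd -"
    // dance: the script starts in its own directory.
    $proc = proc_open($cmd, $descriptors, $pipes, CONTROL_DIR);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start control script');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $code = proc_close($proc);

    return [$code, array_values(array_filter(explode("\n", $out), 'strlen'))];
}

// Request handling for the button: the action comes from a POST field.
$action = $_POST['action'] ?? 'status';
try {
    [$code, $lines] = run_control($action);
    if ($code !== 0) {
        // A non-zero code surfaces both script failures and a sudoers
        // mismatch, rather than reporting success while nothing happened.
        http_response_code(500);
    }
    header('Content-Type: text/plain');
    echo implode("\n", $lines), "\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "bad request\n";
}
```

Checking the exit code is the part that addresses the symptom described in the question: with shell_exec alone, a script that silently fails still returns output that looks like success, whereas here a sudo refusal or a failing script produces a visible 500 and the sudo error text in the response.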