How can I have a PHP script run a shell script as

2020-03-27 11:24发布

Running Fedora 9/10, Apache 2, PHP 5...

Can I run a shell script as root, from a PHP script using exec()?

Do I just give Apache root priveleges, and then add "sudo" in front of them command?

Specifically, I'm trying to start and stop a background script.

Currently I have a shell script that just runs the app, start.sh:

#!/bin/bash 
/path/to/my/app/appname

And a script that kills the app, stop.sh:

#!/bin/bash 
killall appname

Would I just do:

<?php
exec("sudo start.sh");
?>

Thanks in advance.

7条回答
你好瞎i
2楼-- · 2020-03-27 11:41

You can't just sudo like that, you need to setup passwordless sudo first in /etc/sudoers file. This can be done with visudo command for example. Make sure you set up privileges in sudoers file in such way to constrain the apache user to that single command you wish to run (i.e. your shell script).

Even then, it poses a security risk, because anyone could create a PHP script and run your shell script in turn. So make sure that shell script itself is secure from alteration by Apache user.

The second part, killall, is even more problematic. You shouldn't just allow Apache to run killall with root privileges. You should wrap killall in another shell script and grant access to that in sudoers.

In the end: do not run Apache with root account and do not use setuid. Both open a can of worms, and since you are a newbie (given the question you asked) you are very likely to miss some of small details that would create potential problems.

查看更多
爷、活的狠高调
3楼-- · 2020-03-27 11:43

You don't want to give Apache root.

There's another solution to your problem. The problem is that Apache cannot kill the process because it is owned by root. What you can do is change the owner to 'www-data' which is what Apache is identified as.

If the process is a service and starts up on boot you can add the

sudo -u www-data <start-up script>

so that www-data would be the owner of that process and hence running the shut-down script would work.

查看更多
Luminary・发光体
4楼-- · 2020-03-27 11:44

As requested, here's the python server...

#!/usr/bin/python
import os 
import socket
print "  Loading Bindings..."
settings = {}
line = 0 
for each in open('/path/to/actions.txt', 'r'):
 line = line + 1
  each = each.rstrip()
  if each <> "":
    if each[0] <> '#':
      a = each.partition(':')
      if a[2]:
        settings[a[0]] = a[2]
      else:
        print "    Err @ line",line,":",each
print "  Starting Server...",
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind(("", port))
print "OK."
print "  Listening on port:", port
while True:
    datagram = s.recv(1024)
    if not datagram:
        break
    print "Rx Cmd:", datagram
    if settings.has_key(datagram):
      print "Launch:", settings[datagram]
      os.system(settings[datagram]+" &")
s.close() 

The config file "actions.txt" uses the format "action-name:corresponding-shell-command" i.e.

# Hash denotes a comment
webroot:nautilus /var/www
ftp:filezilla
edit_homepage:gedit /var/www/homepage/htdocs/index.php

This code doesn't check the originating IP of the incoming UDP packets as I have it running on localhost, I am firewalled of from anyone else and checking would provide no protection against spoofing anyway.

I don't have time to rewrite it to use TCP/IP but Python is a language that's worth getting to know so if you really want that functionality I'll leave it to you to have a google for 'Python' and 'SOCK_STREAM'. It's probably not worth your trouble though, it's easier to configure your firewall so that no spoofed localhost packets can get through and modify the code to make sure it only listens to packets from the loopback.

查看更多
The star\"
5楼-- · 2020-03-27 11:46

You could consider using an ssh connection to localhost with keepair authentication to an account that has root permissions. In such a setup you won't need root access for your webserver.

查看更多
我欲成王,谁敢阻挡
6楼-- · 2020-03-27 11:47
  1. Don't run Apache as root. Apache has been designed to cope very well with starting as root and then dropping its privileges just as soon as it can

  2. Don't use sudo within your script either - it'll be too easy to end up with sudo misconfigured such that any script running on your server gets to run any program it likes with root privileges

  3. Look at making your own program run "setuid", so that it gets root privileges, but then drops them (just like Apache does) when it doesn't need them any more

  4. Make sure your "setuid" executable can't be run by anybody who isn't supposed to be able to run it.

查看更多
在下西门庆
7楼-- · 2020-03-27 11:50

I'm not professional in this field, but it looks like you need SUID flag.

Read here for examples or google

查看更多
登录 后发表回答