
[nycphp-talk] SSH2_CONNECT

Michele Waldman mmwaldman at nyc.rr.com
Fri Jul 31 20:15:35 EDT 2009


I didn't see anything in /var/log/messages.

Michele

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On Behalf Of Leam Hall
> Sent: Friday, July 31, 2009 7:58 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] SSH2_CONNECT
> 
> Hey Michele.
> 
> Can you edit /etc/sudoers? You might be able to give it the NOPASSWD
> option, to at least shorten it a bit.
> 
> Can you read /var/log/messages and the web server log to see if they say
> anything?
> 
> Leam
> 
> Michele Waldman wrote:
> > So I rewrote the code in bash due to my client's concern about bandwidth.
> >
> > Here's my new problem:
> > $msg = exec("echo $password | sudo /home/user/site_util/copy_sites $id 2> /dev/null");
> >
> > The script isn't running.
> >
> > Since it's running from http, I modified the user nobody to have /bin/bash in /etc/passwd and gave the user a password.
> >
> > I can login to the server as nobody and run this code on the command line. Works fine.
> >
> > Does anyone know why this execute isn't working in php?
> >
> > Michele
> >
> >> -----Original Message-----
> >> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> >> On Behalf Of Kenneth Dombrowski
> >> Sent: Friday, July 31, 2009 7:33 AM
> >> To: NYPHP Talk
> >> Subject: Re: [nycphp-talk] SSH2_CONNECT
> >>
> >> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
> >>> Most probably your PHP script will be running under the same username as
> >>> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
> >>> wouldn't want to give www or nobody sudo privilege anyway!).
> >> All this talk about sudo not working made me curious -- why shouldn't it
> >> work?  It will, and a well configured sudo offers a very fine level of
> >> control -- though whether one wants to do it is another question
> >>
> >> # visudo
> >> Defaults:www-data       !lecture
> >> Defaults:www-data       !authenticate
> >> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
> >>
> >> The first two lines get rid of sudo's usual prompts, since it will never
> >> run interactively, & the last specifies a single command + argument
> >> www-data is allowed to run as kenneth (you can use shell-style globs)
> >>
> >> # sudo.php
> >> <?php
> >> header('Content-type: text/plain');
> >> $f = '/tmp/sudoer.apache';
> >> system("sudo -u kenneth /usr/bin/touch $f");
> >> print "\n$f exists? " . (bool) file_exists($f);
> >>
> >> kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
> >>    /tmp/sudoer.apache exists? 1
> >> kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache
> >> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
> >>
> >> So on debian, www-data successfully created a file as kenneth.  On FreeBSD
> >> I think www/nobody/whatever has a /bin/false shell, so there it won't
> >> work.  Of course, you shouldn't do it on shared hosts, and I'm sure
> >> somebody will tell me you shouldn't do it at all, but it's not due to a
> >> technical limitation
> >>
> >>
> >> _______________________________________________
> >> New York PHP User Group Community Talk Mailing List
> >> http://lists.nyphp.org/mailman/listinfo/talk
> >>
> >> http://www.nyphp.org/show_participation.php
> >
> >
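For reference, here is an added example of the pattern Kenneth describes, written the way I would want it in a web tree. It is my own code, not anything posted by Michele, Kenneth or Leam, and the helper path, the target user and the sudoers lines it assumes are placeholders. The points it demonstrates: sudo only prompts on the controlling tty unless given -S, so `echo $password | sudo ...` never delivers the password; with a `!authenticate` / NOPASSWD entry for one fixed command the web process handles no password at all; `sudo -n` makes a misconfigured entry fail immediately instead of hanging on a prompt nobody can answer; the argument is allow-listed and escaped so `$id` cannot become a shell injection; and stderr is kept and logged rather than sent to /dev/null, which is exactly what was hiding the failure in the original exec() line.

```php
<?php
// Added example, not code from the thread. Assumed sudoers entries (visudo):
//   Defaults:www-data !lecture, !authenticate
//   www-data ALL = (siteadmin) NOPASSWD: /home/user/site_util/copy_sites
// The helper path and the target user below are placeholders.

const HELPER      = '/home/user/site_util/copy_sites';  // assumed helper path
const TARGET_USER = 'siteadmin';                         // assumed target user

/**
 * Build the exact command line. Kept separate so it can be inspected or logged.
 * Throws InvalidArgumentException if $id is not a plain site identifier.
 */
function buildCopySitesCommand(string $id): string
{
    // Allow-list the argument shape the helper expects before it reaches a shell.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        throw new InvalidArgumentException("refusing unexpected site id: $id");
    }
    // escapeshellarg() on every token on top of the allow-list above.
    // -n: never prompt; fail at once if sudoers does not permit this command.
    return 'sudo -n -u ' . escapeshellarg(TARGET_USER) . ' '
         . escapeshellarg(HELPER) . ' ' . escapeshellarg($id) . ' 2>&1';
}

/**
 * Run the helper and return [exit_status, output_lines].
 * stderr is merged into the output, so a sudoers, PATH or permission problem
 * ends up in the web server's error log instead of failing silently.
 */
function runCopySites(string $id): array
{
    $cmd    = buildCopySitesCommand($id);
    $output = [];
    $status = 1;
    exec($cmd, $output, $status);
    if ($status !== 0) {
        error_log(sprintf('copy_sites failed (exit %d): %s',
                          $status, implode(' | ', $output)));
    }
    return [$status, $output];
}

header('Content-Type: text/plain');
try {
    [$status, $lines] = runCopySites($_GET['id'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "bad request\n";
    exit;
}
echo $status === 0 ? "ok\n" : "copy_sites failed, see server error log\n";
```

The sudoers line names the helper by absolute path with no wildcard, so www-data can run that one binary as the target user and nothing else; if the helper itself needs arguments, keep validating them in the helper too, since sudoers only matches the command line it sees.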



