[nycphp-talk] Can't do PHP 'exec' for an rsync command via web server

Hans Zaunere bulk at zaunere.com
Sun Jun 24 19:06:58 EDT 2012


Often the Apache user isn't created with a home directory etc.  Check the
passwd file to ensure it's a full user with a home and shell?

Security is another question :)
On Jun 24, 2012 6:52 PM, "David Roth" <davidalanroth at gmail.com> wrote:

>
>
> On Sun, Jun 24, 2012 at 11:50 AM, Hans Zaunere <bulk at zaunere.com> wrote:
>
>> > I'm developing a small utility web page to run on my own server which is
>> > running CentOS 6.2 and Apache. PHP 5.3.3.
>> >
>> > I tried using from PHP the exec function and also system, but after
>> > checking the results nothing is returned. However, when I ran a little
>> > fragment of this PHP code from the command line, it worked fine. But it
>> > won't execute and return anything when run from a web page.
>> >
>> > I have searched for an answer and have not been able to find a workable
>> > solution to this. I looked and Safe Mode is off for PHP, as it is
>> > shipped with CentOS. I've seen forum postings about having Apache run as
>> > root, but that's not secure. I was wondering if it was possible to put
>> > some specific commands in sudoers like rsync for apache? That way maybe
>> > exec('sudo rsync ...'); would work without prompting for a password?
>> >
>> > I'd greatly appreciate a solution from someone who has already been
>> > through this. Thanks!
>>
>>
>> Not necessarily a straightforward resolution to this, but some things
>> to keep in mind:
>>
>> - ensure that the CLI and Apache versions of PHP are using the same
>> php.ini and that they're logging to the same (or at least some place
>> that you know)
>>
>> - confirm that the logs don't confirm errors
>>
>> - use output buffering and system() to execute a command and debug
>> what it returns
>>
>> - permissions are probably a concern which should be reflected in the
>> above output
>>
>> Hopefully that helps a bit :)
>>
>> H
>>
>
> Thanks for the suggestions. The plot thickens. :-)
>
> I decided to have system() execute a shell script to do the rsync to see
> what happens. In the shell script I have 2>rsync_results to capture what is
> going on. system() was returning 255:
>
> Could not create directory '/var/www/.ssh'.
> Host key verification failed.
> rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
> rsync error: unexplained error (code 255) at io.c(600) [receiver=3.0.6]
>
> I also added this to the last line of the sudoers file:
> apache ALL=(ALL) NOPASSWD: ALL
>
> Yes, I know that's not secure and it should just be for the rsync command
> only, but I tried that first to see if it made any difference at all, but
> it doesn't.
>
> The rsync error output of "Could not create directory '/var/www/.ssh'." to
> me at least reveals that the Apache server doesn't have root access and is
> operating as user apache, not root. Is my sudoers file wrong? Keep in mind,
> if I run this shell script from the command line as root, it works. If I
> run the php script from the command line as root it also works.
>
> There is no .ssh in /var/www/.ssh nor should there be. The .ssh for root
> is located in /root.
>
> It appears this has to do with permissions, but I'm not sure how to do
> this properly. Thanks!
>
> David Roth
>
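
Added example (not part of the original thread or either poster's code): a temporary PHP diagnostic that performs the checks suggested above. It reports the passwd entry (home directory and shell) of the account PHP runs as, and runs a command while capturing stderr and the exit status, which exec() and system() do not return. The function names, the `id` sample command and the use of the posix extension (packaged as php-process on CentOS) are assumptions of this sketch.

```php
<?php
// Temporary diagnostic: run it once from the CLI and once through Apache,
// compare the two reports, then delete the file.

// Passwd entry of the account PHP is running as. ssh looks for
// ~/.ssh/known_hosts under this home directory, which is where the
// "Could not create directory '/var/www/.ssh'" message comes from.
function account_report()
{
    $pw   = posix_getpwuid(posix_geteuid());
    $home = $pw['dir'];
    return array(
        'user'          => $pw['name'],
        'home'          => $home,
        'shell'         => $pw['shell'],
        'home_exists'   => is_dir($home),
        'home_writable' => is_writable($home),
        'known_hosts'   => is_readable($home . '/.ssh/known_hosts'),
    );
}

// Run a fixed command string and return stdout, stderr and exit status.
// Any variable part of $command must go through escapeshellarg() first.
// stderr goes to a temp file so a chatty child cannot block on a full pipe.
function run_capture($command)
{
    $errFile = tmpfile();
    $spec    = array(1 => array('pipe', 'w'), 2 => $errFile);
    $proc    = proc_open($command, $spec, $pipes);
    if (!is_resource($proc)) {
        fclose($errFile);
        return array('exit' => -1, 'stdout' => '', 'stderr' => 'proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);      // exit status of the child process
    rewind($errFile);
    $stderr = stream_get_contents($errFile);
    fclose($errFile);
    return array('exit' => $exit, 'stdout' => $stdout, 'stderr' => $stderr);
}

header('Content-Type: text/plain');  // no effect under the CLI
echo 'SAPI: ', php_sapi_name(), "\n";
print_r(account_report());
// 'id' is a harmless sample; substitute the fixed command being debugged.
print_r(run_capture('id'));
```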