[nycphp-talk] Can't do PHP 'exec' for an rsync command via web server
David Roth
davidalanroth at gmail.com
Sun Jun 24 19:20:24 EDT 2012
# grep apache /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
You suggesting I change apache to just another user, like this?
apache:x:48:48:Apache:/var/www:/bin/bash
Maybe generate apache's own set of ssh keys to access the remote server for
rsync?
Thanks,
David Roth
On Sun, Jun 24, 2012 at 7:06 PM, Hans Zaunere <bulk at zaunere.com> wrote:
> Often the Apache user isn't created with a home directory etc. Check the
> passwd file to ensure its a full user with a home and shell?
>
> Security is another question :)
> On Jun 24, 2012 6:52 PM, "David Roth" <davidalanroth at gmail.com> wrote:
>
>>
>>
>> On Sun, Jun 24, 2012 at 11:50 AM, Hans Zaunere <bulk at zaunere.com> wrote:
>>
>>> > I'm developing a small utility web page to run on my own server which
>>> is
>>> > running CentOS 6.2 and Apache. PHP 5.3.3.
>>> >
>>> > I tried using from PHP the exec function and also system, but after
>>> checking
>>> > the results nothing is returned. However, when I ran a little fragment
>>> of
>>> > this PHP code from the command line, it worked fine. But it won't
>>> execute
>>> > and return anything when run from a web page.
>>> >
>>> > I have searched for an answer and have not been able to find a workable
>>> > solution to this. I looked and Safe Mode is off for PHP, as it is
>>> shipped
>>> > with CentOS. I've see forum postings about having Apache run as root,
>>> but
>>> > that's not secure. I was wondering if it was possible to put some
>>> specific
>>> > commands in sudoers like rsync for apache? That way maybe exec('sudo
>>> rsync
>>> > ...'); would work without promoting for a password?
>>> >
>>> > I'd greatly appreciate a solution from someone who has already been
>>> through
>>> > this. Thanks!
>>>
>>>
>>> Not necessarily a straightforward resolution to this, but some things
>>> to keep in mind:
>>>
>>> - ensure that the CLI and Apache versions of PHP are using the same
>>> php.ini and that they're logging to the same (or atleast some place
>>> that you know)
>>>
>>> - confirm that the logs don't confirm errors
>>>
>>> - use output buffering and system() to execute a command and debug
>>> what it returns
>>>
>>> - permissions are probably a concern which should be reflected in the
>>> above output
>>>
>>> Hopefully that helps a bit :)
>>>
>>> H
>>>
>>
>> Thanks for the suggestions. The plot thickens. :-)
>>
>> I decided to have system() execute a shell script to do the rsync to see
>> what happens. In the shell script I have 2>rsync_results to capture what is
>> going on. system() was returning 255:
>>
>> Could not create directory '/var/www/.ssh'.
>> Host key verification failed.
>> rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
>> rsync error: unexplained error (code 255) at io.c(600) [receiver=3.0.6]
>>
>> I also added this to the last line of the sudoers file:
>> apache ALL=(ALL) NOPASSWD: ALL
>>
>> Yes, I know that's not secure and it should just be for the rsync command
>> only, but I tried that first to see if it made any difference at all, but
>> it doesn't.
>>
>> The rsync error output of "Could not create directory '/var/www/.ssh'."
>> to me at least reveals that the Apache server doesn't have root access and
>> is operating as user apache, not root. Is my sudoers file wrong? Keep in
>> mind, if I run this shell script from the command line as root, it works.
>> If I run the php script from the command line as root it also works.
>>
>> There is no .ssh in /var/www/.ssh nor should there be. The .ssh for root
>> is located in /root.
>>
>> It appears this has to do with permissions, but I'm not sure how to do
>> this properly. Thanks!
>>
>> David Roth
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20120624/acb1756d/attachment.html>
More information about the talk
mailing list