Execute Root Commands Via PHP

Execute root commands via PHP

Read this whole post before trying it out, there are choices to be made.

Solution using a binary wrapper (with suid bit)

1) Create a script (preferrably .sh) that contains what you want to be ran as root.

# cat > php_shell.sh <<CONTENT
  #!/bin/sh
  /sbin/service sshd restart
CONTENT

2) This file should be owned by root, and since it will later run with root permissions make sure that only root has permission to write to the file.

# chown root php_shell.sh
# chmod u=rwx,go=xr php_shell.sh

3) To run the script as root no matter what user that executes it, we will need a binary wrapper. Create one that will execute our php_shell.sh.

# cat > wrapper.c <<CONTENT
  #include <stdlib.h>
  #include <sys/types.h>
  #include <unistd.h>

  int
  main (int argc, char *argv[])
  {
     setuid (0);

     /* WARNING: Only use an absolute path to the script to execute,
      *          a malicious user might fool the binary and execute
      *          arbitary commands if not.
      * */

     system ("/bin/sh /path/to/php_shell.sh");

     return 0;
   }
CONTENT

4) Compile and set proper permissions, including the suid bit (saying that it should run with root privileges):

# gcc wrapper.c -o php_root
# chown root php_root
# chmod u=rwx,go=xr,+s php_root

php_root will now run with root permissions, and execute the commands specified in php_shell.sh.

If you don't need to the option to easily change what commands that will be executed I'd recommend you to write the commands directly in wrapper.c under step 4. Then you don't need to have a binary executing a external script executing the commands in question.

In wrapper.c, use system ("your shell command here"); to specify what commands you'd like to execute.

Run PHP shell_exec() like root user

Executing commands as root via PHP will leave yourself wide open to all sorts of malicious hackery.

Have a look at the "sudo" documentation.

You should be able to set up all the commands you need as "sudo"able scripts. It is much better to write specific scripts with limited functions than to expose the underlying priviledged command.

As in:

exec ('sudo getCurrentUser.sh')

First, you need to add the user that PHP is using to run (most of the time it is www-data) to the sudo group if it is not already assigned.

Then, in your php file:

use sudo -S, so you can pass the password via echo

$exec = "echo your_passwd | /usr/bin/sudo -S your command";
exec($exec,$out,$rcode);

if you have trouble with the paths - use

"bash -lc 'echo your_passwd | /usr/bin/sudo -S your command'"

so you get a new bash that acts like a login shell and has the paths set

run command as root via php

phpseclib should be best library choice as it does not requires any additional extensions.

<?php
include('Net/SSH2.php');

$ssh = new Net_SSH2('example.com');
if (!$ssh->login('user', 'pass')) {
    exit('Login Failed');
}

echo $ssh->exec('whoami');
echo $ssh->exec('pwd');
?>

Another alternative is libssh2, but it has to be compiled separately and is notoriously difficult to setup/use.

Run program that needs root access via PHP

I think changing script owner to www-data will make your script executable.

In Linux, use chown to change script owner

chown www-data file.txt

This will change file.txt owner to www-data

chown -R www-data /files/work

Recursively grant ownership of the directory /files/work, and all files and subdirectories, to user www-data.

Linux chown command details

In PHP, you can use chown function to change ownership

<?php

// File name and username to use
$file_name= "foo.php";
$path = "/home/sites/php.net/public_html/sandbox/" . $file_name ;
$user_name = "root";

// Set the user
chown($path, $user_name);

// Check the result
$stat = stat($path);
print_r(posix_getpwuid($stat['uid']));

?>

Php chown details

Execute Root Commands Via PHP