How to Run from PHP a Bash Script Under Root User

How to run from PHP a bash script under root user

You can use sudo:

exec("sudo /your/script");

You should allow executing your script without password prompt. Run sudo visudo in console and add the following string to the end:

nobody ALL = NOPASSWD: /your/script

You must set up file mode properly to ensure that no one can modify this script and put dangerous contents into it (in root console):

chown root:root /your/script
chmod 755 /your/script

run bash script as root from php page

This question is similar to sudo in php exec() and they did not arrive at a conclusion.

In your case, since only one bash script needs to be executed in this fashion, considering using setuid instead:

$ su
[enter password]
chown root:root something.sh
chmod 4755 something.sh
exit

Note: Some Linux distributions disable setuid for shell scripts by default for security reasons.

Update: Apparently no commonly used Linux distribution today allows setuid on shell scripts. Perl used to be the exception, but suid-perl is now deprecated.

The only way to execute your bash script using this method is to invoke it from a compiled binary. See the example with the C code on how to do this.

Run PHP shell_exec() like root user

Executing commands as root via PHP will leave yourself wide open to all sorts of malicious hackery.

Have a look at the "sudo" documentation.

You should be able to set up all the commands you need as "sudo"able scripts. It is much better to write specific scripts with limited functions than to expose the underlying priviledged command.

As in:

exec ('sudo getCurrentUser.sh')

First, you need to add the user that PHP is using to run (most of the time it is www-data) to the sudo group if it is not already assigned.

Then, in your php file:

use sudo -S, so you can pass the password via echo

$exec = "echo your_passwd | /usr/bin/sudo -S your command";
exec($exec,$out,$rcode);

if you have trouble with the paths - use

"bash -lc 'echo your_passwd | /usr/bin/sudo -S your command'"

so you get a new bash that acts like a login shell and has the paths set

How can I have a PHP script run a shell script as root?

You can't just sudo like that, you need to setup passwordless sudo first in /etc/sudoers file. This can be done with visudo command for example. Make sure you set up privileges in sudoers file in such way to constrain the apache user to that single command you wish to run (i.e. your shell script).

Even then, it poses a security risk, because anyone could create a PHP script and run your shell script in turn. So make sure that shell script itself is secure from alteration by Apache user.

The second part, killall, is even more problematic. You shouldn't just allow Apache to run killall with root privileges. You should wrap killall in another shell script and grant access to that in sudoers.

In the end: do not run Apache with root account and do not use setuid. Both open a can of worms, and since you are a newbie (given the question you asked) you are very likely to miss some of small details that would create potential problems.

Running some parts of the script with root and other parts with normal user

You need the non-evaluated user in some variable.

How you want to do this depends on your actual use case.

You can look at:

Nasty temp file:

echo "$USER" >  /tmp/thatsme.tmp
su -
# Hmm, now hope nobody has changed the tmpfile doing the same trick
orguser=$(cat /tmp/thatsme.tmp)
rm /tmp/thatsme.tmp

Keep environment

export orguser="$USER"
su # Not su -
echo "orguser=${orguser}"

Proces ps -ef and look for original user on the same tty you are on. (not recommended)

Call su - -c script additional parameter and change your master script that it pulls the user from $1.

run shell script from php as a specified user

I think i found a solution ( but still not sure about the security issues).

It only needs to change the default user (owner) and group of the httpd service. This can be done by editing the httpd.conf located in /opt/lampp/etc (if you are using Xampp). The default user, as I mentioned in the question, is daemon. However it has not permissions to run sudo commands, so it only needs to change that user by another one who has the permissions to run sudo commands (obviously the root user or your deafult user in Ubuntu).

---

Related Topics