
I am trying to get my PHP page to run this command:

shell_exec("sudo /home/xbian/433Utils/RPi_utils/codesend {$num}");

So I added this entry to my sudoers file with visudo:

www-data ALL=NOPASSWD: /home/xbian/433Utils/RPi_utils/codesend

But it isn't working. When I run the command in a shell with sudo it works. I am pretty sure that there is nothing wrong with the rest of the code; when I replace shell_exec with echo, I get the correct command printed. I have also verified that my PHP is being run as the www-data user.

Have I just got the sudoers entry wrong? How can I troubleshoot? I understand that I can't really run commands as www-data without giving it a password, which is a bad idea.

You can troubleshoot the issue using: shell_exec("sudo /home/xbian/433Utils/RPi_utils/codesend {$num} >/tmp/debug.log 2>&1"); –  Rahul Patil Jan 26 at 6:38
    
I get wiringPiSetup: Must be root. (Did you forget sudo?), which is the same as if I try doing it on the command line without sudo. Edit: whoops, that was with sudo taken out. When I put it back in I get normal output; the program tells me that it is sending the code. But it simply doesn't work. –  Stoopkid Jan 26 at 21:31

2 Answers

Your sudoers line is correct in that it only allows www-data to execute the one command as root. The PHP syntax looks mostly correct (you are validating $num to make sure it is a number? Miscellaneous symbols can do real damage here; see http://us3.php.net/manual/en/function.escapeshellcmd.php ). The two things that you didn't mention were which Apache MPM you are using, and whether you are running PHP in safe mode. shell_exec does not work in safe mode, and it uses fork, which may not work with all MPMs. I would recommend using the prefork MPM.

My PHP is 5.4.4, so I understand that it does not have safe mode, and I think that I am using prefork... At least it is in my loaded modules. –  Stoopkid Jan 26 at 5:51
    
Why is prefork preferred? So long as the system supports thread-safe polling then 'event' is the default MPM. What advantages would switching to 'prefork' achieve? –  dotancohen Jul 21 at 4:41
    
@dotancohen sudo cgi requires a fork (unless you are using fcgi or similar) which may break threading which breaks several MPMs. There are special workarounds to get mod_cgi to work with event_mpm, but I do not know if they have been ported to mod_php. It is known to work with prefork. (and the bandwidth usage on most sudo applications is not an issue) –  hildred Jul 22 at 0:39
    
I see, thank you very much! –  dotancohen Jul 22 at 8:41

Yes, I think that it's a really bad idea to add the apache user www-data to the list of sudoers, especially because you include a variable $num inside your code that could seriously harm your server if wrongly injected (especially if used by a sudoer user).

I would suggest instead to create a new group, to add www-data to that group and to assign /home/xbian/433Utils/RPi_utils/codesend to the group. Then, give permissions to codesend to be executed by all members of that group; you should not be asked for any password and your system will be secure.

This doesn't seem to work. I made a new group, added www-data to it, changed the group of the file to this new one, and set the file permissions so that they could all execute it... This codesend program required sudo because of a dependent library; is this supposed to deal with that? –  Stoopkid Jan 26 at 1:59
    
@edoardo849 Your solution is less secure than using a properly setup sudo. sudo can be set up to allow a user to only execute one command. –  hildred Jan 26 at 3:49
    
This isn't more secure than the sudo approach. Both cases allow any web server process to execute a specific script. –  forcefsck Jun 15 at 12:55
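Both answers warn about the unvalidated $num that the question interpolates into the sudo command. The following is an added example (not code from the question or from either answer) of what that validation looks like in PHP: the value is accepted only as a plain decimal integer and quoted with escapeshellarg() before it reaches shell_exec(), since with the sudoers rule above whatever gets there runs as root. The function names and the use of $_GET['num'] are assumptions for illustration; the question does not show where $num comes from.

```php
<?php
// Added example, not code from the question or answers. Because the sudoers
// rule in the question lets www-data run codesend as root with no password,
// anything that reaches shell_exec() here is executed as root: $num must be
// validated before it is interpolated into the command line.

define('CODESEND', '/home/xbian/433Utils/RPi_utils/codesend');

// Vulnerable form from the question, kept for comparison: $num is interpolated
// unchecked, so a (constructed) value such as "123; id" runs a second command.
function unsafe_codesend_command($num)
{
    return "sudo " . CODESEND . " {$num}";
}

// Hardened form: returns the command string, or null if $num is not a plain
// decimal code. ctype_digit() rejects signs, spaces and shell metacharacters;
// escapeshellarg() then quotes the value so that even a later change to the
// check cannot turn it into extra shell syntax.
function build_codesend_command($num)
{
    $num = (string) $num;
    if ($num === '' || !ctype_digit($num) || strlen($num) > 10) {
        return null;
    }
    return 'sudo ' . CODESEND . ' ' . escapeshellarg($num);
}

// Hypothetical request handling (assumed: the code arrives as ?num=...).
$num = isset($_GET['num']) ? $_GET['num'] : '';
$cmd = build_codesend_command($num);
if ($cmd === null) {
    header('HTTP/1.1 400 Bad Request');
    echo "invalid code\n";
    exit;
}
// Merge stderr into the output so a failure such as "Must be root" shows up in
// the web server's error log instead of vanishing, as the comments suggest.
$output = shell_exec($cmd . ' 2>&1');
error_log('codesend: ' . trim((string) $output));
echo "sent\n";
```

The length cap of 10 digits is an assumption; adjust it to the range of codes codesend actually accepts.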
