PHP shell_exec to run debian system service












I'm trying to control a system service with PHP's shell_exec function:

shell_exec('sudo /usr/sbin/service icecast2 stop');

But the only way I can get it to work is by allowing ALL users root access to the services in /etc/sudoers:

ALL ALL=(root) NOPASSWD: /usr/sbin/service

This is obviously a really bad idea, but it refuses to run if I try to set it to anything else, as the service needs root privs, e.g.:

%www-data ALL=(root) NOPASSWD: /usr/sbin/service
%www-data ALL=NOPASSWD: /usr/sbin/service

Also, an echo of posix_getpwuid(posix_geteuid())['name']; gives me a different name that is running the process - not www-data. But neither of these work either:

%myphpuser ALL=(root) NOPASSWD: /usr/sbin/service
%myphpuser ALL=NOPASSWD: /usr/sbin/service

I also tried writing a bash script to control the service and call it from shell_exec, but that fails to run too.

Can anybody think of any other solution so I don't leave my services open like this?

For instance, just allowing access to this specific service and function instead?

EDIT

Made some progress. This works, but is this safe enough?

myphpuser ALL=(ALL:ALL) ALL
myphpuser ALL=NOPASSWD: /usr/sbin/service

Should also mention that the PHP script that calls this is run by a cron job; it's not public facing in any way whatsoever.










  • You say “it refuses to run”, “neither of these work either” and “that fails to run [too]”. Please be more specific about what happened. Please do not respond in comments; edit your question to make it clearer and more complete.

    – G-Man
    13 mins ago








  • consider narrowing down the (eventual) sudo rules down to usr/sbin/service icecast2 stop and usr/sbin/service icecast2 start (so that a PHP user can't stop arbitrary services)

    – Jeff Schaller
    10 mins ago
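
The narrowing suggested in the comment above, checked against the rules quoted in the question. This is an added example, not code from the original post and not sudo's own parser: it handles only single-line rules without aliases, and the narrowed rule assumes myphpuser is the account the cron job runs as.

```python
import re

# Simplified sudoers user specification: WHO HOST=(RUNAS) TAG: CMD, CMD ...
# Assumption: one spec per line, no aliases, no line continuations.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit(line):
    """Return the findings for one sudoers line; an empty list means none."""
    m = SPEC.match(line.strip())
    if not m:
        return ["could not parse"]
    findings = []
    who = m["who"]
    if who == "ALL":
        findings.append("applies to every user")
    elif who.startswith("%"):
        # A leading % names a group, so the invoking user must be a member.
        findings.append(f"matches group {who[1:]!r}, not a user of that name")
    for cmd in (c.strip() for c in m["cmds"].split(",")):
        if cmd == "ALL":
            findings.append("grants every command")
        elif " " not in cmd:
            # With no arguments listed, sudo accepts any arguments.
            findings.append(f"{cmd} accepts any arguments")
    return findings

# Rules quoted from the question, then the narrowed rule (constructed here).
NARROWED = ("myphpuser ALL=(root) NOPASSWD: "
            "/usr/sbin/service icecast2 stop, /usr/sbin/service icecast2 start")
RULES = [
    "ALL ALL=(root) NOPASSWD: /usr/sbin/service",
    "%www-data ALL=NOPASSWD: /usr/sbin/service",
    "myphpuser ALL=(ALL:ALL) ALL",
    "myphpuser ALL=NOPASSWD: /usr/sbin/service",
    NARROWED,
]

def report(rules=RULES):
    """Map each rule to its findings."""
    return {rule: audit(rule) for rule in rules}

if __name__ == "__main__":
    for rule, findings in report().items():
        print(rule, "->", "; ".join(findings) or "no findings")
```

Only the narrowed rule comes back with no findings. Before installing a rule like it, validate the file with `visudo -cf <file>`.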
















debian php exec






edited 7 mins ago







spice













asked 24 mins ago









spice
