PHP shell_exec to run debian system service
I'm trying to control a system service with PHP's shell_exec function:
shell_exec('sudo /usr/sbin/service icecast2 stop');
But the only way I can get it to work is by allowing ALL users root access to the services in /etc/sudoers:
ALL ALL=(root) NOPASSWD: /usr/sbin/service
This is obviously a really bad idea, but it refuses to run if I try to set it to anything else, as the service needs root privs, e.g.:
%www-data ALL=(root) NOPASSWD: /usr/sbin/service
%www-data ALL=NOPASSWD: /usr/sbin/service
Also, an echo of posix_getpwuid(posix_geteuid())['name']; gives me a different name that is running the process - not www-data. But neither of these work either:
%myphpuser ALL=(root) NOPASSWD: /usr/sbin/service
%myphpuser ALL=NOPASSWD: /usr/sbin/service
I also tried writing a bash script to control the service and call it from shell_exec, but that fails to run too.
Can anybody think of any other solution so I don't leave my services open like this?
For instance, just allowing access to this specific service and function instead?
EDIT
Made some progress. This works, but is this safe enough?
myphpuser ALL=(ALL:ALL) ALL
myphpuser ALL=NOPASSWD: /usr/sbin/service
Should also mention that the PHP script that calls this is run by a cron job; it's not public facing in any way whatsoever.
debian php exec
You say “it refuses to run”, “neither of these work either” and “that fails to run [too]”. Please be more specific about what happened. … … … … … … … … … … … … … … Please do not respond in comments; edit your question to make it clearer and more complete.
– G-Man
13 mins ago
1
consider narrowing down the (eventual) sudo rules down to usr/sbin/service icecast2 stop and usr/sbin/service icecast2 start (so that a PHP user can't stop arbitrary services)
– Jeff Schaller
10 mins ago
asked 24 mins ago by spice (new contributor)
edited 7 mins ago by spice
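The narrowing suggested in the comments, written out as an added example that is not part of the original thread: a sudoers rule limited to the two exact command lines, and a PHP caller that reports sudo's exit code and stderr instead of failing silently. The drop-in file name, the `/usr/bin/sudo` path, the script name and the `controlIcecast` helper are assumptions; `myphpuser` is the account name reported in the question.

```php
<?php
// Added example, not code from the thread. Assumed sudoers drop-in (file name
// is a placeholder), checked with `visudo -cf` before use; "myphpuser" is the
// account the question reports, entered as a user (no % group prefix):
//
//   # /etc/sudoers.d/icecast2-control
//   myphpuser ALL=(root) NOPASSWD: /usr/sbin/service icecast2 stop, \
//                                  /usr/sbin/service icecast2 start
//
// A rule that lists arguments only matches that exact command line.

const SUDO_BIN = '/usr/bin/sudo';          // assumed Debian path
const SERVICE_BIN = '/usr/sbin/service';
const SERVICE_NAME = 'icecast2';
const ALLOWED_ACTIONS = ['start', 'stop']; // mirrors the sudoers rule

/** Hypothetical helper: run one allowed action, return exit code and output. */
function controlIcecast(string $action): array
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException("action not allowed: {$action}");
    }
    // Array form (PHP 7.4+) executes sudo directly, with no shell to inject into.
    // -n makes sudo exit with an error instead of waiting for a password.
    $cmd = [SUDO_BIN, '-n', SERVICE_BIN, SERVICE_NAME, $action];
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start sudo');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Cron usage: php icecast-control.php stop
$result = controlIcecast($argv[1] ?? 'stop');
if ($result['exit'] !== 0) {
    // sudo's own message (e.g. "a password is required") shows why it refused.
    fwrite(STDERR, "exit {$result['exit']}: {$result['stderr']}");
}
exit($result['exit']);
```

Running `sudo -l -U myphpuser` as root lists the rules sudo applies to that account, which confirms whether the drop-in is being matched.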