8

I have a shell script called boot.sh on an Nginx server.

I am trying to call it via PHP, but I don't think I have permissions.

How can I give www-data permission to run boot.sh - and only boot.sh?

When trying `sudo chown` or `sudo chgrp` I am getting "Operation not permitted".

K2xL
  • 1
    Post actual commands and their outputs, plus full paths please – fukawi2 Nov 10 '13 at 23:53
  • 1
    Is it necessary to run boot.sh as root? What does the script actually do? If the script does not necessarily need root execution privileges, it's good to simply fix the permissions of the script for www-data. – vagarwal Nov 11 '13 at 14:27
  • I've done lots of shell execution from webservers (including nginx) and the process executes as whatever user the server is shown as owning by `ps`. Look for password-less sudo. I've done it a few times and there are 2 or 3 ways to pull it off (all hacks). If anything cheat and copy boot.sh where you can get to it? – Krista K Jan 01 '14 at 10:02

2 Answers

10

Use `system("whoami");` to get the username of the webserver; I use www-data in this example. Edit your sudoers file and add the following, where user is the username it will be run under.

www-data ALL=(user) NOPASSWD: /path/to/program/or/script

Then use the following command in PHP.

system("sudo -u user /path/to/program/or/script");

Alex
  • Tried with user phpuser. Didn't seem to work. Tried running the command directly from the command line and got: `sudo: unknown user: phpuser` – K2xL Nov 11 '13 at 13:11
  • 1
    It has to be a real user on the system. Use the user with which you have access to the command line. – Alex Nov 11 '13 at 13:47
  • Won't the fact that someone is able to run a script as www-data without a password create a safety issue? Will www-data not be able to run any other commands? – Mr.TK Sep 12 '14 at 06:16
  • It will only have `NOPASSWD` for the `/path/to/program/or/script` – Alex Sep 12 '14 at 15:08
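
An added example, not part of the original answers: the `NOPASSWD` rule is only as narrow as the file it names, so this shell code checks that the script and its directory cannot be modified by anyone but their owner before it prints the sudoers line. It assumes GNU coreutils (`stat -c`, `realpath -e`); the function names `locked_down` and `sudoers_rule` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes GNU coreutils
# (stat -c, realpath -e). Function names are hypothetical.

# locked_down FILE OWNER_UID
# Succeeds only if FILE and the directory holding it are owned by OWNER_UID
# and have no group/other write bit. Otherwise the web user could edit or
# replace the script, and the NOPASSWD rule would run whatever it put there.
# Directories further up the path are not checked here.
locked_down() (
    file=$(realpath -e -- "$1") || { echo "not found: $1" >&2; exit 2; }
    for p in "$file" "$(dirname -- "$file")"; do
        uid=$(stat -c %u -- "$p")
        mode=$(stat -c %a -- "$p")
        if [ "$uid" != "$2" ]; then
            echo "FAIL $p: owner uid $uid, expected $2" >&2; exit 1
        fi
        # %a is octal (e.g. 755 or 1777); the leading 0 keeps it octal here.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $p: mode $mode is group/other writable" >&2; exit 1
        fi
    done
)

# sudoers_rule WEB_USER RUN_AS FILE [OWNER_UID]
# Prints the one-command rule from the answer, using the resolved absolute
# path, but only after the audit passes. OWNER_UID defaults to 0 (root).
sudoers_rule() (
    locked_down "$3" "${4:-0}" || exit 1
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$(realpath -e -- "$3")"
)
```

Write the printed line to a file under `/etc/sudoers.d/` and validate it with `visudo -cf` before relying on it.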
-2

Although the post is from a long time ago, I would like to recommend this: run the command 'whoami' from the server-side scripting language executing the command lines (PHP), and then modify the sudoers file with the specific user, because in some cases it is www-data and in others it is daemon...

ALex