0

I am using a php script which takes a timestamp value from browser and tries to set the system clock. i m using mamp box in my mac mini. how do i set the mac mini system clock through php script.

I tried using shell_exec, exec, system for achieving this , but it doesn't work.

Example, my php script looks something like this,

<?

$timestamp = $_GET['timestamp'];

exec('date '.$timestamp);

?>

When i try the same date set command in terminal i see the clock changing. ( sudo date timestamp ), but i dont know how to achieve it through php script executing a privileged command. Kindly help.

Thanks, Srini.

srini
  • 89
  • 4
  • 16
  • Also I had used the php date/time set to set time, although i dont get error message, there is no difference in the system clock. kindly help – srini Oct 31 '11 at 20:19

2 Answers2

1

Changing the system time is usually restricted to root-level accounts. PHP will be running under the user id of the webserver, which SHOULD NOT BE root. You'll have to use sudo to let the webserver run with elevated privileges for this purpose.

However, why do you need to set timestamps like this? You're basically passing some random data passed in on a url to a shell command. What's to stop someone submitting

  http://example.com?timestamp=; rm -rf /

and nuking every file on your server that the webserver has access to?

If you're trying to sync times between servers, then use ntp, which is designed for clock synching.

Marc B
  • 356,200
  • 43
  • 426
  • 500
  • I am just testing a framework . This is just an example. But I generally wanted to know whats the idea behind executing privileged commands from http. – srini Oct 31 '11 at 20:35
0

First of all, do sanitize your input. In this case, sanitize $_GET['timestamp']. Make sure it is in the format date will understand. Make sure it is using escapeshellarg.

You can use exec('sudo date '.escapeshellarg($timestamp));. But make sure your Apache user has right to sudo without passwords. You can specify in /etc/sudoers to allow ONLY date command to be executed by root. It is safier.

Another option is to create your own shell script and allow to sudo only your script.

gustavotkg
  • 4,099
  • 1
  • 19
  • 29
  • How to do i allow the date command to be executed without password. can you explain me more on that – srini Oct 31 '11 at 20:50
  • can you explain how to achieve the solution using /etc/sudoers in detail. Thanks – srini Oct 31 '11 at 21:02
  • Suposing your apache runs with user www-data, you could use `www-data LOCAL = NOPASSWD: /usr/bin/date` you can read more at https://help.ubuntu.com/community/Sudoers OBS: I did not test the line in my sudoers – gustavotkg Nov 01 '11 at 00:06