apache shell scripting

J

jamiro

I'm trying to run some commands through a web interface made ​​with Apache. I used PHP with the command
Code: 
shell_exec (" ipfw show ")
but it is not succeful. Then I try to give privileges using sudo, so I installed sudo and configured the sudoers file by adding the line
Code: 
www ALL = (ALL) ALL
to give permissions to the Apache user. I change the command in the PHP file like this
Code: 
shell_exec (" / usr / local / bin / sudo ipfw show ")
and I get the following message on the console:
Code: 
sudo: www: pam_authenticate: conversation failure; TTY = unknown; PWD = /usr/local/www/apache22/data; USER = root; COMMAND = / sbin / ipfw show
I need help please.
 
jamiro said:
Code: 
www ALL = (ALL) ALL
Click to expand...

This gives user www permission to run all programs as superuser after typing a password (which your script doesn't).

You can use:

Code: 
www ALL = (ALL) NOPASSWD: /sbin/ipfw

to give www permission to run /sbin/ipfw without entering password.

But, don't forget, that allowing your HTTP daemon execute commands as superuser is highly dangerous.
 
Thanks for your reply, but it didn't work. This is the configuration of my sudo:

Code: 
Sudo version 1.8.1p2
Configure args: --sysconfdir=/usr/local/etc --with-ignore-dot --with-tty-tickets --with-env-editor --with-logincap --with-long-otp-prompt
 --with-pam --with-logfac=local2 --with-bsm-audit --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/
 --build=i386-portbld-freebsd8.2
Sudoers policy plugin version 1.8.1p2
Sudoers file grammar version 40

Sudoers path: /usr/local/etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Put OTP prompt on its own line
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG 
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        TZ
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs
File in which to store the input/output log
Add an entry to the utmp/utmpx file when allocating a pty

Local IP address and netmask pairs:
        192.168.0.2/255.255.255.0
        192.168.1.1/255.255.255.0

Sudoers I/O plugin version 1.8.1p2
I noted that using sudo in the php script does not run any command. Even the basics like "echo" keep telling me this error in concole:

Code: 
sudo: www: pam_authenticate: conversation failure; TTY = unknown; PWD = /usr/local/www/apache22/data; USER = root; COMMAND = / sbin / ipfw show
 
You do see that sudo complains about a command that appears to have s p a c e s, right?
 
I do not think it's a problem with the spaces, I tried the following script in php

Code: 
<head>
</head>
<body>

<?php

$comando="/usr/local/bin/sudo /sbin/ifconfig";         

$result=shell_exec("$comando");

echo "$result";
?>


</body>
</html>

and still got the same message in the console:

Code: 
sudo: www: pam_authenticate: conversation failure; TTY = unknown; PWD = /usr/local/www/apache22/data; USER = root; COMMAND = /sbin/ifconfig
 
I solved the problem by going to sudo's configuration

Code: 
cd /etc/ports/security/sudo
make config

Here I choose the option DISABLE AUTHENTICATION and finally it works, thanks for your answers.
 
Why won't I be surprised if this box gets rooted within a week?
 
You must log in or register to reply here.
Back
Top