
Run shell script with sudo from PHP

I currently have a PHP file on my Ubuntu box that I want to use to create users on the machine from a web interface (security blablabla, it's all on an internal network completely inaccessible to anyone who would accidentally/purposefully cause harm to the system). I initially tried using this:

    shell_exec("sudo mkdir -m 755 ".escapeshellarg($directory));

    shell_exec("sudo useradd -s /bin/false -d ".escapeshellarg($directory)." -p ".crypt($pass,$salt)." ".escapeshellarg($servername));

but obviously this exposes both mkdir and useradd to be passwordless sudo'd, so instead of doing this I decided to reduce complications by creating a shell script in /etc called 'newserver.sh'. Now in that I have this:

    #!/bin/bash
    #Var 1 = Directory, Var 2 = Username Var 3 = Password
    mkdir "$1"
    chmod 755 "$1"
    useradd -s /bin/false -d "$1" -p "$3" "$2"
    chown "$2" "$1"

which seemed to work a bit better, and works pretty fine when I run it from the terminal, but when the PHP executes it using

    shell_exec("sudo sh /etc/newserver.sh /home/testuser testuser testpass");

it doesn't seem to do anything (I've even tested with the same parameters as when I run it from the terminal).

FYI my sudoers file has this line in it:

    www-data ALL=(root) NOPASSWD: /etc/newserver.sh

First of all, the password must be encrypted, like this:

    /etc/newserver.sh /home/testuser testuser "$6$VP9.GI9D$nVjpXIlgoTCLYICNW9ijPqg07opPrjTU2ilYULaT4rut8S9CAmWggMXuOhJ27C5ltwCRfzSxEVgSlReA2i/rH1"

And I think you should use "-c" as argument.

    shell_exec("sudo sh -c \"/etc/newserver.sh /home/testuser testuser testpass\"");

Running as root can be done in two ways:

  • Using sudo (making www-data a sudoer is nothing like a good idea...)
  • Setting a setuid

Take a look at /bin/ping:

    -rwsr-xr-x 1 root root /bin/ping

It belongs to root, but the 's' replacing the 'x' (execute) means that this program is setuid: it'll always be executed with the owner's identity: root. ping is a program that needs to build ICMP packets, and only root can manipulate those until the end.

You can create a similar environment: place your commands in a shell script (let's say myscript.sh) and:

    chown root:root myscript.sh # Give it to root.
    chmod u+s myscript.sh # Use setuid on it.

Now, when you run it, even as a regular user (or www-data for the web server...), the processes will be created under root's identity.

Danger: Giving setuid (as root) to a script is very dangerous. You should be careful with permissions: don't allow anyone but the people you're interested in to run it. For instance, create a group called myscriptexec for people allowed to run this script:

    addgroup myscriptexec
    chgrp myscriptexec myscript.sh
    chmod g+x myscript.sh # Group can execute.
    chmod o= myscript.sh # No one executes except root and group members.

Then, add users to this group as you need.

If you need to check your script, I'd suggest you use a temporary log file, for debugging purposes:

    exec > /tmp/mylog.log 2>&1  # send both stdout and stderr to the same log file
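A hardened version of the newserver.sh idea from the question, added here as an example and not code from any of the posters: it validates every argument before anything privileged runs, keeps the sudoers line quoted in the question unchanged, and assumes the script is root-owned, not writable by www-data, and invoked exactly as that rule names it (`sudo /etc/newserver.sh DIR USER HASH`, not `sudo sh /etc/newserver.sh ...`, since the rule permits the script, not `sh`).

```shell
#!/bin/sh
# Hardened replacement for /etc/newserver.sh (added example, not the poster's script).
# Assumptions: root-owned, not writable by www-data, and invoked as
#   sudo /etc/newserver.sh DIR USER HASH
# where HASH is the crypt() output computed in PHP, never the cleartext password.
set -eu

# Conventional Linux user name: lowercase/underscore start, at most 32 chars.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Only /home/<name> with <name> shaped like a user name: rejects "..", nested
# paths, an empty name and anything outside /home.
valid_homedir() {
    case "$1" in
        /home/*) valid_username "${1#/home/}" ;;
        *) return 1 ;;
    esac
}

# Only a crypt(3)-style "$id$salt$hash"; a cleartext password or an
# option-looking string is refused before useradd ever sees it.
valid_hash() {
    printf '%s\n' "$1" | grep -Eq '^\$[0-9a-z]+\$[./0-9A-Za-z]+\$[./0-9A-Za-z]+$'
}

# Validate all three arguments, then do exactly what the original script did.
create_server_user() {
    dir=$1; user=$2; hash=$3
    valid_homedir "$dir"   || { echo "refused: bad directory" >&2; return 2; }
    valid_username "$user" || { echo "refused: bad user name" >&2; return 2; }
    valid_hash "$hash"     || { echo "refused: expected a crypt() hash" >&2; return 2; }
    if [ -e "$dir" ]; then echo "refused: $dir already exists" >&2; return 3; fi
    mkdir -m 755 "$dir"
    useradd -s /bin/false -d "$dir" -p "$hash" "$user"
    chown "$user" "$dir"
}

# Only act when all three arguments are given (sourcing the file defines the functions only).
if [ $# -eq 3 ]; then
    create_server_user "$@"
fi
```

From PHP, the matching call is `shell_exec('sudo /etc/newserver.sh ' . escapeshellarg($directory) . ' ' . escapeshellarg($servername) . ' ' . escapeshellarg(crypt($pass, $salt)))`, so the script never receives the cleartext password and each argument arrives as one word.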
