
PHP exec() SELinux commands

My goal is to receive the "semanage login -l" command's message in an array and display the results in the browser. I have created a line inside a class Ausearch, which has a function processSudoInput() with the contents:

    public function processSudoInput()
    {
        exec("echo password | /usr/bin/sudo -S semanage login -l ", $output);
        return $output;
    }

The problem is that when I print the $output in the terminal, I get nice results (an array with strings). The class Ausearch is called inside a separate .php file, CommandHandler.php, which contains:

use Commands\Ausearch;

include 'Commands/Ausearch.php';

function displayLogData()
{
    $ausearch = new Ausearch();
    $result = $ausearch->processSudoInput();
    var_dump($result);
}
displayLogData();

When I execute this PHP code inside PHPStorm I get the results:

 [0]=>
  string(0) ""
  [1]=>
  string(70) "Login Name           SELinux User         MLS/MCS Range        Service"
  [2]=>
  string(0) ""

and so on. But when I call this function inside the browser (inside the HTML file), it returns

array(0) { }

inside the browser. So far I have tried executing visudo and adding

%www-data ALL=NOPASSWD:ALL

I even tried chown -R apache:apache /var/www and chown -R 777 /var/www, with no luck. I even set SELinux to permissive. I am currently using CentOS8, and the target is to get an array with data as above inside the browser at all costs, no matter the security.

On the CentOS8 distro and other distros which use the httpd process, there is no such system subject (user) as www-data or httpd. When executing sudo commands in "PHPStorm" there is user A, and he has all the needed permissions to execute those commands. When it comes to executing sudo commands and displaying them on the web, however, user B is responsible for it, and that user B is Apache. Therefore, if that command needs to be run, it is highly advisable to create a shell script which executes that specific sudo command, i.e. encapsulating that command. Inside visudo there has to be a line:

%apache ALL=NOPASSWD: /path/to/shell/file.sh

In many internet examples, there is no mention of the %apache component (as far as I was searching). A shell file is advisable so as to avoid using

%apache ALL=NOPASSWD: ALL

which is a huge security flaw (the above solution is not a good solution either, aka not great, not terrible).

After adding the line above in visudo, it is possible to run this line in PHP:

exec('sudo /path/to/shell/file.sh', $output);

or

shell_exec('sudo /path/to/shell/file.sh');

depending on your goals.

It is important to mention that sudo is required in those functions to execute those scripts.
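
An added example, not part of the original answer: one way to make the exec() call above report why it fails under the web server's account instead of returning array(0). The function name runSudoWrapper is hypothetical, and the wrapper path is the answer's placeholder.

```php
<?php
declare(strict_types=1);

// Path from the answer's sudoers line; it must match that entry exactly.
// Assumption: file.sh is root-owned, not writable by apache, takes no
// arguments and runs only the fixed command (semanage login -l).
const WRAPPER = '/path/to/shell/file.sh';

/**
 * Run the sudo-allowed wrapper and return its output lines.
 * Hypothetical helper: throws with sudo's own message instead of
 * silently returning an empty array.
 */
function runSudoWrapper(string $wrapper = WRAPPER): array
{
    // -n: never prompt; exit non-zero at once if no NOPASSWD rule applies
    //     to the account the web server runs as.
    // 2>&1: exec() collects stdout only, so without this sudo's error
    //     text is lost and $output is just empty.
    $cmd = '/usr/bin/sudo -n ' . escapeshellarg($wrapper) . ' 2>&1';

    $output = [];
    $status = 0;
    exec($cmd, $output, $status);

    if ($status !== 0) {
        throw new RuntimeException(
            sprintf('wrapper exited with %d: %s', $status, implode(' | ', $output))
        );
    }
    return $output;
}

try {
    $lines = runSudoWrapper();
    // Escape before printing: command output is untrusted in HTML context.
    echo '<pre>' . htmlspecialchars(implode("\n", $lines), ENT_QUOTES, 'UTF-8') . '</pre>';
} catch (RuntimeException $e) {
    // Keep the detail in the server log; show the browser nothing specific.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Command failed.';
}
```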
