My goal is to receive the "semanage login -l" command's message in an array and display the results in the browser. I have created a line inside a class Ausearch, where it has a function processSudoInput() with contents:
public function processSudoInput()
{
    exec("echo password | /usr/bin/sudo -S semanage login -l ", $output);
    return $output;
}
The problem is that when I print the $output in the terminal, I get nice results (an array with strings). Class Ausearch is called inside a separate .php file, CommandHandler.php, which contains:
use Commands\Ausearch;
include 'Commands/Ausearch.php';
function displayLogData()
{
    $ausearch = new Ausearch();
    $result = $ausearch->processSudoInput();
    var_dump($result);
}
displayLogData();
When I execute this PHP code inside PHPStorm I get these results:
[0]=>
string(0) ""
[1]=>
string(70) "Login Name SELinux User MLS/MCS Range Service"
[2]=>
string(0) ""
and it continues so on. But when I call this function inside the browser (inside the HTML file), it returns
array(0) { }
inside the browser. So far I have tried executing visudo and adding
%www-data ALL=NOPASSWD:ALL
I even tried chown -R apache:apache /var/www and chown -R 777 /var/www, with no luck. I even set SELinux to permissive. I am currently using CentOS8, and the target is to get an array with data as above inside the browser at all costs, no matter the security.
On the CentOS8 distro and other distros which use the httpd process, there is no such system subject (user) as www-data or httpd. When executing sudo commands in PHPStorm, there is user A, who has all the needed permissions to execute those commands; but when it comes to executing sudo commands and displaying them on the web, user B is responsible for it, and that user B is Apache. Therefore, if it is necessary to run that command, it is highly advisable to create a shell script which executes that specific sudo command, i.e. encapsulates that command. Inside visudo there has to be a line:
%apache ALL=NOPASSWD: /path/to/shell/file.sh
In many internet examples there is no mention of the %apache component (as far as I searched). A shell file is advisable so as to avoid using %apache ALL=NOPASSWD: ALL, which is a huge security flaw (the above solution is not a good solution either, aka not great, not terrible).
After adding the line above in visudo, it is possible to run this line in PHP:
exec('sudo /path/to/shell/file.sh', $output)
or
shell_exec('sudo /path/to/shell/file.sh')
depending on your goals. It is important to mention that sudo is a requirement in those functions to execute those scripts.
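An added example (not code from the question or the answer) of calling the wrapper script from PHP so that a failure is visible: exec() collects only stdout, so when sudo refuses the command its message goes to stderr and the array comes back empty. The function name runSudoWrapper is hypothetical, /path/to/shell/file.sh is the answer's placeholder path, and sudo's -n flag makes it fail instead of prompting for a password.

```php
<?php
// Added example. Assumes the answer's sudoers line for the placeholder
// /path/to/shell/file.sh is installed for the group Apache runs as.

// Run the sudo-permitted wrapper and return stdout lines, stderr and exit code.
function runSudoWrapper(string $script): array
{
    // -n: never prompt for a password; fail at once if sudoers does not allow it.
    $cmd = '/usr/bin/sudo -n ' . escapeshellarg($script);

    // stderr goes to a temp file, so a full pipe can never block the child.
    $errFile = tmpfile();
    if ($errFile === false) {
        throw new RuntimeException('could not create temp file for stderr');
    }
    $spec = [
        0 => ['file', '/dev/null', 'r'], // nothing is fed to sudo on stdin
        1 => ['pipe', 'w'],              // stdout, read below
        2 => $errFile,                   // stderr
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if ($proc === false) {
        throw new RuntimeException('could not start: ' . $cmd);
    }

    $stdout = (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc); // exit status of sudo, i.e. of the wrapper

    rewind($errFile);
    $stderr = trim((string) stream_get_contents($errFile));
    fclose($errFile);

    $lines = $stdout === '' ? [] : explode("\n", rtrim($stdout, "\n"));
    return ['exit' => $exit, 'lines' => $lines, 'stderr' => $stderr];
}

$result = runSudoWrapper('/path/to/shell/file.sh');
if ($result['exit'] !== 0) {
    // Keep the reason in the server log; the browser only learns that it failed.
    error_log("sudo wrapper failed ({$result['exit']}): {$result['stderr']}");
    http_response_code(500);
    exit('command failed');
}
foreach ($result['lines'] as $line) {
    echo htmlspecialchars($line), "<br>\n"; // escape command output before display
}
```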