Ways to have PHP execute system commands with root privileges

Source: Internet
Author: User
This is a reference for having PHP execute commands or applications that require root privileges and that ordinary users cannot run.
In fact, the popen() function in PHP can solve this problem, but on some Linux versions (such as the CentOS 5 that I use), system security considerations
make solving it a lot of trouble. Let's first look at a netizen's example that uses the popen() function.
The code is as follows:
/* How to add a system user in PHP
   Here's a routine that adds a user named James,
   The root password is Louis. For reference only
*/
$sucommand = "su root --command";
$useradd = "/scripts/demo/runscripts.php";
$rootpasswd = "Louis";
$user = "James";
// build the command line: "su root --command <script>"
$user_add = sprintf("%s %s", $sucommand, $useradd);
// open the command for writing and send the root password to its standard input
$fp = @popen($user_add, "w");
@fputs($fp, $rootpasswd);
@pclose($fp);

After testing, this code did not (at least on my system) produce the result its author wanted. After a long time on Google,
the key to the problem turned out to be that the password required by the su root command must be entered through a terminal and not in any other way (I don't know if there is any other way).
And because the project requirements do not allow an application such as sudo, I had no other option and chose the method a netizen proposed: writing a C program to solve the problem.
First write a C program named run.c and place it in the directory /scripts/demo/
The code is as follows:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    uid_t uid, euid;
    char cmd[1024]; // variable not used for now
    uid = getuid();
    euid = geteuid();
    printf("My uid:%u\n", getuid()); // shows the current UID; this line can be commented out
    printf("My euid:%u\n", geteuid()); // shows the current EUID
    if (setreuid(euid, uid)) // exchange these two IDs
        perror("setreuid");
    printf("After Setreuid uid:%u\n", getuid());
    printf("Afer sertreuid euid:%u\n", geteuid());
    system("/scripts/demo/runscripts.php"); // execute the script
    return 0;
}

Compile the file:
gcc -o run -Wall run.c
This generates the executable file run in this path. If you call run from a PHP script now, it will not work, even with setreuid.
The next thing to do is give run the SUID permission:
# chmod u+s run
# ls -l
-rwsr-xr-x 1 root root 5382 June 2 21:45 run
Well, it's already set up; next, write a PHP page to call it.
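The code is as follows:
<?php
echo '<pre>';
// system() prints the program's output and returns its last line
$last_line = system('/scripts/demo/run', $retval);
echo '
</pre>
<hr />Last line of the output: ' . $last_line . '
<hr />Return value: ' . $retval;
?>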

View the page in a browser:
My uid:48
My euid:0
After Setreuid uid:0
Afer sertreuid euid:48

--------------------------------------------------------------------------------
Last line of the output: Afer sertreuid euid:48
--------------------------------------------------------------------------------
Return value:0
The command was executed successfully.
As you can see from the output, the UID of apache (daemon) is 48 (in fact, on many Linux systems the UID of daemon is 2).
After the call to setreuid, the effective user ID and the real user ID are exchanged (the chmod u+s must be in effect), so that Apache's current UID is 0 and the root command can be executed.
You only need to change the command that system() executes in the C file to have PHP run your command as root.

Before taking up C, I worked with PHP for a while. During that time I wanted to use PHP to run root commands and got nowhere, until one day I found the plug-in super.
After spending more time with C, I found that the C language can be used to wrap an external command and run it. The experiment was successful.
No external tool is needed to run root commands from PHP.
I am publishing the method below; friends who need to run root commands from PHP no longer have to worry.
Platform: Linux. Test command: iptables. The current directory is /var/www/html/http
Write the program as the root user.
As we all know, iptables cannot be run by a non-root user.
First, write a C program.
Name it ipt.c
The code is as follows:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    uid_t uid, euid;
    uid = getuid();
    euid = geteuid();
    printf("My uid:%u\n", getuid()); // shows the current UID; this line can be commented out
    printf("My euid:%u\n", geteuid()); // shows the current EUID
    if (setreuid(euid, uid)) // exchange these two IDs
        perror("setreuid");
    printf("After Setreuid uid:%u\n", getuid());
    printf("Afer sertreuid euid:%u\n", geteuid());
    system("/sbin/iptables -L"); // execute the iptables -L command
    return 0;
}


Compile the file: gcc -o ipt -Wall ipt.c
This generates the executable file ipt in this path.
If you call ipt from a PHP web page now, it will not work, even with setreuid.
The next thing to do is chmod u+s ./ipt
Run ls -l to check:
-rwsr-xr-x 1 root root 5382 June 2 21:45 ipt
The s bit has been set.
Then write a PHP page to call it.
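The code is as follows:
<?php
echo '<pre>';
// system() prints the program's output and returns its last line
$last_line = system('/var/www/html/http/ipt', $retval);
echo '
</pre>
<hr />Last line of the output: ' . $last_line . '
<hr />Return value: ' . $retval;
?>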

View the page in a browser:

Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
My uid:48
My euid:0
After Setreuid uid:0
Afer sertreuid euid:48

--------------------------------------------------------------------------------
Last line of the output: Afer sertreuid euid:48
--------------------------------------------------------------------------------
Return value:0

The command executed successfully.
As we all know, Apache's UID is 48. After the call to setreuid, the effective user ID and the real user ID are exchanged (the chmod u+s must be in effect), so that Apache's current UID is 0 and the root command can be executed.

You only need to change the command that system() executes in the C file to have PHP execute your own root command.
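
A hardened variant of the two wrappers above, as an added example that is not the original author's code. The wrappers shown run their command through system(), which starts /bin/sh with the caller's environment, and the mode -rwsr-xr-x lets every local account execute them. This version goes beyond the page's single hard-coded command: PHP passes only an action name from a fixed allow-list, the real UID must be the web server's, and the command runs through execve() with a fixed environment. WEB_UID 48 comes from the page's output; the action names and function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define WEB_UID 48 /* assumption: Apache's UID, taken from the page's output */

struct action { const char *name; char *const argv[4]; };

/* Allow-list: the caller chooses an action name, never a command string. */
static const struct action ACTIONS[] = {
    { "list",         { "/sbin/iptables", "-L", NULL } },
    { "list-numeric", { "/sbin/iptables", "-L", "-n", NULL } },
};

/* Fixed environment: nothing is inherited from the calling process. */
static char *const CLEAN_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Return the fixed argv for an allowed action name, or NULL if not listed. */
char *const *lookup_action(const char *name) {
    if (name == NULL) return NULL;
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return ACTIONS[i].argv;
    return NULL;
}

/* 0 = ok, -1 = binary is not setuid root, -2 = caller is not the web server. */
int check_ids(uid_t ruid, uid_t euid) {
    if (euid != 0) return -1;
    if (ruid != WEB_UID) return -2;
    return 0;
}

int main(int argc, char **argv) {
    char *const *cmd = lookup_action(argc == 2 ? argv[1] : NULL);
    if (cmd == NULL) { fprintf(stderr, "usage: wrapper list|list-numeric\n"); return 2; }
    if (check_ids(getuid(), geteuid()) != 0) { fprintf(stderr, "not permitted\n"); return 1; }
    /* Take root for real and verify it, rather than continuing after a failed call. */
    if (setuid(0) != 0 || getuid() != 0) { perror("setuid"); return 1; }
    execve(cmd[0], cmd, CLEAN_ENV); /* no shell, no inherited environment */
    perror("execve");               /* reached only if execve() failed */
    return 1;
}
```

Install the binary outside the web root, owned by root with the web server's group and mode 4750, so that only that account can execute it.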
