How to get PHP to execute system commands with root privileges

Source: Internet
Author: User
Used as a reference for troubleshooting how to make PHP execute, with root privileges, commands or applications that ordinary users cannot run.
In fact, PHP's popen() function can solve this problem, but because some versions of Linux (for example, the CentOS 5 I use) restrict this for system security reasons, solving the problem takes a lot of trouble. Let's start with an example from a netizen that uses the popen() function.
The code is as follows:
<?php
/* How to add a system user in PHP
   Here is a routine that adds a user named James,
   The root password is Louis. For reference only
*/
$sucommand = "su root --command";
$useradd = "/scripts/demo/runscripts.php";
$ROOTPASSWD = "Louis";
$user = "James";
// Build the command line: su root --command <script>
$user_add = sprintf("%s %s", $sucommand, $useradd);
// Open su for writing and try to feed it the root password on stdin
$fp = @popen($user_add, "w");
@fputs($fp, $ROOTPASSWD);
@pclose($fp);
?>

My own tests showed that this code does not produce the result its author wanted (at least on my system). After a long time searching on Google, I found that the key to the problem is that the password required by su root must be entered from a terminal and cannot be supplied in any other way (I don't know whether there is another way).
Because the project requirements ruled out applications such as sudo, I had no choice but to use the method a netizen proposed: writing a C program to solve the problem.
First write a C program named run.c and place it in the directory /scripts/demo/.
The code is as follows:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
    uid_t uid, euid;
    char cmd[1024]; // variable is not used for now
    uid = getuid();
    euid = geteuid();
    printf("My uid:%u\n", getuid()); // shows the current uid; can be commented out
    printf("My euid:%u\n", geteuid()); // shows the current euid
    if (setreuid(euid, uid)) // exchange these two IDs
        perror("setreuid");
    printf("After Setreuid uid:%u\n", getuid());
    printf("Afer sertreuid euid:%u\n", geteuid());
    system("/scripts/demo/runscripts.php"); // execute the script
    return 0;
}

Compile the file:
gcc -o run -Wall run.c
This generates the executable file run in this directory. If run is called from a PHP script now, it will not work even though it calls setreuid.
The next thing to do is to give run the suid permission:
# chmod u+s run
# ls -l
-rwsr-xr-x 1 root root 5382 Jul 2 21:45 run
OK, it is set up. Now write a PHP page that calls it.
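The code is as follows:
<?php
echo '<pre>';
// Run the setuid wrapper; system() prints its output and returns the last line
$last_line = system('/scripts/demo/run', $retval);
echo '
</pre>
<hr />Last line of the output: ' . $last_line . '
<hr />Return value: ' . $retval;
?>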

Open the page in a browser:
My uid:48
My euid:0
After Setreuid uid:0
Afer sertreuid euid:48

--------------------------------------------------------------------------------
Last line of the output: Afer sertreuid euid:48
--------------------------------------------------------------------------------
Return value: 0
The command executed successfully.
As you can see from the results, Apache (the daemon) has a UID of 48 (in fact, on many Linux systems the daemon UID is 2).
After setreuid is called, the effective user ID is swapped with the real user ID (the file must have chmod u+s applied). The current UID of Apache is now 0, so the root command can be executed.
Just change the command that system() executes in the C file, and you can run your own commands as root from PHP.

Before I took up C, I worked with PHP for a while and needed PHP to run commands as root, without success, until one day I found a tool called super.
As I spent more time with C, I found that a C program can be used to wrap an external command. I experimented a bit, and it worked.
You do not need any external tools to run root commands from PHP.
I am publishing the method below so that anyone who needs PHP to run root commands no longer has to worry.
Platform: Linux. Test command: iptables. The current directory is /var/www/html/http.
Work as the root user when writing the program.
As everyone knows, non-root users cannot run iptables.
First, write a C program.
Name it ipt.c.
The code is as follows:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
    uid_t uid, euid;
    uid = getuid();
    euid = geteuid();
    printf("My uid:%u\n", getuid()); // shows the current uid; can be commented out
    printf("My euid:%u\n", geteuid()); // shows the current euid
    if (setreuid(euid, uid)) // exchange these two IDs
        perror("setreuid");
    printf("After Setreuid uid:%u\n", getuid());
    printf("Afer sertreuid euid:%u\n", geteuid());
    system("/sbin/iptables -L"); // execute the iptables -L command
    return 0;
}


Compile the file:
gcc -o ipt -Wall ipt.c
This generates the ipt executable file in this directory.
If ipt is invoked from a PHP page now, it will not work even though it calls setreuid.
The next thing to do is:
chmod u+s ./ipt
Run ls -l to check:
-rwsr-xr-x 1 root root 5382 Jul 2 21:45 ipt
The s bit is now set.
Then write a PHP page to invoke it.
The code is as follows:
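<?php
echo '<pre>';
// Run the setuid wrapper; system() prints its output and returns the last line
$last_line = system('/var/www/html/http/ipt', $retval);
echo '
</pre>
<hr />Last line of the output: ' . $last_line . '
<hr />Return value: ' . $retval;
?>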

Open the page in a browser:

Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
My uid:48
My euid:0
After Setreuid uid:0
Afer sertreuid euid:48

--------------------------------------------------------------------------------
Last line of the output: Afer sertreuid euid:48
--------------------------------------------------------------------------------
Return value: 0

The command executed successfully.
It is well known that Apache has a UID of 48. After setreuid is called, the effective user ID is swapped with the real user ID (the file must have chmod u+s applied). The current UID of Apache is now 0, so the root command can be executed.

All you need to do is change the command that system() executes in the C file to run your own root command from PHP.
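
A setuid-root program that calls system() starts /bin/sh as root with whatever environment its caller supplied, and any local user can run the binary, not only Apache. The following is an added example, not code from the original article: a variant of the wrapper that takes one keyword argument, maps it to a fixed argv, checks the real UID, and calls execve() with a constructed environment and no shell. The action names and the WEB_UID constant are assumptions; /sbin/iptables and UID 48 are taken from the text above.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define WEB_UID 48 /* Apache's UID on the article's system (assumption elsewhere) */

/* Each keyword maps to a fixed argv; the caller never supplies a path,
 * an option or shell text. The keywords themselves are hypothetical. */
struct action { const char *name; char *const argv[4]; };
static const struct action actions[] = {
    { "list",         { "/sbin/iptables", "-L", NULL } },
    { "list-numeric", { "/sbin/iptables", "-L", "-n", NULL } },
};

/* Return the fixed argv for an allow-listed keyword, or NULL. */
char *const *lookup_action(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
        if (strcmp(name, actions[i].name) == 0)
            return actions[i].argv;
    return NULL;
}

/* Only root and the web server account may use the wrapper. */
int caller_allowed(uid_t real_uid)
{
    return real_uid == 0 || real_uid == WEB_UID;
}

int main(int argc, char *argv[])
{
    /* Constructed minimal environment: nothing is inherited from the caller. */
    char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    char *const *cmd = (argc == 2) ? lookup_action(argv[1]) : NULL;

    if (!caller_allowed(getuid()) || cmd == NULL) {
        fprintf(stderr, "refused\n");
        return 1;
    }
    /* The setuid bit gives effective UID 0; setuid(0) makes the real UID 0
     * as well, then execve() runs the fixed binary directly, without a shell. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve(cmd[0], cmd, clean_env);
    perror("execve");
    return 1;
}
```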
