PHP executes shell script with root privileges in Linux

This evening: 19:30 points, this troubled me for a long time to finally solve the problem, the principle is finally clear, in short, the use of sudo to give Apache user root executive authority, the following record:

Using PHP to execute a shell script with root privileges must be done in the following steps: (all the steps are my own experiments, if there are improper to point out, thank you!) ）

1. Determine who your Apache execution user is. Note: Not necessarily is nobody, I install the httpd, my Apache user is daemon

2. Use Visudo for your Apache execution user to give root execute permissions, and of course there is no password set. Note: For the sake of security, it is best to create a new user, so that he can execute as Apache (Modify the httpd.conf file, as I will point out later)

3. This step is simple, write your script, using PHP exec,system ... function to execute.

The next step is the detailed implementation process:

1. Check out who your Apache execution user is: Lsof-i:80 after running the results are:

From the diagram we can see Clearly, httpd (that is, Apache) to execute the User: Exec_shell (Note: This is my machine after the user, just to explain, you certainly not this! )

Determine who the Apache performer is on your Linux, and for the sake of security, create a new user to modify the Apache execution user to our new user.

2. New Apache Execution user

Useradd Your_exec_user We know that creating a user will default to creating a user group with the same user name, which means now we also have a Your_exec_user user group

Let's modify the Apache configuration file so that its execution user changes to the user we just created Your_exec_user:

Vi/home/houqingdong/httpd-exe/config/httpd.conf (This is the directory where your Apache resides)

Find the place below and modify the new user for you: Your_exec_user

Restart Apache:/home/houqingdong/httpd-exe/bin/apachect1 restart-------------> after reboot you can use: lsof-i:80 to check out 。

3. Execute Visudo (or vi/etc/sudoers), give root permission to Your_exec_user, and do not need a password, there is a step of important modification (this is where I'm haunted)

Visudo find this place, add Your_exec_user, and set no password

I did this before, and I went through the PHP script, and the results were unsuccessful, and it was frustrating that I switched to the Your_exec_user user directly to execute it successfully.

Later, I looked at Apache log files and found that:

It is obvious here that when Sudo is executed it is necessary to have a TTY run sudo, to know where the problem is to be solved: vi/etc/sudoers the following sentence:

This is because by default, executing sudo requires a terminal, which is commented out here. Next, write your shell script and PHP commands.

4. Here is a simple script that I wrote, using the $directory and $name from the PHP side to create a $name directory under that directory

#!/bin/bash
#Program # This program would     execute MKDIR:CD $directory mkdir $name
path=/bin:/sbin:/ Usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
Export PATH
CD $
[! d $]; then
    mkdir $2< C8/>else
    echo "already exist ..."
    exit 1
fi

The simple feature is that you go to $directory to determine if the directory name you want to create exists, and then create the directory.

Constructed PHP execution function: (partial)

if ($type = = "dir") {
          $make _dir_command= "/usr/bin/sudo/home/houqingdong/myshell/mkdir.sh/$directory/$name";
          echo $make _dir_command;
          EXEC ($make _dir_command, $output, $return);

              if ($return = = 0) {
                  echo <script>alert (' Build directory seccuss! '); location.href= ' right.php?id= ' $directory "';</script>";
              } else{
                  echo "<script>alert (' Build directory err! '); History.go ( -1);</script> ";
              }

Here's a passing phrase: it 's best to use absolute paths in a constructed command .

5. Implementation results at the end of the page:

After submission, a prompt to execute the results will not pop up for a few seconds:

Executed successfully in our/home/directory:

Ha ha... Done! (Thanks for saving Brother's help to guide!) )