How to call shell script from php that requires SUDO?

Asked 2/7, 2010 at 13:35 Answered 6/2, 2019 at 10:6

I have a file that is a bash script that requires SUDO to work.

I can run it from the command line using SUDO but I will be prompted to put in the SUDO password.

I want to run this script from php via shell_exec but I if I call SUDO, its not like a command line where I can be prompted for the password. Is there a way to pass the password for sudo with the sudo call?

How can I do this?

Lingenfelter answered 2/7, 2010 at 13:35 Comment(7)

By the way I am running this on my own ubunto 10.04 machine with apache2 and php5 – Lingenfelter 2/7, 2010 at 13:36

You should consider changing the permissions of the script. You could for example change the group to the apache user (www-data), and give the group execute permissions: chgrp www-data script.sh && chmod g+x script.sh. – Laudation 2/7, 2010 at 13:38

@danilo its not the file itself that requires the SUDO its what the files calls, which is svn commit but first I cd /var/www to call svn commit from the working copy. Is there a way I can add permissions to do that for apache user www-admin? – Lingenfelter 2/7, 2010 at 13:43

@John Isaacks: Ah. Take a look at the setuid bit: en.wikipedia.org/wiki/Setuid – Laudation 2/7, 2010 at 13:46

Why does svn commit need root? – Apollonius 2/7, 2010 at 14:0

@Stephen, I am new to all this so I don't know but it tells me permission denied unless I sudo it. – Lingenfelter 2/7, 2010 at 14:31

@John Isaacks : That is (almost) definitely a problem with your svn configuration. You don't want to start handing out root access to scripts to work around it, you'll end up with a mighty insecure system. Spend some time in the svn documentation to give yourself, and possibly "www-admin" access to sections of the svn repository. (I'd tell you myself, but it's been years since I've messed with svn) – Apollonius 2/7, 2010 at 14:48

Edit the sudoers file (with visudo) and add a rule that allows the web server user to run the command without a password. For example:

www-data ALL=NOPASSWD: /path/to/script

Aho answered 2/7, 2010 at 13:41 Comment(1)

@ClaudioFerraro As long as the web server runs as the www-data user, it will work for any web server. – Aluminiferous 11/6, 2019 at 16:25

There are various solutions for this problem.

First of all, consider changing the script permissions, if reason why you want sudo is simply a permission issue (see the comment I added to the question above).
~~Another approach would be using the setuid bit.~~ [Edit: Looks like setuid does not work well with scripts. For explananations, see this link.]
A third, but very insecure method is to read the password from a password file. Warning: This is very insecure, if there's any other possibility, don't do it. And if you do it, try hiding the password file somewhere in your folder hierarchy.
```
<?php
shell_exec('sudo -u root -S bash script.sh < /home/[user]/passwordfile');
?>
```
And a fourth possibility is to use the NOPASSWD tag in the sudoers file. You should limit this power to the specific commands you need.

Laudation answered 2/7, 2010 at 13:45 Comment(3)

Changing the script permission won't run it as root, and setuid doesn't work on scripts – Aho 2/7, 2010 at 18:6

No, it won't run it as root, but it would solve the issue if the reason for the sudo usage is simply the script not being executable. And about the setuid thing, looks like you're right. In that case, excuse my misinformation. I found an useful link about this topic: faqs.org/faqs/unix-faq/faq/part4/section-7.html – Laudation 2/7, 2010 at 22:6

omg. NEVER SAVE A PASSWORD THAT HAS ROOT ACCESS! This has never been good form. @Brian's answer is much better: no passwords used. – Vespasian 22/12, 2016 at 9:30

You can add something like this to your sudoers file:

username ALL=NOPASSWD: /path/to/script

This will allow that particular user to call sudo on that particular script without being prompted for a password.

Anserine answered 2/7, 2010 at 13:42 Comment(2)

This makes sense but one part confuses me... Where exactly do I put the line username ALL=NOPASSWD: /path/to/script What is my sudoers file? – Lingenfelter 2/7, 2010 at 13:46

In /etc/sudoers, though you usually use the visudo command to edit that file. – Anserine 2/7, 2010 at 13:58

The best secure method is to use the crontab. ie Save all your commands in a database say, mysql table and create a cronjob to read these mysql entreis and execute via shell_exec(). Please read this link for more detailed information.

  * * * * * killProcess.php

Dambrosio answered 6/2, 2019 at 10:6 Comment(0)

Recommended topics

Hot tags