I have a PHP script which is called by HTTP and not as command line script. This script should call a shell command as an other user than the current webserver user www-data.
Example:
<?php
echo shell_exec('sudo -u myusername -S /usr/bin/whoami'); // returns nothing :(
echo shell_exec('whoami'); // returns www-data
When calling this 2 commands sudo -u myusername -S /usr/bin/whoami
and whoami
directly on the commandline they return
myusername
www-data
Also no result on this:
<?php
echo shell_exec('echo "mypass" | sudo -u myusername -S /usr/bin/whoami');
For me it seems that sudo does not work at all together with PHPs shell_exec().
Firstly, I don't understand the sudo command you're running.
sudo -u username
is supposed to allow you, as user one, to sudo a command as user two, by saying (as user one, in this example, to run the command ls):I apologise if you've tried to sanitise your commands above by substituting
username
for the real username, but I can't be sure you have done, so I need to raise this point first.Secondly, sudo has to be configured to let a user perform a range of commands as another user. Let's start by allowing www-data to sudo the ls command as user fribble; you could test this by putting
in your sudoers file (substituting a real user as fribble). Then try doing, say,
ls -la /tmp
from inside your PHP script and see if you get a directory listing.I agree with James Lawrie that it's not a good idea to allow the www-data user to sudo arbitrary commands, as arbitrary users, passwordlessly, but if you clarify what commands you're trying to get www-data to run, this may be a sensible way to do it.
Edit:
you have tried with ls in the sudoers file and
sudo -u user2 ls -al /tmp
in the PHP script, and you get a directory listing, which strongly suggests that sudo works fine with PHP.To be sure, could you allow
/bin/touch
in the sudoers file, putsudo -u user2 touch /tmp/TESTFILE
in the PHP script, then execute that? If a file/tmp/TESTFILE
appears, owned by user2, we can be sure that sudo and PHP work fine togther.I must confess that if I had known that you were trying to sudo java, I would never have answered the original question, because I think java is a giant unpredictable sack of crap, which behaves like a complete baby if it doesn't get the environment it requires (and sudo fairly rigorously sanitises the environment). But at least the test above should help you be sure that, whatever the problem here is, it's not an issue with PHP and sudo not playing nicely together.
Don't allow the webserver user sudo access, you're just asking for trouble. Look into the setuid bit instead:
chmod u+s some_file_that_needs_executing_as_another_user.pl
Whenever that file is executed, it will be effectively executed by the user who created it.
On a side note, I'm pretty sure you can't pipe a password into sudo or passwd.
If you want to give special permissions to the web server process running as www-data user, you can do one of the following:
1- Add the www-data to sudoers file, so that it can execute the required command/script without asking for a password.
2- Enable the suexec apache module. This enables you to change the user from www-data to some other privileged user per virutal host. So, you don't need to change the user for the whole server.