This forum is in archive mode. You will not be able to post new content.
Pages: [1]

Author Topic: Running shell scripts with PHP - How to change user from www-data  (Read 1162 times)

0 Members and 1 Guest are viewing this topic.

Offline m0l0ko

  • Peasant
  • *
  • Posts: 129
  • Cookies: -4
    • View Profile
Running shell scripts with PHP - How to change user from www-data
« on: September 11, 2013, 10:17:43 PM »
So I'm writing a PHP script which browses directories and makes lists of the files it finds there. The directories I want to browse aren't inside /var/www/ so to bypass the fact that PHP is confined to the www folder, I get PHP to run:
Code: [Select]
exec('ls -l -A /whatever/dir')This works with most folders, but wont work with the /home/ folder or other folders like truecrypt drives because the user www-data doesn't have permission to read these directors. How can I bypass this?  First thing that comes to mind is to get the script to run "su root" but theres no way to supply the password to the command, you can only enter the password when the prompt comes up.  Is there a way to get the script to wait for the prompt, then enter the password?
Report to moderator   Logged

Offline m0l0ko

  • Peasant
  • *
  • Posts: 129
  • Cookies: -4
    • View Profile
Re: Running shell scripts with PHP - How to change user from www-data
« Reply #1 on: September 14, 2013, 08:59:40 PM »
I figured out how to do this. Theres a PHP function called proc_open which lets you run a process and pipe data to and from it. Heres what I did:

Code: [Select]
$descriptors = array(

        0 => array("pipe", "r"),
        1 => array("pipe", "w"),
        2 => array("pipe", "w"),
        3 => array("pipe", "r")
    );

$cwd = './'
$process = proc_open('/bin/sh', $descriptors, $pipes, $cwd) ;

if (is_resource($process)) {

  fwrite($pipes[0], 'sudo command') ;
  fclose($pipes[0]) ;
 
  fwrite($pipes[2], 'ENTER SUDO PASSWORD HERE') ;
  fclose($pipes[2]) ;

  // print pipe output
  //echo stream_get_contents($pipes[1]) ;

  // close pipe
  fclose($pipes[1]) ;

  proc_close($process) ;
}

I realized I didn't need to change user, but you could just as easily pipe in "su -l user -p" to $pipe[0]. I'm not entirely sure how the script works, I piped the password into $pipe[2] but I don't know if I could have used $pipe[0] instead or what.


Also another possible way to run sudo commands with PHP would be to get PHP to run an expect script, but it seems to be a pain in the ass, I couldn't get it to work myself.
« Last Edit: September 14, 2013, 09:01:59 PM by m0l0ko »
Report to moderator   Logged

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Running shell scripts with PHP - How to change user from www-data
« Reply #2 on: September 15, 2013, 10:17:29 PM »
PHP is not confined to your www folder. PHP is restricted by the PHP configuration and user permissions (the permissions of the PHP process owner).

Depending on whether or not you want this to run as a web application or a script, you can easily just su to whatever user you want and run the script as that user. And also, if you just want to list all files and folders, consider using find instead. You can also do this with the in-built directory functions in PHP (http://www.php.net/manual/en/ref.dir.php).
Report to moderator   Logged
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true
Pages: [1]
 



Want to be here? Contact Ande, Factionwars or Kulverstukas on the forum or at IRC.