Unable to Run BASH Script as Root in PHP Exec

I have edited the sudoers file to allow passwordless execution of the relevant script:

wordpress ALL=(root) NOPASSWD: /home/vgnadmin/createnewsite
Defaults:wordpress !requiretty

This is the code that should execute the command:

if ($_SERVER["REQUEST_METHOD"] == "POST" && $usernameerr == "" && $sitenameerr == "") {
    // Quote both values before they are placed on the command line
    $username = escapeshellarg($username);
    $sitename = escapeshellarg($sitename);
    // Run the script through sudo, capturing stderr together with stdout
    exec("sudo /home/vgnadmin/createnewsite $username $sitename 2>&1", $output, $retval);
    if ($retval == 1) {
        echo "<h1>Script Failed.</h1><br>";
        echo "Error Message:<br>";
        foreach ($output as $line) {
            echo "$line<br>";
        }
    }
}

But when I enter the form information and try to run the script, I get this error message:

sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin

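I have checked journalctl -xe to see whether the command is being run, or whether any errors are produced on the server side, and there are none. Am I missing something?

Other commands run outside of sudo work fine (e.g. ls).

Check your php.ini and search for disable_functions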

disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

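If exec is not in that list, you are fine.

Now check the permissions/ownership of the files and directories that the command is going to change. Update the ownership to the apache or www-data user. Change the file ownership.

Based on your comment, the ownership is wordpress apache; try adding the user wordpress to sudo.

The answer is as follows: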

We use mpm-itk (version 2.4.7-02) with apache 2.4 and it works perfectly. The only things to consider here are the new configuration directives

LimitUIDRange

and

LimitGIDRange

These directives define which UIDs and GIDs mpm-itk can use (via setuid/setgid). As you obviously want it to be able to become root, your lower range must be ID 0. The following configuration will work here:

<IfModule mpm_itk_module>
LimitUIDRange 0 6000
LimitGIDRange 0 6000
</IfModule>

Be aware that the upper border should include all user UID/GID combinations that you want to use within your configuration via AssignUserID.

Note that you can configure this for each virtual host you have. Note, too, that you need a Linux kernel 3.5.0 or higher for this.

https://askubuntu.com/questions/491624/setresuid-operation-not-permitted-when-calling-via-php

On RedHat flavors, you need to add the module manually to /etc/httpd/conf/httpd.conf (or wherever your conf file is).
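
The range check described in the mpm-itk answer above, as an added example that is not part of the original thread: it reads LimitUIDRange / LimitGIDRange from one Apache config file and reports whether a numeric ID (0 for root, or the UID/GID behind an AssignUserID entry) falls inside the range. The function names and the sample config are constructed for illustration; it assumes the last occurrence in the file wins and does not follow Include files or per-virtual-host scoping.

```sh
#!/bin/sh
# Added example: audit mpm-itk LimitUIDRange / LimitGIDRange in one config file.
# Assumption: last occurrence wins; <VirtualHost> scoping and Includes ignored.

# limit_range DIRECTIVE FILE -> prints "LOW HIGH"; exit status 1 if not set
limit_range() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == tolower(d) && NF >= 3 { low = $2; high = $3; found = 1 }
        END { if (!found) exit 1; print low, high }
    ' "$2"
}

# id_allowed DIRECTIVE ID FILE -> 0 inside range, 1 outside, 2 directive absent
id_allowed() {
    range=$(limit_range "$1" "$3") || return 2
    low=${range% *}
    high=${range#* }
    [ "$2" -ge "$low" ] && [ "$2" -le "$high" ]
}

# report FILE ID... -> one line per ID and directive
report() {
    file=$1; shift
    for id in "$@"; do
        for d in LimitUIDRange LimitGIDRange; do
            rc=0; id_allowed "$d" "$id" "$file" || rc=$?
            case $rc in
                0) echo "$d: id $id allowed" ;;
                1) echo "$d: id $id OUTSIDE range (setuid/setgid to it is refused)" ;;
                *) echo "$d: not set in $file" ;;
            esac
        done
    done
}

# Constructed sample config: a range that excludes root (UID/GID 0).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<IfModule mpm_itk_module>
    # LimitUIDRange 0 6000
    LimitUIDRange 1000 6000
    LimitGIDRange 1000 6000
</IfModule>
EOF
report "$SAMPLE" 0 1001
```

Run against the real config with `report /path/to/your.conf 0 <uid>`, passing the numeric IDs of the accounts used in AssignUserID.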