1

We have a small office intranet, built in PHP (on an apache server - so WAMP), that allows us to create project folders on our file server. This works by copying a set of template folders to a new location using the shell exec xcopy command and the following switches /e /k /i /c.

We (fairly) recently upgraded to a new file server running Windows Server 2008 R2 Standard. Now the xcopy command no longer works from within PHP. However, I know that the xcopy command is correct because it works if I copy and paste it into a command prompt (on the same machine).

I can see no error message but I assume this is some kind of permissions issue related to the PHP 'user', but I don't know exactly what or how to solve it.

The apache server and the file server are two separate machines. If it's relevant, the apache server is a 32bit machine and the file server is a 64bit machine but, as I say, I can invoke the xcopy command from the CLI of the 32bit machine without a problem.

The Apache process user name is SYSTEM (although I can't seem to use the 'whoami' command to check this)

Any pointers would be greatly appreciated.

FWIW, the exec string looks like this...

echo "xcopy \"\\\\path\\to\\folder\\xxxx_Project\\*.*\" \"\\\\path\\to\\folder\\9876_NEWPROJECT\" /e /k /i /c";

which (I think) materializes as this...

xcopy "\\path\to\folder\xxxx_Project\*.*" "\\path\to\folder\9876_NEWPROJECT" /e /k /i /c

Obviously, the '9876_NEWPROJECT' bit is really a variable.

Strawberry
  • Have you set the appropriate `file/folder` permissions ? – Pedro Lobito Jan 08 '14 at 12:41
  • @strawberry take a look at : http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/ – Pedro Lobito Jan 08 '14 at 12:52
  • I'm confused: is the PHP/Apache server and the "file server" the same machine or 2 different servers? – Digital Chris Jan 08 '14 at 13:24
  • Yes, sorry, I deleted that first comment, I was assuming LAMP server to Windows File server. Is this actually Windows Server to other Windows Server? Or copying files all located on one server? – Digital Chris Jan 08 '14 at 13:28
  • OK then I don't know how it ever worked before running as SYSTEM. See here: http://stackoverflow.com/questions/3622089/windows-service-cant-access-network-share – Digital Chris Jan 08 '14 at 13:32
  • I thought the fact that I was running an exec command by-passed all this stuff. Exec is supposed to be the same as issuing the command from the shell, right?!?!? If it works from the shell then it should work from PHP. – Strawberry Jan 08 '14 at 13:41
  • Did you try specifying the full path to xcopy.exe? Maybe you could add the line of php code you're using? – klugerama Jan 10 '14 at 21:53
  • Remember. It used to work. The only thing that changed was the file server. – Strawberry Jan 10 '14 at 22:19
  • did you: a) check the error logs b) try another exec command, to see if exec works as expected c) try to catch the error, maybe something like: `&1 '); ?>` – birgire Jan 10 '14 at 22:53
  • Do you get any error from `&1'); ?>`, where asdf is a non existing command ? – birgire Jan 10 '14 at 23:00
  • The apache error log shows no error and nothing gets returned to the screen. I'll try with get_current_user and report back. – Strawberry Jan 13 '14 at 10:53

2 Answers

5

get_current_user() will confirm the user your script runs as.

Then try to manually execute your command as this user with runas (or if your user really is SYSTEM then you will need something like psexec to do so).

Now, assuming that your script actually runs as SYSTEM, it is very likely that this user is not authorised on the remote file server. I don't think it is even possible to do that (except, perhaps, by allowing "Everyone"). If it is, I am not sure this is a good idea anyways.

I would instead run the apache service as a regular user, and on the file server, grant access to this user.

Alternatively, you could mount the remote location as a network drive (not tested, other answers in the thread might help too).

RandomSeed
  • Thanks. I can't check this right now, but I'm sure it is a permissions issue. As such, I have a feeling that your suggestions are sure to fix it! – Strawberry Jan 13 '14 at 15:22
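
The diagnosis described in the answer above, as an added example that is not part of the original post: it captures xcopy's exit code and error text (the question reports no visible error) and logs the identity the command ran under. The function names and the project-name rule are assumptions; the paths are the question's own placeholders.

```php
<?php
// Added example. Paths are the question's placeholders; names are hypothetical.
const TEMPLATE_DIR = '\\\\path\\to\\folder\\xxxx_Project';
const PROJECT_ROOT = '\\\\path\\to\\folder';

// Run a command and return its exit code plus combined stdout/stderr.
function runCommand(string $cmd): array
{
    $lines = [];
    $code = -1;
    exec($cmd . ' 2>&1', $lines, $code); // 2>&1 keeps xcopy's error text
    return ['code' => $code, 'output' => implode("\n", $lines)];
}

// Assumed naming rule: letters, digits, underscore and hyphen only,
// so the variable part can never carry path or shell metacharacters.
function isValidProjectName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1;
}

function buildXcopyCommand(string $name): string
{
    if (!isValidProjectName($name)) {
        throw new InvalidArgumentException('Invalid project name');
    }
    $src = escapeshellarg(TEMPLATE_DIR . '\\*.*');
    $dst = escapeshellarg(PROJECT_ROOT . '\\' . $name);
    return "xcopy $src $dst /e /k /i /c";
}

function createProject(string $name): array
{
    $result = runCommand(buildXcopyCommand($name));
    $result['php_user'] = get_current_user();
    $result['whoami'] = runCommand('whoami')['output'];
    return $result;
}

$r = createProject('9876_NEWPROJECT');
if ($r['code'] !== 0) {
    // Log identity next to the error so a permissions failure is obvious.
    error_log(sprintf('xcopy failed (exit %d) as %s / %s: %s',
        $r['code'], $r['php_user'], $r['whoami'], $r['output']));
}
```
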
5

OK. I seem to have got it working. Here's what I did - tell me if it's a bad idea although I should point out that this is an intranet so I'm a little less concerned about security...

  1. Go to Control Panel->Administrative Tools->Services

  2. Select the Apache service and hit Properties

  3. On the Log On tab, click 'This account:' instead of 'Local System account', and then find the user account of the Windows user who's normally logged on to that terminal

  4. Restart Apache

I also amended the user info in the httpd.conf file, but I'm not actually certain that that was necessary.

If there's a better solution, that can be explained in words of two syllables or less, I'm all ears!

Strawberry
  • That's actually the recommended approach (see in the link I pushed earlier: "It is recommended that users create a separate account for running Apache service(s)."). – RandomSeed Jan 15 '14 at 13:27
  • Thanks - that's where I drew my inspiration from :-) - but it doesn't seem quite right using a domain user in this way. (I should stress that that's an opinion based on ignorance rather than anything else) – Strawberry Jan 15 '14 at 13:39
  • Why? A "domain user" does not need to be a physical user. I would even create a new user for Apache only. After all, the same approach is used under Linux (eg. `www-data`). – RandomSeed Jan 15 '14 at 14:12
  • OK. I think I need to speak to my IT people about setting up a new user. But that sounds like a sensible idea. – Strawberry Jan 15 '14 at 15:09
  • Thanks for the idea where to look, for me it was enough to check "Allow service to interact with desktop" – user Dec 25 '15 at 00:10
  • You saved my day buddy <3 – vichu Jun 27 '18 at 17:16