46

I have a file that is a bash script that requires SUDO to work.

I can run it from the command line using SUDO but I will be prompted to put in the SUDO password.

I want to run this script from php via shell_exec but if I call SUDO, it's not like a command line where I can be prompted for the password. Is there a way to pass the password for sudo with the sudo call?

How can I do this?

JD Isaacks
  • By the way, I am running this on my own Ubuntu 10.04 machine with apache2 and php5 – JD Isaacks Jul 02 '10 at 13:36
  • You should consider changing the permissions of the script. You could for example change the group to the apache user (www-data), and give the group execute permissions: `chgrp www-data script.sh && chmod g+x script.sh`. – Danilo Bargen Jul 02 '10 at 13:38
  • @danilo it's not the file itself that requires the SUDO, it's what the file calls, which is `svn commit`, but first I `cd /var/www` to call svn commit from the working copy. Is there a way I can add permissions to do that for apache user www-admin? – JD Isaacks Jul 02 '10 at 13:43
  • 1
    @John Isaacks: Ah. Take a look at the setuid bit: http://en.wikipedia.org/wiki/Setuid – Danilo Bargen Jul 02 '10 at 13:46
  • 1
    Why does `svn commit` need root? – Stephen Jul 02 '10 at 14:00
  • @Stephen, I am new to all this so I don't know but it tells me permission denied unless I sudo it. – JD Isaacks Jul 02 '10 at 14:31
  • 1
    @John Isaacks : That is (almost) definitely a problem with your svn configuration. You don't want to start handing out root access to scripts to work around it, you'll end up with a mighty insecure system. Spend some time in the svn documentation to give yourself, and possibly "www-admin" access to sections of the svn repository. (I'd tell you myself, but it's been years since I've messed with svn) – Stephen Jul 02 '10 at 14:48
  • @Stephen Thanks for the info. – JD Isaacks Jul 02 '10 at 20:14

4 Answers

48

Edit the sudoers file (with visudo) and add a rule that allows the web server user to run the command without a password. For example:

www-data ALL=NOPASSWD: /path/to/script
Brian
8

There are various solutions for this problem.

  • First of all, consider changing the script permissions, if the reason why you want sudo is simply a permission issue (see the comment I added to the question above).

  • Another approach would be using the setuid bit. [Edit: Looks like setuid does not work well with scripts. For explanations, see this link.]

  • A third, but very insecure method is to read the password from a password file. Warning: This is very insecure, if there's any other possibility, don't do it. And if you do it, try hiding the password file somewhere in your folder hierarchy.

    <?php
    shell_exec('sudo -u root -S bash script.sh < /home/[user]/passwordfile');
    ?>
    
  • And a fourth possibility is to use the NOPASSWD tag in the sudoers file. You should limit this power to the specific commands you need.

Danilo Bargen
  • Changing the script permission won't run it as root, and setuid doesn't work on scripts – Brian Jul 02 '10 at 18:06
  • No, it won't run it as root, but it would solve the issue if the reason for the sudo usage is simply the script not being executable. And about the setuid thing, looks like you're right. In that case, excuse my misinformation. I found a useful link about this topic: http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html – Danilo Bargen Jul 02 '10 at 22:06
  • 2
    omg. NEVER SAVE A PASSWORD THAT HAS ROOT ACCESS! This has never been good form. @Brian's answer is much better: no passwords used. – cmroanirgo Dec 22 '16 at 09:30
5

You can add something like this to your sudoers file:

username ALL=NOPASSWD: /path/to/script

This will allow that particular user to call sudo on that particular script without being prompted for a password.

Daniel Egeberg
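Added example (not code from Brian's, Daniel Egeberg's or Danilo Bargen's answers) showing how the NOPASSWD rule they describe is usually applied to a case like the questioner's `svn commit`. The wrapper name `/usr/local/sbin/svn-commit-www`, the `/var/www` working copy and the web server user `www-data` are assumptions for the illustration. The rule points at one fixed, root-owned script with no arguments, because a NOPASSWD rule on a script that `www-data` can rewrite (or that accepts caller-supplied arguments) is a NOPASSWD rule on an arbitrary root shell; the last function is the check a practitioner runs before trusting such a target.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumed names:
#   web server user   www-data
#   sudo target       /usr/local/sbin/svn-commit-www   (hypothetical wrapper)
#   working copy      /var/www

# 1. The sudoers fragment. Install it as /etc/sudoers.d/www-svn (mode 0440)
#    and validate with: visudo -cf /etc/sudoers.d/www-svn
#    One full path, no wildcards, no arguments; env_reset so PHP's
#    environment (PATH, LD_PRELOAD, ...) is not inherited by the root command.
sudoers_rule() {
    printf '%s\n' \
        'Defaults!/usr/local/sbin/svn-commit-www env_reset' \
        'www-data ALL=(root) NOPASSWD: /usr/local/sbin/svn-commit-www'
}

# 2. The wrapper the rule points at. It takes no arguments and hard-codes
#    everything, so nothing PHP passes can become an svn option.
#    Install with: install -o root -g root -m 0755 wrapper /usr/local/sbin/svn-commit-www
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
set -eu
cd /var/www
exec /usr/bin/svn commit -m "automated commit from web application"
EOF
}

# 3. Check a sudo target before trusting it: it must be a regular file,
#    owned by the expected user (root), and not group- or world-writable.
#    Usage: sudo_target_is_safe PATH [EXPECTED_OWNER]   (exit 0 = safe)
#    Parses `ls -ld` rather than `stat -c` so it works on non-GNU systems.
sudo_target_is_safe() {
    path=$1
    expected_owner=${2:-root}
    [ -f "$path" ] || return 1
    set -- $(ls -ld "$path")          # $1 = mode string, $3 = owner
    perms=$1
    owner=$3
    [ "$owner" = "$expected_owner" ] || return 1
    case $perms in
        ?????w*)    return 1 ;;       # group-writable  (-rwxrwxr-x)
        ????????w*) return 1 ;;       # world-writable  (-rwxr-xrwx)
    esac
    return 0
}

# 4. The PHP side then needs no password. `sudo -n` makes sudo fail
#    immediately instead of hanging on a password prompt if the rule is
#    missing or wrong, which is what you want under a web server:
#
#     <?php
#     $out = shell_exec('sudo -n /usr/local/sbin/svn-commit-www 2>&1');
#     ?>
#
# Nothing from the HTTP request is interpolated into that command line.

# Print the two files so the script is useful stand-alone.
echo '# /etc/sudoers.d/www-svn'
sudoers_rule
echo
echo '# /usr/local/sbin/svn-commit-www'
wrapper_script
```

Note the opposite of what the `-S`/password-file approach does: no secret is stored anywhere, and what `www-data` can do as root is exactly one fixed command. Stephen's comment still applies first: if `svn commit` only fails because of repository file ownership, fixing that removes the need for sudo altogether.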
0

The best secure method is to use the crontab, i.e. save all your commands in a database, say a mysql table, and create a cronjob to read these mysql entries and execute them via shell_exec(). Please read this link for more detailed information.

  * * * * * killProcess.php
Sanjay Kumar N S