Re: Apache user can't use exec(), passthru(), etc.

On Mon, March 21, 2005 8:20 pm, Jim Poserina said:
> If I run this PHP script:
> <?php
> echo '<pre>';
> echo exec('whoami');

The first most biggest thing wrong is that you aren't using the additional
arguments to exec() to find out what your output is, and if your command
generated an error.

For starters, I'm betting that at least one of the following is true:
whoami is not in the $PATH/$path of the PHP user.
whoami is not executable by the PHP user.

You'll never find out which unless you use the extra args to exec.

http://php.net/exec

> echo '</pre>';
> ?>
>
> from the web, the output is
>
> <pre></pre>
>
> and from the command line running as the apache user (webuser),
> the output is.
> Content-type: text/html
> X-Powered-By: PHP/4.3.9
>
> <pre></pre>

EXCELLENT attempt to diagnose this, though!

> But if I run from the command line as root, the output is:
>
> Content-type: text/html
> X-Powered-By: PHP/4.3.9
>
> <pre>root</pre>
>
> and from the command line as a user in the root group, the
> output is:
> Content-type: text/html
> X-Powered-By: PHP/4.3.9
>
> <pre>jimpoz</pre>
>
> Safe mode is turned off. As webuser (or any non-root-group
> user), no shell commands work. Not echo, not ls, not whoami, not touch.
> And no shell functions work: no exec(), no passthru(), no shell_exec(), no
> backticks. Every command I'm trying to run is world-readable and
> world-executable.

But are they in the $path of webuser?

Use the full path to them if they aren't.

exec("/bin/whoami", $output, $error);
if ($error) echo ("OS Error: $error.<br />\n");
echo implode("<br />", $output);

> If I turn safe mode on, it gives me a "safe mode is on" warning only about
> lines that call shell_exec(), and not for exec() or any of the others.
> Other than that, it doesn't hang or give any kind of error or anything
> when it comes to a shell function call; apparently it just ignores them.

No, it tries to run them, and fails, and provides the error messages and
error number in the variables you aren't using :-)

Some days, I think the PHP Dev Group should just make those arguments to
exec() required.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
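
An added example, not part of the original message or thread: a diagnostic script that applies the advice above by checking the binary's path and permissions as the web user, then calling exec() with its output and exit-code arguments and stderr folded in. The helper name diagnose_exec() is hypothetical, /bin/whoami is the path used in the reply, and the type declarations assume PHP 7 or later.

```php
<?php
// Added example: find out why a shell command returns nothing under the web user.
// diagnose_exec() is a hypothetical helper name, not a PHP built-in.

function diagnose_exec(string $binary, array $args = []): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));

    $report = [
        'binary'        => $binary,
        'exists'        => file_exists($binary),
        'executable'    => is_executable($binary),   // checked as the PHP process user
        'path_env'      => getenv('PATH'),           // false if PATH is not set at all
        'exec_disabled' => in_array('exec', $disabled, true),
        'output'        => [],
        'exit_code'     => null,
    ];

    // Stop early if PHP will refuse the call or the file cannot be run.
    if ($report['exec_disabled'] || !$report['executable']) {
        return $report;
    }

    // Build the command from escaped parts; never pass request data in unescaped.
    $cmd = escapeshellcmd($binary);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);
    }

    // 2>&1 folds stderr into $output so the shell's own error text is captured.
    // By shell convention, exit code 127 means "command not found" and
    // 126 means "found but not executable".
    exec($cmd . ' 2>&1', $output, $exitCode);
    $report['output']    = $output;
    $report['exit_code'] = $exitCode;

    return $report;
}

$report = diagnose_exec('/bin/whoami');

header('Content-Type: text/plain');
foreach ($report as $key => $value) {
    $text = is_array($value) ? implode("\n  ", $value) : var_export($value, true);
    echo $key, ': ', $text, "\n";
}
```

Run it both from the web and from the command line as the web user, then compare the two reports; remove the script from the document root once the cause is found.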

