RE: PHP CLI Problem

D'oh.  I wondered why I got that email while I was driving.  Thanks for the
security tip.  I had actually planned on protecting those scripts after I
was done getting them to work.  

I removed the shebang, verified the script still works from the command line
but it still doesn't work with Cron.  I tried adding `which php5` and that
didn't work.  If I run it as php, then I'm stuck using php4, so that's not
really an option.

Cron works on the server because I have several perl scripts running through
cron with no problems.  In fact, I would probably give up on this given the
problems I'm having and write in perl, but the perl modules for Amazon's S3
service are poorly documented and I was not able to figure them out.

There are no cron logs and the output is not sent to me after a job has
completed.

-----Original Message-----
From: Daniel Brown [mailto:parasane@xxxxxxxxx] 
Sent: Wednesday, February 06, 2008 7:52 AM
To: Robbert van Andel
Cc: php-general@xxxxxxxxxxxxx
Subject: Re:  PHP CLI Problem

On Feb 6, 2008 1:55 AM, Robbert van Andel <robbert@xxxxxxxxx> wrote:
[snip]
> First off, the script runs great from the command line when I type "php5
> backup.php" but when I type ./backup.php I get an error: "bash:
> ./backup.php: No such file or directory".  I thought maybe this is a problem
> with the top declaration in the script "#!/usr/local/bin/php5". The problem
> is that it appears the server has several php5s I can reference

    See my note on this paragraph later in the message.  And more
importantly, see the addendum "SECURITY NOTICE" at the tail-end of
this email.

> /usr/local/apache/share/cgi-bin/php5
> /usr/local/bin/php5
>
> But it doesn't matter which one I put at the top of the script, I get the
> same error.

    In this case, use /usr/local/bin/php5, which will almost
undoubtedly be compiled as a CLI object, while the
../apache/share/cgi-bin/php5 is most likely a CGI binary or (less
likely) Apache module.  However, keep this part in mind, as with the
first paragraph, for later in the message.

> Okay, so I can live with having to type "php5 backup.php".  However, when I
> try to make a cron job from the script, the script never runs.  The crontab
> entry looks like this
> 1 0 * * 2 php5 /kunden/homepages/23/d117947228/htdocs/oregonswimming/administration/backup/backup.php > backup.log

    In your cronjob, replace the php5 entry with the following
(including the backticks):
        `which php5`

    If that still doesn't work, replace it simply with php, not php5:
        `which php`

    This allows BASh/Shell to execute the eval'd command typed within
the backticks.

> I know the backup never runs because I redirect the output to a file and
> have an email sent to me upon conclusion of the script.  The log file
> doesn't show anything nor do I ever receive an email.  My web host will not
> provide any support for scripting, so I'm hoping someone here can help.

    Are you certain that the user under which the script is executed
via cron is yourself?  On rare occasions (some BSD boxes, Cobalt RaQ
RHL variants, et cetera), cron will not always run as the local user.
It may run as 'cron', 'crond', 'daemon', 'nobody', 'unpriv', 'anon',
or as whomever the sysop has it configured.

> Questions:
> * How do I determine what to put at the top of the script so that I can just
> call "backup.php"?

    Doing that is not such a great idea, and here's where the first
two paragraphs come into play: remove the interpreter designation line
(the first line, containing the #! characters).  Make sure the script
is enclosed in <?php ?> tags.  You can find scripts that are written to
specifically run as crons that instead have the interpreter
designator, but it's just one more thing you'll have to manually
change when porting from one system to another, or if your host
updates their configuration.

    PLUS: Keep in mind that, even when using an interpreter
designator, you *still* have to enclose your code in the <?php ?> tags
(or, if short_open_tags is on, which it probably is, just use <? ?>
tags).  Why?  Because PHP is set to parse *only* code between those
tags, and even if you run the CLI with the -r flag (which allows you
to run code without the <? ?> tags), it will only run /one line/ of
code per call.  (See: `which php` --help  -OR-  `which php5` --help)

    So if you absolutely want to run it as ./backup.php from the local
directory, or
/kunden/homepages/23/d117947228/htdocs/oregonswimming/administration/backup/backup.php,
here are the steps to do so:

    1.) chmod 755 /kunden/homepages/23/d117947228/htdocs/oregonswimming/administration/backup/backup.php
    2.) Line 1 (backup.php): #!/usr/local/bin/php5 (or whatever 'which
php5' or 'which php' says - no backticks here)
    3.) Enclose your code in <? ?> tags, not including the interpreter
designator (first line).


> * What, if anything, do I need to do to make the script work from cron?

    See above answers.

====
SECURITY NOTICE
====

    Here are some things to consider in this specific situation:

        1.) NEVER disclose full server path information as you did in
your email.  From that, I was easily able to discover the domain name,
based upon the fact that Oregon is a US state and "swimming" would
indicate the interests were most likely of a group or charitable
ORGanization.  ;-P

        2.) It's always a Bad Idea[tm] to place crons of that nature
in the web path.  I was able to run the cron without the need of
logging into your admin panel, because there was no security to stop
me.  And while all it will do is create a backup of your databases in
this particular case, the output from that file also gives me *highly
sensitive*, critical information about the location of web path
information, and ABSOLUTE WORST - gives me full access to all of your
database information in plain-text, and even a convenient zip file.

    ACTION ITEMS:
        1.) *IMMEDIATELY* move the 'backups' directory out of the
webroot.  Place it somewhere like
/kunden/homepages/23/d117947228/db-backups/ or even
/kunden/homepages/23/d117947228/crons/.  Make sure to update any
scripts that rely on the webroot-located backups directory.
Otherwise, you WILL have data stolen.  This list is archived on the
web all over, and it will only be a matter of time before some script
kiddie decides you're an easy target.


    Hope that helps.

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
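
An added example, not part of either poster's message: a small shell audit for the two issues raised in this thread, a cron job whose script sits under the webroot and a cron entry that is hard to debug. The function names, the finding labels and the /home/example paths are constructed for illustration; cron commonly runs jobs with a minimal PATH, which is why a bare interpreter name is flagged.

```shell
#!/bin/sh
# audit_cron_line WEBROOT "CRON LINE"
# Prints one finding per line; prints nothing when the entry looks fine.
audit_cron_line() {
    webroot=${1%/}
    line=$2
    case $line in
        ''|'#'*) return 0 ;;              # blank line or comment
    esac
    # '>' without any stderr redirect means error messages never reach the log.
    case $line in
        *'2>'*|*'&>'*) ;;
        *'>'*) echo "stderr-not-captured: add 2>&1 so errors reach the log" ;;
    esac
    set -f                                # keep the '*' schedule fields literal
    set -- $line
    set +f
    [ $# -ge 6 ] || return 0              # not a "5 fields + command" entry
    shift 5                               # drop minute hour dom month dow
    case $1 in
        /*) ;;
        *) echo "relative-command: $1 (cron's PATH is usually minimal)" ;;
    esac
    for word in "$@"; do
        case $word in
            "$webroot"/*) echo "in-webroot: $word" ;;
        esac
    done
}

# audit_crontab WEBROOT  (crontab text on stdin, e.g. from `crontab -l`)
audit_crontab() {
    while IFS= read -r entry; do
        audit_cron_line "$1" "$entry"
    done
}

# Constructed sample: first entry has all three problems, second has none.
audit_crontab /home/example/htdocs <<'EOF'
# weekly database backup
1 0 * * 2 php5 /home/example/htdocs/admin/backup/backup.php > backup.log
1 0 * * 2 /usr/local/bin/php5 /home/example/crons/backup.php >> /home/example/logs/backup.log 2>&1
EOF
```

On a real account, `crontab -l | audit_crontab /path/to/webroot` runs the same checks against the installed entries.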
