Many a times we need to execute system commands on a Linux system – to delete a directory, or restart a service. However, since Apache does not run with root privileges, it is nearly impossible to use PHP’s exec(), system() or passthru() functions to achieve that.
The solution to this is very simple, specially on Ubuntu. The Apache’s user www-data need to be granted privileges to execute certain applications using sudo.
1. Run the command sudo visudo
2. At the end of the file, add the following
www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du
This is assuming that you wish to run iptables and du using super user (root) privileges. However, if you wish to run every application using super user privileges, then add the following instead of what’s above
www-data ALL=NOPASSWD: ALL
3. That’s it, now use exec() in the following manner inside your .php script
exec ("sudo iptables -P FORWARD ACCEPT");
This has enabled me to execute scripts on my server for which I had to earlier use setuid and combination of cron and what not. But now, it’s as convenient from within PHP.
Vivek's blog 
Hi!, does anyone know the sintax to pass variables to the exec command in PHP ?, Im trying to pass a filename. exec (“cat $filename”) but does not seem to work.
Try using the complete path of the executable – i.e. exec(“/bin/cat $filename”) ; but you may need to use passthru() or system() function for the same.
sir im trying the same thng for web based firewall
<?php
$output = shell_exec('netstat -a ');
$t = shell_exec ("sudo iptables -P FORWARD ACCEPT");
echo "
“;
echo “
“;
?>
but sir netstat -a works
but sudo iptables -P FORWARD ACCEPT
www-data ALL=NOPASSWD: ALL
doesn’t work i tried what u wrote upwards
netstat is in /bin and is accessible to PHP.
iptables in /sbin and is not accessible to PHP. Try doing
sudo /sbin/iptables
instead of just
sudo iptables
sir i m using xampp can be so that www-data doesn’t work in this because i have disabled password of sudo so when i m executing from commandline it’s happening correctly but when i put in php script nothing happens
i m using xampp can be so that www-data doesn’t work in this because i have disabled password of sudo so when i m executing from commandline it’s happening correctly but when i put in php script nothing happens
Yes of course. Find out the user with which apache is running (ps aux|grep apache). Usually it is apache or www-data and maybe httpd also.
Dunno why, but for me it was ‘Daemon’. So I’d suggest you try it out using the command Vivek Kapoor suggests! 🙂
hi sir, i have a same problem like karan. i have paste “www-data ALL=NOPASSWD: ALL” in my etc/sudoers but still not working. i hope you can help me to solve it.
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
www-data ALL=NOPASSWD: ALL
i have change my coding, luckily i get some output but the password not correct even i try all password.
@aravin: First, there should not be any need to enter the password if you’re using NOPASSWD. what I’d recommend is
a) ensure that the web server is running through the user www-data. if something else, you need to change accordingly while doing visudo
b) Instead of using ALL after NOPASSWD, just use the specific command that you wish to execute. if you can tell me what you’re trying to do, I can help further.
i try to write php script to allow or deny ip address using ufw in ubuntu and i my php script is like this:
&1″);
echo “
“;
?>
i check my apache:
aravin@ubuntu:~$ ps aux|grep apache
aravin 7478 0.0 0.0 3336 804 pts/1 S+ 07:57 0:00 grep apache
thanks because you want to help me. i’m really on trouble right know.
@aravin: Which OS are you using? try doing ps aux|grep http
i’m using ubuntu 9.04
aravin@ubuntu:~$ ps aux|grep http
root 4839 0.0 1.2 49892 13028 ? Ss 06:50 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
nobody 4990 0.0 0.6 46248 6412 ? S 06:50 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
nobody 5041 0.0 1.0 50232 11136 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
nobody 5042 0.0 1.0 50232 11136 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
nobody 5043 0.0 1.0 50232 11136 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
nobody 5046 0.0 1.0 50232 11148 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
nobody 5086 0.0 1.0 50232 11136 ? S 06:56 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
nobody 6879 0.0 1.0 50232 11136 ? S 07:32 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
aravin 8046 0.0 0.0 3336 800 pts/1 S+ 08:15 0:00 grep http
sir i solve it.. i change “www-data ALL=NOPASSWD: ALL” to “nobody ALL=NOPASSWD: ALL”
thank you sir because helping me.
You might not want to do that, not for ALL commands, very dangerous.
sir i did as u said
karan 6879 0.0 0.0 3040 780 pts/1 S+ 15:29 0:00 grep –color=auto apache
then i did ===
then also variable t has not shown output
plz help me my project deadline is coming
@karan – try
ps aux|grep http
What Linux distribution is your server running? CentOS/Ubuntu/Debian/Redhat?
the output of ps aux|grep http is :-
karan 2173 0.0 0.0 3040 768 pts/0 R+ 17:55 0:00 grep –color=auto http
sir im using ubuntu os
@karan: Is the web server located on your machine? I mean is apache running on your machine? Also, in Ubuntu the process name by default is apache being run by user www-data. But you mentioned above that you are using xampp – maybe the user has changed there, so it could be be nobody also.
Do
ps aux|grep nobody
on the system which is running xampp. or rather what you can do is, you can do visudo and test with different users
apache
nobody
www-data
and see if that’s working. Remember, the web server has to run on the same machine as the iptables. And you’ll do visudo on that server only.
i finally got executing iptables command by doing
<?php
shell_exec('sudo -u root -S command_goes_here
for executing scripts
and it was some permission issue also
firstly i added all www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du
apache ALL=NOPASSWD
nobody ALL=NOPASSWD
then the folder opt/lampp/htdocs/w w where my files are have to set the permission from user:root to user:www-data using chown command that all the scripts started to run properly then
thanx for your help me
Thanks!
Executar comandos com privilégios de root via PHP Adobe Flex, Adobe AIR, Zend Framework, PHP e muito mais.
Hi there! Do you know if they make any plugins to safeguard
against hackers? I’m kinda paranoid about losing everything I’ve worked hard on.
Any tips?
I had problem such as Karan.
I solve it added in file /etc/sudoers follow line :
Defaults !authenticate
hi i am having a similar problem as of arvind. I am not able to run sudo commands from PHP i have tried all the above suggestions, i am trying to do a simple example of making a directory,Please help
ex:
<?php
$msg = shell_exec("sudo mkdir /xyz");
sleep(5);
echo "
“;
?>
If some one needs to be updated with most recent technologies therefore he must be visit this site and be up to
date everyday.
And if you want to know what is the path for your command,
ex1.:- command `mount`,
type `which mount` in terminal and
it gives the path as `/bin/mount`
ex2:-which reload
gives the path as /sbin/reload
so in visudo file you can add the path correctly.
www-data ALL=NOPASSWD: /bin/mount
and
www-data ALL=NOPASSWD: /sbin/reload
YOU HAVE SAVED MY LIFE.
I needed this information for a project I’m doing. I’ve been looking for an answer for weeks and configuring visudo was the answer.
Thank you so much.
Thank , help me a lot……
Thank you very much !!!!
hi, i use the system-function like this:
$info = explode(‘/’,system(“file -bi — “.$_FILES[‘image’][‘tmp_name’]));
to extract the file type of the uploaded file, and check if it is either video or image. this works great as long as no subdomains are involved in the url. As soon as the url contains a subdomain, the $info array is just empty, even though, if i let the $_FILES[‘image’][‘tmp_name’] be echoed, its still there. Trying to figure this out for two days now, but no avail. Do you have an idea?
cheers
Execute system commands via PHP | tediscript.wordpress.com
I think it is a very dangerous idea to let your PHP can run as a sudo user.