Execute system commands via PHP

Many a time we need to execute system commands on a Linux system, for example to delete a directory or restart a service. However, since Apache does not run with root privileges, it is nearly impossible to use PHP’s exec(), system() or passthru() functions to achieve that.

The solution to this is very simple, especially on Ubuntu. Apache’s user, www-data, needs to be granted privileges to execute certain applications using sudo.

1. Run the command sudo visudo

2. At the end of the file, add the following

www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du

This assumes that you wish to run iptables and du with superuser (root) privileges. However, if you wish to run every application with superuser privileges (which gives any code executing as www-data passwordless root on the machine), then add the following instead of the line above:

www-data ALL=NOPASSWD: ALL

3. That’s it. Now use exec() in the following manner inside your .php script:

exec ("sudo iptables -P FORWARD ACCEPT");

This has enabled me to execute scripts on my server for which I earlier had to use setuid and a combination of cron and whatnot. But now, it’s as convenient from within PHP.
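A fuller version of step 3, as an added example that is not part of the original post: it calls sudo with a fixed absolute path that matches the sudoers entry from step 2, shell-quotes every argument so a variable such as a filename can be passed, and returns sudo's exit status and error text so a rejected call is visible. The names SUDO_ALLOWED, build_sudo_command and run_sudo are hypothetical, and the sample directory value is constructed.

```php
<?php
// Added example, not the post author's code. Assumes the sudoers line from step 2:
//   www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du

// Hypothetical allowlist; keep it identical to the sudoers entry.
const SUDO_ALLOWED = ['/sbin/iptables', '/usr/bin/du'];

// Build the command line: fixed absolute binary, every argument shell-quoted.
function build_sudo_command(string $binary, array $args): string
{
    if (!in_array($binary, SUDO_ALLOWED, true)) {
        throw new InvalidArgumentException("Not in allowlist: $binary");
    }
    // -n makes sudo fail instead of waiting for a password it can never get;
    // "--" ends sudo's own option parsing.
    $parts = ['sudo', '-n', '--', escapeshellarg($binary)];
    foreach ($args as $arg) {
        $parts[] = escapeshellarg((string) $arg);
    }
    // 2>&1 returns sudo's error text instead of silently dropping it.
    return implode(' ', $parts) . ' 2>&1';
}

// Run it and return the exit status together with the combined output.
function run_sudo(string $binary, array $args): array
{
    exec(build_sudo_command($binary, $args), $lines, $status);
    return ['status' => $status, 'output' => implode("\n", $lines)];
}

// The sudoers entry must name the account PHP really runs as
// (www-data on stock Ubuntu, but other Apache builds may differ).
exec('id -un', $who);
echo 'PHP runs as: ', $who[0] ?? 'unknown', "\n";

// Constructed input standing in for a request parameter; the quoting keeps
// the "; id" part inside one argument to du instead of reaching the shell.
$dir = '/var/www/html; id';
$result = run_sudo('/usr/bin/du', ['-sh', '--', $dir]);
echo "exit {$result['status']}\n{$result['output']}\n";

// The post's own call, written the same way:
// run_sudo('/sbin/iptables', ['-P', 'FORWARD', 'ACCEPT']);
```

A non-zero status together with sudo's own message in the output shows that the sudoers entry did not match the calling user or the command path.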


34 thoughts on “Execute system commands via PHP”

  1. Hi! Does anyone know the syntax to pass variables to the exec command in PHP? I'm trying to pass a filename: exec("cat $filename"), but it does not seem to work.

  2. Sir, I'm trying the same thing for a web-based firewall
    <?php
    $output = shell_exec('netstat -a ');
    $t = shell_exec("sudo iptables -P FORWARD ACCEPT");
    echo "
    $output
    ";
    echo "
    $t
    ";
    ?>
    but sir, netstat -a works
    but sudo iptables -P FORWARD ACCEPT

    www-data ALL=NOPASSWD: ALL
    doesn’t work. I tried what you wrote above.

  3. Sir, I'm using XAMPP. Can it be that www-data doesn’t work in this? Because I have disabled the sudo password, so when I execute from the command line it happens correctly, but when I put it in a PHP script nothing happens.

  4. I'm using XAMPP. Can it be that www-data doesn’t work in this? Because I have disabled the sudo password, so when I execute from the command line it happens correctly, but when I put it in a PHP script nothing happens.

  5. Hi sir, I have the same problem as karan. I have pasted “www-data ALL=NOPASSWD: ALL” into my etc/sudoers but it is still not working. I hope you can help me to solve it.

    Defaults env_reset
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root ALL=(ALL) ALL
    # Uncomment to allow members of group sudo to not need a password
    # (Note that later entries override this, so you might need to move
    # it further down)
    # %sudo ALL=NOPASSWD: ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    www-data ALL=NOPASSWD: ALL

  6. @aravin: First, there should not be any need to enter the password if you’re using NOPASSWD. What I’d recommend is:

    a) Ensure that the web server is running as the user www-data. If it is something else, you need to change it accordingly while doing visudo.

    b) Instead of using ALL after NOPASSWD, just use the specific command that you wish to execute. If you can tell me what you’re trying to do, I can help further.

  7. I'm trying to write a PHP script to allow or deny an IP address using ufw in Ubuntu, and my PHP script is like this:

    &1″);
    echo “

    $output

    “;
    ?>

    I checked my Apache:

    aravin@ubuntu:~$ ps aux|grep apache
    aravin 7478 0.0 0.0 3336 804 pts/1 S+ 07:57 0:00 grep apache

    Thanks for wanting to help me. I’m really in trouble right now.

  8. I’m using Ubuntu 9.04

    aravin@ubuntu:~$ ps aux|grep http
    root 4839 0.0 1.2 49892 13028 ? Ss 06:50 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    nobody 4990 0.0 0.6 46248 6412 ? S 06:50 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    nobody 5041 0.0 1.0 50232 11136 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    nobody 5042 0.0 1.0 50232 11136 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    nobody 5043 0.0 1.0 50232 11136 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    nobody 5046 0.0 1.0 50232 11148 ? S 06:53 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    nobody 5086 0.0 1.0 50232 11136 ? S 06:56 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    nobody 6879 0.0 1.0 50232 11136 ? S 07:32 0:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
    aravin 8046 0.0 0.0 3336 800 pts/1 S+ 08:15 0:00 grep http

  9. Sir, I solved it. I changed “www-data ALL=NOPASSWD: ALL” to “nobody ALL=NOPASSWD: ALL”.

    Thank you, sir, for helping me.

  10. Sir, I did as you said
    karan 6879 0.0 0.0 3040 780 pts/1 S+ 15:29 0:00 grep --color=auto apache

    Then I did ===

    Then also variable t has not shown output.
    Please help me, my project deadline is coming.

  11. The output of ps aux|grep http is:

    karan 2173 0.0 0.0 3040 768 pts/0 R+ 17:55 0:00 grep --color=auto http

    Sir, I'm using Ubuntu OS.

  12. @karan: Is the web server located on your machine? I mean, is Apache running on your machine? Also, in Ubuntu the process name by default is apache, run by user www-data. But you mentioned above that you are using xampp, so maybe the user has changed there; it could be nobody also.

    Do
    ps aux|grep nobody
    on the system which is running xampp. Or rather, what you can do is run visudo and test with different users

    apache
    nobody
    www-data

    and see if that’s working. Remember, the web server has to run on the same machine as iptables. And you’ll do visudo on that server only.

  13. I finally got the iptables command executing by doing
    <?php
    shell_exec('sudo -u root -S command_goes_here

    for executing scripts,
    and it was some permission issue also.
    Firstly I added all of: www-data ALL=NOPASSWD: /sbin/iptables, /usr/bin/du
    apache ALL=NOPASSWD
    nobody ALL=NOPASSWD

    Then the folder opt/lampp/htdocs/w w, where my files are, had to have its permission set from user:root to user:www-data using the chown command; then all the scripts started to run properly.

    Thanks for your help.

  14. Execute commands with root privileges via PHP | Adobe Flex, Adobe AIR, Zend Framework, PHP and much more.

  15. Hi there! Do you know if they make any plugins to safeguard
    against hackers? I’m kinda paranoid about losing everything I’ve worked hard on.
    Any tips?

    • Hi, I am having a similar problem to arvind's. I am not able to run sudo commands from PHP. I have tried all the above suggestions. I am trying to do a simple example of making a directory. Please help.

      ex:
      <?php
      $msg = shell_exec("sudo mkdir /xyz");
      sleep(5);
      echo "
      $msg
      ";
      ?>

  16. And if you want to know what is the path for your command,

    ex1.:- command `mount`,
    type `which mount` in terminal and
    it gives the path as `/bin/mount`

    ex2:-which reload
    gives the path as /sbin/reload

    so in visudo file you can add the path correctly.
    www-data ALL=NOPASSWD: /bin/mount
    and
    www-data ALL=NOPASSWD: /sbin/reload

  17. YOU HAVE SAVED MY LIFE.
    I needed this information for a project I’m doing. I’ve been looking for an answer for weeks and configuring visudo was the answer.

    Thank you so much.

  18. Hi, I use the system function like this:

    $info = explode('/', system("file -bi -- ".$_FILES['image']['tmp_name']));

    to extract the file type of the uploaded file and check if it is either video or image. This works great as long as no subdomains are involved in the URL. As soon as the URL contains a subdomain, the $info array is just empty, even though, if I echo $_FILES['image']['tmp_name'], it's still there. I've been trying to figure this out for two days now, but to no avail. Do you have an idea?
    Cheers

  19. Execute system commands via PHP | tediscript.wordpress.com
