473,326 Members | 2,192 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,326 software developers and data experts.

Help with passthru()

Hi,
I want to implement a Web based System administration page in PHP. I'm
planning to use apache server, mySQL and Ubuntu/debian. Can I
implement it using the functions passthru(),exec() and system(). I
want it to have functions like creating user accounts,changing file
permissions and all that you can do using linux commands.What is the
best way to do it ? Can it be done without using perl ?
Aug 27 '08 #1
5 1561
amalprakash3220 wrote:
Hi,
I want to implement a Web based System administration page in PHP. I'm
planning to use apache server, mySQL and Ubuntu/debian. Can I
implement it using the functions passthru(),exec() and system(). I
want it to have functions like creating user accounts,changing file
permissions and all that you can do using linux commands.What is the
best way to do it ? Can it be done without using perl ?
You can do it, with the right authority. But you need to be very
careful - one slip and you can open your system to hackers with all
kinds of possibilities.

You might look into webmin - it does much of that already, and is
probably more secure than you (or any one person) would write yourself.
And there are others out there, also (some commercial).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 27 '08 #2
Jerry Stuckle wrote:
amalprakash3220 wrote:
>Hi,
I want to implement a Web based System administration page in PHP. I'm
planning to use apache server, mySQL and Ubuntu/debian. Can I
implement it using the functions passthru(),exec() and system(). I
want it to have functions like creating user accounts,changing file
permissions and all that you can do using linux commands.What is the
best way to do it ? Can it be done without using perl ?

You can do it, with the right authority.
Can you elaborate on this a bit.

I wanted to run some ImageMagick commands through an exec and ran
into permissions issues. Yet, I could do stuff like ls -al. Is this an
ownership issue or what?

But you need to be very
careful - one slip and you can open your system to hackers with all
kinds of possibilities.

You might look into webmin - it does much of that already,
I don't believe that there is anyone who really understands webmin.
There's a handful of things that I can do in it, but mostly it's
inscrutable. Easier to use a command line. I spent a couple weeks trying
to figure it out and gave up.

I'd like the same thing. Haven't had time yet to learn bash scripting.

Jeff
and is
probably more secure than you (or any one person) would write yourself.
And there are others out there, also (some commercial).
Aug 27 '08 #3
Jeff wrote:
Jerry Stuckle wrote:
>amalprakash3220 wrote:
>>Hi,
I want to implement a Web based System administration page in PHP. I'm
planning to use apache server, mySQL and Ubuntu/debian. Can I
implement it using the functions passthru(),exec() and system(). I
want it to have functions like creating user accounts,changing file
permissions and all that you can do using linux commands.What is the
best way to do it ? Can it be done without using perl ?

You can do it, with the right authority.

Can you elaborate on this a bit.
Just what I said. You need to study up on Unix security and understand
how it works. Then the web server user (if you're using PHP as a
module) must have permission to perform the requested operations.

Alternatively you can allow PHP to change it's uid, but that's so
dangerous you shouldn't even think about it.
I wanted to run some ImageMagick commands through an exec and ran into
permissions issues. Yet, I could do stuff like ls -al. Is this an
ownership issue or what?
Ownership and permissions.
But you need to be very
>careful - one slip and you can open your system to hackers with all
kinds of possibilities.

You might look into webmin - it does much of that already,

I don't believe that there is anyone who really understands webmin.
There's a handful of things that I can do in it, but mostly it's
inscrutable. Easier to use a command line. I spent a couple weeks trying
to figure it out and gave up.
I've been using it for quite a while. While I do most of my
administration from the command line (because I started doing it long
before tools like webmin existed), it does have its uses. And if you're
going to get into system stuff like user administration (which often
requires root access), it's much more secure than a module you do
yourself. I mainly use it when I need to do something but don't have
ssh access available (like when I'm at a client site).

It has its uses.
I'd like the same thing. Haven't had time yet to learn bash scripting.

Jeff
and is
>probably more secure than you (or any one person) would write
yourself. And there are others out there, also (some commercial).
System security is nothing to fool with. Even if you know all about it
(which I don't think any one person does), it's still very easy to miss
something. And if a hacker gets it, he can do virtually anything he
wants - from using your server to distribute spam, virii, etc., to
completely wiping out your server. He can even change your passwords so
you're locked out of your own system. Then it's generally time to wipe
the system and reload it from scratch. A lot of hassle for one small error!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 27 '08 #4
On Aug 27, 11:58 am, amalprakash3220 <amalprakash3...@gmail.com>
wrote:
Hi,
I want to implement a Web based System administration page in PHP. I'm
planning to use apache server, mySQL and Ubuntu/debian. Can I
implement it using the functions passthru(),exec() and system(). I
want it to have functions like creating user accounts,changing file
permissions and all that you can do using linux commands.What is the
best way to do it ? Can it be done without using perl ?
I had a dedicated directory for scripts to be run by the webapp; you
might try looking into setuid to give things just enough permissions
to accomplish what you need or, failing that, use sudo.

I know people will complain it's a security issue (and it is), but
doing system administration over a webserver will never not be a
security risk.

Luckily, in my case, it was a server on our intranet, and I wasn't
doing system administration, I was simply running a few tasks that
couldn't be run as the apache user.

Aug 28 '08 #5
Michael Vilain wrote:
In article
<05**********************************@j22g2000hsf. googlegroups.com>,
fred <fr*******@gmail.comwrote:
>On Aug 27, 11:58 am, amalprakash3220 <amalprakash3...@gmail.com>
wrote:
>>Hi,
I want to implement a Web based System administration page in PHP. I'm
planning to use apache server, mySQL and Ubuntu/debian. Can I
implement it using the functions passthru(),exec() and system(). I
want it to have functions like creating user accounts,changing file
permissions and all that you can do using linux commands.What is the
best way to do it ? Can it be done without using perl ?
I had a dedicated directory for scripts to be run by the webapp; you
might try looking into setuid to give things just enough permissions
to accomplish what you need or, failing that, use sudo.

I know people will complain it's a security issue (and it is), but
doing system administration over a webserver will never not be a
security risk.

Luckily, in my case, it was a server on our intranet, and I wasn't
doing system administration, I was simply running a few tasks that
couldn't be run as the apache user.

Don't use setuid on web scripts! Shame on you for suggesting that
highly insecure and dangerous idea. Fred's penance is to filter spam on
the servers for 1 week.

Use cgiwrap to run the scripts as the logged in user rather than the web
server's ID.

http://cgiwrap.sourceforge.net/

Or better yet, stop re-inventing the wheel and use webmin.
I agree on not doing setuid() for the web server. And cgiwrap will
help, also. But you can also create CLI scripts which do specific
things (one thing per script). That script can then do a setuid() with
a bit of safety.

To do it, you'll need to set the setuid bit for the php executable -
which you don't want to allow for everyone. So I suggest making a copy
of the executable, set the setuid bit on the copy and only use the copy
when you need to do the setuid.

Also, make the pages which call them password protected and only
available via ssl.

It's still not totally secure - but it's as secure as using cgiwrap, and
about as secure as you can get while having things available via the web
server.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 28 '08 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: Rafal 'Raf256' Maj | last post by:
Hi, Warning: passthru() has been disabled for security reasons in ... how can I change my php.ini file (php4/apache/winxp server) to enable this function? How can I best work around if I can't...
0
by: Yemi | last post by:
Hi There. I seem to be getting some inconsistent results when using passthru() in safe mode. They appear to be related to the fact that passthru should treat all command arguments as one single...
3
by: Jerry | last post by:
I've found a problem with exec, passthru, shell_exec & system. I'm trying to run the following exec("sort -r -n -k2,2 r1.txt > r2.txt") with r1.txt being a numeric file. The file looks like...
2
by: Martin Kofahl | last post by:
Hello, I'm slightly confused with the passthru() command. The program I call writes html headers itself. However, passthru() makes apache sending some generated headers first. There's no fault...
1
by: Spudster3 | last post by:
I'm trying to get this to work.. <?php echo passthru('wmic cpu get loadpercentage'); ?> and just output to the browser... It looks like cmd.exe hangs when it tries to execute the command. ...
2
by: Robertico | last post by:
Hi, I tried to use the Passthru and System function to resolve some whois information. echo passthru('whois 62.69.168.12') .'<br>'; -or- $whois = system('whois 62.69.168.12', $retval); It...
8
by: baustin75 | last post by:
Posted: Mon Oct 03, 2005 1:41 pm Post subject: cannot mail() in ie only when debugging in php designer 2005 -------------------------------------------------------------------------------- ...
2
by: rickcasey | last post by:
I cannnot seem to get exec() or passthru() to execute a perl script; here's the code snippet: if ($debug) { echo "username1 = ".$username1."<br>"; echo "dbname = ".$dbname."<br>"; echo...
1
by: bobh | last post by:
Hi All, In AccessXP I'm trying to change a query I have to a 'passthru' query and its failing. I think its due the fact that I have an 'IIF' in it. What is the sql equivalant to Access ' IIF '...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.