
There are many questions on this topic, but my situation is quite strange.

I am trying to print out exec("sudo -u root whoami") in php. But it returns nothing.

I added %www-data ALL=(ALL:ALL) ALL via sudo visudo but no luck on what is happening, no error, just not printing out anything.

Any suggestion?

Thanks in advance

  • I'm going to put it out there that this is a terrible idea. Your webserver / PHP should not have root access to your entire system. Commented Oct 13, 2016 at 22:55
  • Apart from the horrible security gap you are about to create: your sudoers entry does not mean that no password is required to actually execute the command under the changed user id. A password you cannot provide in an interactive manner. You want to read about the NOPASSWD option the sudoers file offers, you want to read about that in the documentation. But once more: this is a bad idea for security reasons. Commented Oct 13, 2016 at 23:01
  • Also, just tested using the PHP CLI under an existing super user and echo exec("sudo -u root whoami") works fine give or take requiring password. Commented Oct 13, 2016 at 23:01
  • Change it to exec("sudo -u root whoami 2>&1") so that you'll see error messages. Commented Oct 13, 2016 at 23:28
  • thanks for the suggestion Commented Oct 14, 2016 at 3:38

1 Answer

How is your webserver going to enter the password for sudo?

Your configuration allows the webserver-user to run all commands on the server. But that requires the user to enter their password. And the webserver

  1. can't do that interactively
  2. doesn't even have a password

So if you want to do what you try to do (giving the process running PHP root-access to the machine is a very bad idea) you should add this to your sudo-config:

%www-data     ALL = NOPASSWD: /usr/bin/whoami

That allows the group www-data to run whoami as root without an interactive password prompt.

5 Comments

I added %www-data ALL=(ALL:ALL) ALL and I thought that includes what you mentioned? I know it's a bad idea to do this but it did not work
Actually what you suggest works perfectly fine. But is there a safer way to do it or am I going against all the security rules?
And although it does not require password, it does not actually create anything. I tried with a simple mkdir command and no folder created. Thanks in advance
It only allows you to run whoami. if you want to run mkdir you will need to add that behind the whoami. Have a look at the sudo documentation
Suggested answer from be below that keeps sudo and web priv separate
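The two practical points in this thread are (a) sudo was silently waiting for a password the web server can never type, and (b) nothing was captured because stderr was not redirected. As an added example (not code from the question or the answer), this PHP wrapper assumes the single-command NOPASSWD entry from the answer is in place and PHP runs in the www-data group; it uses `sudo -n` so a missing NOPASSWD fails immediately instead of hanging, merges stderr into the captured output, and checks the exit status rather than assuming success:

```php
<?php
// Added example, not from the original post. Assumes the sudoers line
//   %www-data ALL = NOPASSWD: /usr/bin/whoami
// and a PHP process whose group is www-data. Only the absolute path listed
// in sudoers is ever passed to sudo; arguments are shell-escaped.

function runAllowedSudoCommand(string $absolutePath, array $args = []): array
{
    // -n: non-interactive. If sudoers still requires a password, sudo exits
    //     with an error message instead of blocking on a prompt that the
    //     web server cannot answer (the "returns nothing" symptom above).
    $cmd = 'sudo -n -u root ' . escapeshellarg($absolutePath);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);
    }

    // 2>&1: sudo writes its diagnostics to stderr; without this redirect
    // exec() captures only stdout and the reason for failure is lost.
    exec($cmd . ' 2>&1', $outputLines, $exitStatus);

    return ['status' => $exitStatus, 'output' => $outputLines];
}

$result = runAllowedSudoCommand('/usr/bin/whoami');

if ($result['status'] !== 0) {
    // Non-zero status with sudo's own text captured, e.g. a password
    // requirement, a command not permitted by sudoers, or a requiretty
    // setting. Log it server-side rather than assuming the call worked.
    error_log('sudo call failed (exit ' . $result['status'] . '): '
        . implode(' | ', $result['output']));
    echo "privileged command failed; see server log\n";
} else {
    echo 'command ran as: ' . ($result['output'][0] ?? '') . "\n";
}
```

Any command other than the one path listed in sudoers is rejected by sudo itself, which is what keeps the web process's privileges limited to that single binary.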
