Re: [PHP] Re: exec returns no output?

2006-09-30 Thread Nick Wilson

* and then Stut declared
> Nick Wilson wrote:
> >That makes a lot of sense. I wasn't aware sudoers could be used for
> >individual tasks. I'm not having much luck with it, I suspect it's cos
> >what apache really needs permission to do is to 'sudo -u nick', right?
> 
> Is it important that the transfer happens immediately? If not then a 
> better solution is to drop the images in a folder that is then 
> transferred by a script cron'd by the user that has everything required 
> to do the scp.
> 
> To be frank, anything is better than giving the user that Apache runs as 
> any more permissions than you have to.


Yes, I'm afraid it does need to be immediate. I've fixed it now though
with the sudoers help above in the thread.

thanks

-- 
Nick Wilson
http://performancing.com/user/1

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: exec returns no output?

2006-09-30 Thread Nick Wilson

* and then Colin Guthrie declared
> /usr/bin/transfer_image.sh:
> #!/bin/bash
> 
> if [ -z "$1" ]; then
>   echo "No input file."
>   exit 1
> fi
> scp "$1" [EMAIL PROTECTED]:/var/www/images/
> 
> 
> And then in apache:
> exec("sudo -u nick /usr/bin/transfer_image.sh $file");
> 
> (obviously escape $file with the escapeshellcmd() func.)
> 
> /etc/sudoers should contain something like:
> apache ALL = (/usr/bin/transfer_image.sh) NOPASSWD: ALL

Success!

After lots of messing around with visudo, I got this line working right:

apache ALL=(user2runAs) NOPASSWD: /usr/bin/scp-image.sh


Thanks for the help Col, seems it all turned out good -- shame to spend
the whole damn day on something so small though heh..

-- 
Nick Wilson
http://performancing.com/user/1




Re: [PHP] Re: exec returns no output?

2006-09-30 Thread Stut

Nick Wilson wrote:

> That makes a lot of sense. I wasn't aware sudoers could be used for
> individual tasks. I'm not having much luck with it, I suspect it's cos
> what apache really needs permission to do is to 'sudo -u nick', right?


Is it important that the transfer happens immediately? If not then a 
better solution is to drop the images in a folder that is then 
transferred by a script cron'd by the user that has everything required 
to do the scp.


To be frank, anything is better than giving the user that Apache runs as 
any more permissions than you have to.


-Stut




Re: [PHP] Re: exec returns no output?

2006-09-30 Thread Nick Wilson

* and then Colin Guthrie declared
> Nick Wilson wrote:
> > I think you're on the right track Col. I did a whole bunch more
> > searching and the one thing I kept hearing was that no matter what you
> > try, you just can't get the webserver to exec the script as another user
> > -- so even if I'm saying '[EMAIL PROTECTED]' in both parts of the scp command,
> > it's still being exec'd as apache, and apache has no home, and no .ssh
> > dir.
> 
> The program on the webserver will always be executed as the user that
> runs the webserver. The nick@ bit is purely the syntax used by the
> program in question, in this case scp.
> 
> I'm sure it will be possible to get the apache user to run SCP, even if
> the user does not have a home directory specified.
> 
> > I've tried putting the perms on that dsa file directly as the apache
> > user and even putting it elsewhere in the filesystem but nothing seems
> > to work.
> > 
> > As I don't have the ssh2 ext on this setup, and have no desire to go
> > messin' with new extensions, it looks like I'm going to have to go the nfs
> > route on this problem unless anyone has done this before and knows an
> > answer?
> 
> Assuming you have root on the box in question, you could write a shell
> script that does what you need then run it from apache via the sudo
> command. Provided you configure /etc/sudoers to allow the apache user to
> run your script without a password, it should work. As it's only allowed
> to run that one script, it is also fairly secure.
> 
> E.g.
> /usr/bin/transfer_image.sh:
> #!/bin/bash
> 
> if [ -z "$1" ]; then
>   echo "No input file."
>   exit 1
> fi
> scp "$1" [EMAIL PROTECTED]:/var/www/images/
> 
> 
> And then in apache:
> exec("sudo -u nick /usr/bin/transfer_image.sh $file");
> 
> (obviously escape $file with the escapeshellcmd() func.)
> 
> /etc/sudoers should contain something like:
> apache ALL = (/usr/bin/transfer_image.sh) NOPASSWD: ALL

That makes a lot of sense. I wasn't aware sudoers could be used for
individual tasks. I'm not having much luck with it, I suspect it's cos
what apache really needs permission to do is to 'sudo -u nick', right?

-- 
Nick Wilson
http://performancing.com/user/1




[PHP] Re: exec returns no output?

2006-09-30 Thread Colin Guthrie
Nick Wilson wrote:
> I think you're on the right track Col. I did a whole bunch more
> searching and the one thing I kept hearing was that no matter what you
> try, you just can't get the webserver to exec the script as another user
> -- so even if I'm saying '[EMAIL PROTECTED]' in both parts of the scp command,
> it's still being exec'd as apache, and apache has no home, and no .ssh
> dir.

The program on the webserver will always be executed as the user that
runs the webserver. The nick@ bit is purely the syntax used by the
program in question, in this case scp.

I'm sure it will be possible to get the apache user to run SCP, even if
the user does not have a home directory specified.

> I've tried putting the perms on that dsa file directly as the apache
> user and even putting it elsewhere in the filesystem but nothing seems
> to work.
> 
> As I don't have the ssh2 ext on this setup, and have no desire to go
> messin' with new extensions, it looks like I'm going to have to go the nfs
> route on this problem unless anyone has done this before and knows an
> answer?

Assuming you have root on the box in question, you could write a shell
script that does what you need then run it from apache via the sudo
command. Provided you configure /etc/sudoers to allow the apache user to
run your script without a password, it should work. As it's only allowed
to run that one script, it is also fairly secure.

E.g.
/usr/bin/transfer_image.sh:
#!/bin/bash

if [ -z "$1" ]; then
  echo "No input file."
  exit 1
fi
scp "$1" [EMAIL PROTECTED]:/var/www/images/


And then in apache:
exec("sudo -u nick /usr/bin/transfer_image.sh $file");

(obviously escape $file with the escapeshellcmd() func.)

/etc/sudoers should contain something like:
apache ALL = (/usr/bin/transfer_image.sh) NOPASSWD: ALL

Col.

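A hardened version of the transfer script, added here as an example and not Colin's or Nick's code: because the sudoers line that ends up working lets apache pass any argument to the script, the script itself has to decide which files may leave the box. It assumes (not from the thread) that images live under /stat/data/drupal, a dedicated key at /home/nick/.ssh/id_transfer, and a placeholder remote host.

```shell
#!/bin/bash
# Added example, not the thread's script: a hardened /usr/bin/transfer_image.sh.
# sudo lets the apache user pass ANY argument to this script, so the script, not the
# PHP caller, must limit what is handed to scp. Assumed values (not from the thread):
# ALLOWED_DIR, REMOTE_DEST (placeholder host) and KEY_FILE.

ALLOWED_DIR=/stat/data/drupal
REMOTE_DEST='nick@REMOTE-HOST-PLACEHOLDER:/var/www/images/'
KEY_FILE=/home/nick/.ssh/id_transfer   # dedicated key; sudo may reset HOME, so no ~

# check_image_path PATH ALLOWED_DIR
# Prints the canonical path and returns 0 if PATH may be transferred, else returns 1.
check_image_path() {
    local p="$1" allowed="${2%/}" real
    [ -n "$allowed" ] || return 1          # an empty prefix would match every path
    case "$p" in
        '' | -*) return 1 ;;               # empty, or something scp would parse as an option
    esac
    # Resolve symlinks and ../ first so the prefix check sees the real location (GNU readlink).
    real=$(readlink -f -- "$p" 2>/dev/null) || return 1
    case "$real" in
        "$allowed"/*) ;;                   # canonical path must stay under the allowed directory
        *) return 1 ;;
    esac
    [ -f "$real" ] || return 1             # regular file only: no directories, devices, sockets
    case "$real" in
        *.png | *.jpg | *.jpeg | *.gif) ;; # image extensions only
        *) return 1 ;;
    esac
    printf '%s\n' "$real"
}

# transfer_image PATH: validate, then copy. Status 2 = usage, 1 = rejected, otherwise scp's.
transfer_image() {
    local real
    if [ $# -ne 1 ]; then
        echo "usage: transfer_image.sh /path/to/image" >&2
        return 2
    fi
    if ! real=$(check_image_path "$1" "$ALLOWED_DIR"); then
        echo "refusing to transfer: $1" >&2
        return 1
    fi
    # BatchMode makes scp fail instead of hanging on a password prompt (the symptom the
    # thread's exec() call was stuck on); the dedicated key keeps the user's own key private.
    scp -q -o BatchMode=yes -i "$KEY_FILE" -- "$real" "$REMOTE_DEST"
}

# The installed script ends with the line:  transfer_image "$@"
# (left out here so the functions can be sourced and exercised without running scp).
```

The PHP side then only needs `exec("sudo -n -u nick /usr/bin/transfer_image.sh " . escapeshellarg($file) . " 2>&1", $out, $status)`: `-n` makes sudo fail rather than wait for a password, and `2>&1` puts scp's error text into $out instead of the web server's error log.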



Re: [PHP] Re: exec returns no output?

2006-09-30 Thread Nick Wilson

* and then Colin Guthrie declared
> Nick Wilson wrote:
> > Right, I'm with you. The keyfile is mine though, and I know I can ssh
> > from this box to that without any problem.
> > 
> > I've made a test script for this and it's returning some very weird
> > stuff now. The actual file it outputs (stdout and stderr) is the actual
> > image I'm trying to send!
> > 
> > <?php
> > $file = '/stat/data/drupal/image.png';
> > exec("/usr/bin/scp -v -i /home/troot/.ssh/id_dsa $file [EMAIL PROTECTED]:/var/www/images/ 1>&2 /var/www/html/test/out", $ack);
> > print_r($ack);
> > ?>
> 
> Could it be a permissions problem? Your ~/.ssh folder has to be
> nailed down permissions-wise, otherwise SSH will complain. Also the id_dsa
> file is usually only readable by the user and nothing else (e.g. mode 0600).
> 
> I'd suggest you check permissions. Also I'd add a new key for this
> rather than use your own. If the apache process can read your private
> key this is quite a security risk.

I think you're on the right track Col. I did a whole bunch more
searching and the one thing I kept hearing was that no matter what you
try, you just can't get the webserver to exec the script as another user
-- so even if I'm saying '[EMAIL PROTECTED]' in both parts of the scp command,
it's still being exec'd as apache, and apache has no home, and no .ssh
dir.

I've tried putting the perms on that dsa file directly as the apache
user and even putting it elsewhere in the filesystem but nothing seems
to work.

As I don't have the ssh2 ext on this setup, and have no desire to go
messin' with new extensions, it looks like I'm going to have to go the nfs
route on this problem unless anyone has done this before and knows an
answer?

Thanks for the help!


-- 
Nick Wilson
http://performancing.com/user/1




[PHP] Re: exec returns no output?

2006-09-30 Thread Colin Guthrie
Nick Wilson wrote:
> Right, I'm with you. The keyfile is mine though, and I know I can ssh
> from this box to that without any problem.
> 
> I've made a test script for this and it's returning some very weird
> stuff now. The actual file it outputs (stdout and stderr) is the actual
> image I'm trying to send!
> 
> <?php
> $file = '/stat/data/drupal/image.png';
> exec("/usr/bin/scp -v -i /home/troot/.ssh/id_dsa $file [EMAIL PROTECTED]:/var/www/images/ 1>&2 /var/www/html/test/out", $ack);
> print_r($ack);
> ?>

Could it be a permissions problem? Your ~/.ssh folder has to be
nailed down permissions-wise, otherwise SSH will complain. Also the id_dsa
file is usually only readable by the user and nothing else (e.g. mode 0600).

I'd suggest you check permissions. Also I'd add a new key for this
rather than use your own. If the apache process can read your private
key this is quite a security risk.

Col.




Re: [PHP] Re: exec returns no output?

2006-09-30 Thread Nick Wilson

* and then Colin Guthrie declared
> Nick Wilson wrote:
> >> Do you use generated keys without a password for logging in?  Otherwise 
> >> exec() 
> >> is just going to sit there while the scp command waits for a password.
> > 
> > That's exactly what I think it's doing. The -i specifies an identity
> > file according to the man page for scp so I would have hoped that would
> > take care of it (as I can't work out how to generate an identity for the
> > apache user itself) but I guess it is doing exactly as you say..
> 
> Nick I think you are misunderstanding what Ray is asking.
> 
> scp (without the -i  arg) will ask you for your SSH password.
> 
> BUT, the keyfile itself can be generated to have a password also!

Right, I'm with you. The keyfile is mine though, and I know I can ssh
from this box to that without any problem.

I've made a test script for this and it's returning some very weird
stuff now. The actual file it outputs (stdout and stderr) is the actual
image I'm trying to send!

<?php
$file = '/stat/data/drupal/image.png';
exec("/usr/bin/scp -v -i /home/troot/.ssh/id_dsa $file [EMAIL PROTECTED]:/var/www/images/ 1>&2 /var/www/html/test/out", $ack);
print_r($ack);
?>
-- 
Nick Wilson
http://performancing.com/user/1




[PHP] Re: exec returns no output?

2006-09-30 Thread Colin Guthrie
Nick Wilson wrote:
>> Do you use generated keys without a password for logging in?  Otherwise 
>> exec() 
>> is just going to sit there while the scp command waits for a password.
> 
> That's exactly what I think it's doing. The -i specifies an identity
> file according to the man page for scp so I would have hoped that would
> take care of it (as I can't work out how to generate an identity for the
> apache user itself) but I guess it is doing exactly as you say..

Nick I think you are misunderstanding what Ray is asking.

scp (without the -i arg) will ask you for your SSH password.

BUT, the keyfile itself can be generated to have a password also!

On the SSH server as the user you want to scp from apache as, run
"ssh-keygen -t dsa" and it will generate a key file in the current users
~/.ssh/ folder named id_dsa and id_dsa.pub

As part of this generation, it will ask you for a password for the KEY,
this is NOT the SSH password. If you want to run SCP without any
passwords, you need to just hit return at the password prompt so that it
will generate the keys without a password.

You will want to put the id_dsa.pub file on the web server and make it
readable by Apache.

Test it yourself as a normal user on the webserver and double check that
it doesn't require a password.

Hope that helps

Col.
