Re: [PHP] Re: run remote shell script
On Wed, August 17, 2005 9:50 pm, Roger Thomas wrote:
> OK. I am able to setup remote key authentication between svrA and svrB.
> From svrA I can login to svrB with something like
>
>     [EMAIL PROTECTED] www]$ ssh [EMAIL PROTECTED]
>
> and I can also execute a shell script like
>
>     [EMAIL PROTECTED] www]$ ssh [EMAIL PROTECTED] /tmp/test.sh

Excellent!

If 'www' can do it in a shell, then PHP, running as 'www' can usually do it -- though a FEW commands require an honest-to-god tty real-login-shell connection or they refuse to run. I think su is one of them.

> On svrA I have a PHP script like so:
>
>     <?php
>     system('ssh [EMAIL PROTECTED] /tmp/test.sh someDIR');

//Do this:

    exec('ssh [EMAIL PROTECTED] /tmp/test.sh someDIR', $output, $error);
    if ($error) echo "OS Error: $error\n";
    echo implode("\n", $output);

This will tell you what error messages, if any, you are getting.

Most likely what is happening is that the 'www' user in PHP does not have a true shell set up -- so 'www' has no home dir, so ssh does not find the keys you stuck in ~/.ssh/ so you need to do something like:

    exec('ssh -i /home/www/.ssh [EMAIL PROTECTED] /tmp/test.sh someDIR', $output, $error);

Read man ssh for more details about the -i flag, but it basically tells ssh where to find the keys it needs to use to get into svrB (and anywhere else 'www' has access to).

I did the same thing with scp (kinda like FTP tunnelling through SSH) and that was the thing that took me awhile to figure out.

>     ?>
>
> /tmp/test.sh on svrB is only a one liner like so:
>
>     mkdir /tmp/$1
>
> I ran the script from the browser but the /tmp/someDIR is not created :(
>
> Could it be that user nobody on svrA is *not* allowed to connect to svrB because the public key belongs to user www ? How do I rectify this ?

Whoa.

First of all, you have two different 'www' users running around: [EMAIL PROTECTED] and [EMAIL PROTECTED]

From here on, I'll specify users with @svr? so we know what we're talking about.

If the user '[EMAIL PROTECTED]' is the one PHP runs as, then, yes, '[EMAIL PROTECTED]' needs to have a copy of the [half-]key that currently is owned by '[EMAIL PROTECTED]' which is what allows '[EMAIL PROTECTED]' to ssh to '[EMAIL PROTECTED]' without supplying a password.

Though why you have a '[EMAIL PROTECTED]' user and then have '[EMAIL PROTECTED]' running Apache/PHP is beyond my ken...

It's MORE likely that '[EMAIL PROTECTED]' really is running Apache/PHP, and you are getting tripped up by what I outlined above.

BUT - yes, if the user running Apache/PHP doesn't have the half of the key-pair that it needs to access svrB, then that user ain't getting into svrB.

NOTE: It's usually the PRIVATE key belonging to '[EMAIL PROTECTED]' that you would have sitting in the .ssh directory for '[EMAIL PROTECTED]' and then the PUBLIC half would be sitting in '[EMAIL PROTECTED]' .ssh directory.

IE, the presence of the PUBLIC key belonging to somebody else ([EMAIL PROTECTED]) in the file that, in theory, only '[EMAIL PROTECTED]' can write, is how [EMAIL PROTECTED] gave permission for [EMAIL PROTECTED] to get in.

[EMAIL PROTECTED] has the PUBLIC key to [EMAIL PROTECTED], but that's okay. It's a PUBLIC key, so anybody can safely hold it.

[EMAIL PROTECTED] has the PRIVATE key in his own .ssh directory, which only he can access.

What you MAY have done, and which MIGHT work (or not) but seems backwards to me: [EMAIL PROTECTED] made a key-pair, and then handed over the PRIVATE key to [EMAIL PROTECTED]

IF you did that, and IF that works, the risk here is that you've got a key that is labeled as PRIVATE that has been handed out to somebody else, which is a no-no. And you've got a key that is labeled as PUBLIC (sitting up on [EMAIL PROTECTED]) that you could easily someday think "Oh, it's okay to hand this out, it's PUBLIC" but, really, *that* PUBLIC key is what is supposed to be kept secret so that the PRIVATE key handed to [EMAIL PROTECTED] can tie in...

> In the actual situation, I need to execute a shell script in svrB (from browser served by Apache on svrA) that only root can run. Please advise. I am getting very worried.

I'd be real worried about the script that only 'root' can run...

Set up a new user on svrB that has permission to create the directories you need, and that's pretty much all that user can do.

Using 'root' access is just too much power.

Minimize your exposure ; Minimize your risk ; Minimize permissions

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: run remote shell script
Quoting Richard Lynch [EMAIL PROTECTED]:
> If 'www' can do it in a shell, then PHP, running as 'www' can usually do it

www is a Linux system user on both svrA and svrB. On svrA, Apache runs as user nobody. I mean, this is the httpd user, where we defined it in httpd.conf:

    User nobody
    Group nobody

My bad, I should have used roger instead of www.

> //Do this:
>
>     exec('ssh [EMAIL PROTECTED] /tmp/test.sh someDIR', $output, $error);
>     if ($error) echo "OS Error: $error\n";
>     echo implode("\n", $output);

I got this:

    OS Error: 255

> This will tell you what error messages, if any, you are getting.
>
> Most likely what is happening is that the 'www' user in PHP does not have a true shell set up -- so 'www' has no home dir, so ssh does not find the keys you stuck in ~/.ssh/ so you need to do something like:
>
>     exec('ssh -i /home/www/.ssh [EMAIL PROTECTED] /tmp/test.sh someDIR', $output, $error);

In my case, user nobody (that Apache runs as in svrA), does not have a true shell setup. How do I create a private/public key for user nobody when I can't even login as user nobody (as it does not have a true shell) ? What's my option ?

> Though why you have a '[EMAIL PROTECTED]' user and then have '[EMAIL PROTECTED]' running Apache/PHP is beyond my ken...

Sorry for the confusion.

> It's usually the PRIVATE key belonging to '[EMAIL PROTECTED]' that you would have sitting in the .ssh directory for '[EMAIL PROTECTED]' and then the PUBLIC half would be sitting in '[EMAIL PROTECTED]' .ssh directory.

Yes, I did that. I logged in as user www in svrA and executed ssh-keygen -t rsa. I then copied id_rsa.pub to svrB and called it /home/www/.ssh/authorized_keys. As noted, user www is a system user in both svrA and svrB.

> I'd be real worried about the script that only 'root' can run...
>
> Set up a new user on svrB that has permission to create the directories you need, and that's pretty much all that user can do.
>
> Using 'root' access is just too much power.

I mean, I want to execute a command in svrB where only root can do so. Like 'shutdown' or something else.

Appreciate your advice. TIA

-- Roger

--- Sign Up for free Email at http://ureg.home.net.my/ ---
Re: [PHP] Re: run remote shell script
On Thu, August 18, 2005 12:22 am, Roger Thomas wrote:
> Quoting Richard Lynch [EMAIL PROTECTED]:
> > If 'www' can do it in a shell, then PHP, running as 'www' can usually do it
>
> www is a Linux system user on both svrA and svrB. On svrA, Apache runs as user nobody. I mean, this is the httpd user, where we defined it in httpd.conf:
>
>     User nobody
>     Group nobody
>
> My bad, I should have used roger instead of www.

Is 'www' a real user on either server? What is that user allowed to do? Does that user exist for the express purpose of doing things related to the web-server, and nothing else?

If so, the easiest solution might be to change httpd.conf to have:

    User www

It gives Apache/PHP a little more power ; which increases risk a bit

But if 'www' ONLY has permissions to do the kinds of things you want to allow Apache/PHP to do, then that's okay.

If 'www' has lots and lots of permissions to do all sorts of things, then it is a Bad Idea to do httpd.conf: User www

> > This will tell you what error messages, if any, you are getting.

Damn!

Error 255 is not particularly enlightening, at least to me -- But I think it indicates a problem before PHP even manages to FIND the ssh command, not one actually trying to run it. Somebody who knows OS error codes better than me could maybe clarify this a bit.

> > Most likely what is happening is that the 'www' user in PHP does not have a true shell set up -- so 'www' has no home dir, so ssh does not find the keys you stuck in ~/.ssh/ so you need to do something like:
> >
> >     exec('ssh -i /home/www/.ssh [EMAIL PROTECTED] /tmp/test.sh someDIR', $output, $error);
>
> In my case, user nobody (that Apache runs as in svrA), does not have a true shell setup. How do I create a private/public key for user nobody when I can't even login as user nobody (as it does not have a true shell) ?

You *might* be able to use the -i /home/www/.ssh part, so long as the nobody user can *READ* www's key files... Though that may not be desirable.

In detail, you *COULD* create a group called 'www_nobody' and add both 'www' and 'nobody' to it, and then you *COULD* chgrp 'www_nobody' /home/www/.ssh/ (and/or some files within that) and THEN I think the exec() would work with the -i /home/www/.ssh because now nobody is using www's keyring to get into whatever www can get into.

Though, at that point, maybe just changing httpd.conf to User www is looking more attractive.

You should first try something more simple like:

    exec('ls', $output, $error);
    if ($error) echo "OS Error: $error\n";
    echo implode("\n", $output);

just to be certain the nobody user can do *anything* with exec()

It *MAY* be a requirement that nobody has some kind of shell access for exec() to work... I don't know for sure about that.

But this quick test without the vagaries of ssh and keys and permissions involved will sort of work towards your goal from the other end -- getting PHP to execute *something* in the shell, and knowing that that something is so damn simple that it HAS to work. :-)

If the Apache user *HAS* to have a valid shell to use exec() then you're kinda stuck with User www, or some other user like 'www-run' which I sometimes see... Possibly for the same reasons that you have a 'www' user already and don't want to use that for httpd.conf User.

You may also want to use things like /usr/bin/ls and /usr/local/bin/ssh or whatever they are on your box. Better to use a full path and be sure you are not subject to the whims of the shell and some $PATH environment variable that root might change out from under you some day by messing with /etc/passwd in a security audit.

> What's my option ?

Short version:

Make sure PHP can do something useful with exec() like ls
Make sure PHP can *read* the keys it needs to get into svrB
Use full path to ssh and use -i /home/www/.ssh so PHP knows it's supposed to get the keys from there.

> > Though why you have a '[EMAIL PROTECTED]' user and then have '[EMAIL PROTECTED]' running Apache/PHP is beyond my ken...
>
> Sorry for the confusion.

'Sokay.

Just wondering WHY you have a user named 'www' if it's NOT to run Apache...

It's pretty common to have a user 'www' (or similar) running Apache just so you can keep the web stuff out of the hands of nobody (IE, everybody) and have a username everybody recognizes as the user that runs Apache

But then I've seen those boxes where it's 'www-run' or 'apache' or other more interesting usernames running Apache/PHP, so it's not really written in stone.

> > It's usually the PRIVATE key belonging to '[EMAIL PROTECTED]' that you would have sitting in the .ssh directory for '[EMAIL PROTECTED]' and then the PUBLIC half would be sitting in '[EMAIL PROTECTED]' .ssh directory.
>
> Yes, I did that. I logged in as user www in svrA and executed ssh-keygen -t rsa. I then copied id_rsa.pub to svrB and called it /home/www/.ssh/authorized_keys. As noted, user www is a system user in both svrA and svrB.
>
> > I'd be real worried about the script that only 'root' can run...
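Richard's explanation of which half of the key pair goes where, and his later idea of chgrp'ing /home/www/.ssh so that 'nobody' can read www's keys, both reduce to one layout check: the private half stays on svrA, readable only by the account that runs ssh, and only the public half is appended to authorized_keys on svrB. The script below is an added example, not code from the thread. It takes a private key file, its .pub file and a copy of the remote authorized_keys (the argument order and file names are assumptions); with no arguments it runs against constructed fake key files, so no real key is touched. One fact worth knowing before sharing a key between accounts: OpenSSH ignores a private key owned by the calling user whose mode allows group or other access (the "UNPROTECTED PRIVATE KEY FILE" warning), so 0600 on the private key is the baseline the check enforces.

```shell
#!/bin/sh
# Added example (not code from the thread): check that an SSH key pair is laid
# out the way Richard describes, i.e. the PRIVATE half stays on svrA, readable
# only by the account that will run ssh, and only the PUBLIC half appears in
# authorized_keys on svrB. Usage (paths are assumptions):
#   check_key_layout.sh /home/www/.ssh/id_rsa /home/www/.ssh/id_rsa.pub <copy of svrB authorized_keys>
set -u

# True if the file contains a PEM/OpenSSH private key marker anywhere.
contains_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# True if no group/other permission bits are set (0600 or 0400).
owner_only() {
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# The base64 key blob is the second field of an OpenSSH public key line.
pub_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# True if the public key's blob appears on a non-comment line of
# authorized_keys (any field, so entries carrying options such as
# command="..." still match).
authorized() {
    blob=$(pub_blob "$1")
    [ -n "$blob" ] || return 1
    awk -v b="$blob" '
        $1 ~ /^#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == b) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$2"
}

# Run every check; prints one FAIL line per problem, returns 0 only if clean.
check_layout() {
    priv=$1; pub=$2; auth=$3; rc=0
    contains_private_key "$priv" || { echo "FAIL: $priv is not a private key"; rc=1; }
    owner_only "$priv"           || { echo "FAIL: $priv is readable by group/other"; rc=1; }
    if contains_private_key "$auth"; then
        echo "FAIL: a PRIVATE key was copied into $auth (the halves are backwards)"; rc=1
    fi
    authorized "$pub" "$auth"    || { echo "FAIL: public half of $pub is not in $auth"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: private key local and protected, public half authorized on the remote"
    return "$rc"
}

# Constructed demo files (not real keys): a fake private key with 0600 perms,
# its fake public half, and a remote authorized_keys holding that public half.
DEMO=$(mktemp -d)
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nnotarealkey\n-----END OPENSSH PRIVATE KEY-----\n' > "$DEMO/id_rsa"
chmod 600 "$DEMO/id_rsa"
printf 'ssh-rsa AAAAB3FAKEBLOB www@svrA\n' > "$DEMO/id_rsa.pub"
printf '# /home/www/.ssh/authorized_keys on svrB\nssh-rsa AAAAB3FAKEBLOB www@svrA\n' > "$DEMO/authorized_keys"

if [ $# -eq 3 ]; then
    check_layout "$1" "$2" "$3"
else
    check_layout "$DEMO/id_rsa" "$DEMO/id_rsa.pub" "$DEMO/authorized_keys"
fi
```

Run it as the account that will actually call ssh (the Apache user, in Roger's case), since the permission check is about what that account owns; the "backwards" layout Richard warns about, a private key pasted into authorized_keys, is reported as a FAIL rather than silently accepted.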
Re: [PHP] Re: run remote shell script
Thanks for your great explanation. I really appreciate that. I will try out the things that you have outlined and will be back if I land into trouble :)

-- Roger

Quoting Richard Lynch [EMAIL PROTECTED]:
> On Thu, August 18, 2005 12:22 am, Roger Thomas wrote:
> [...]
Re: [PHP] Re: run remote shell script
First off, Roger, Thomas, not sure which is your given name -- please use a mail or news agent that will wrap your lines with linebreaks at 72 characters. Some of us are on text-based clients, and it's difficult to read your posts when they extend beyond the screen boundaries... ;-)

* Roger Thomas [EMAIL PROTECTED] :
> OK. I am able to setup remote key authentication between svrA and svrB.
> From svrA I can login to svrB with something like
>
>     [EMAIL PROTECTED] www]$ ssh [EMAIL PROTECTED]
>
> and I can also execute a shell script like
>
>     [EMAIL PROTECTED] www]$ ssh [EMAIL PROTECTED] /tmp/test.sh
>
> On svrA I have a PHP script like so:
>
>     <?php
>     system('ssh [EMAIL PROTECTED] /tmp/test.sh someDIR');
>     ?>
>
> /tmp/test.sh on svrB is only a one liner like so:
>
>     mkdir /tmp/$1
>
> I ran the script from the browser but the /tmp/someDIR is not created :(
>
> Could it be that user nobody on svrA is *not* allowed to connect to svrB because the public key belongs to user www ? How do I rectify this ?
>
> In the actual situation, I need to execute a shell script in svrB (from browser served by Apache on svrA) that only root can run. Please advise. I am getting very worried.

Okay, I should have been a little more explicit. There are two ways I've done this. The initial details are different, but the final call is pretty much the same.

1. Using sudo

'sudo' allows users to run commands as different users. In this case, we want the user running the web server (usually www, apache, or nobody) to run ssh, or a script that executes the ssh command, as a normal user. I usually opt for the latter, and create a script such as:

    #!/bin/bash
    exec ssh [EMAIL PROTECTED] /path/to/remote/script

and save it in /usr/local/bin. Then, edit sudoers (usually executing 'visudo' as root), and add a line like

    nobody ALL = (username) NOPASSWD: /usr/local/bin/SCRIPTNAME

What this does is to allow the user 'nobody' (or whomever runs the web server process) to execute /usr/local/bin/SCRIPTNAME as 'username', and they do not need to enter a password to do so (normally with sudo you do). You'll need to restart the webserver after granting the sudo privileges.

In this scenario, the normal user, specified by 'username' above, needs to have the SSH keys setup between the servers.

2. Give the web user a home directory

The other option is to setup a home directory for the web user. This will mean editing the /etc/passwd file to give the web user both a home directory and a shell; these are the last two items in the colon delimited list. A sample entry might look like:

    nobody:x:65534:65534:nobody:/var/www:/bin/bash

Once you've done this, restart the web server. At this point, you'll then need to become the web user briefly in order to:

* generate an SSH key
* send the key to the remote server

Then, on the remote server, add the SSH key to the appropriate user on that system.

Good luck!

> Quoting Matthew Weier O'Phinney [EMAIL PROTECTED] :
> [...]

-- 
Matthew Weier O'Phinney
Zend Certified Engineer
http://weierophinney.net/matthew/
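Matthew's sudo route and Richard's "use full paths and check the exit status first" advice fit together in one wrapper, shown below as an added example that is not Matthew's or Richard's code: the wrapper name mkremotedir, the key-owning user deploy and the key path are assumptions. Two facts the thread leaves open: ssh -i expects the private key file, not the ~/.ssh directory, and ssh exits 255 only for its own failures (connection, host key, authentication), so the 255 Roger got means PHP did find and run ssh, which then could not get into svrB. Because someDIR ends up in mkdir /tmp/$1 on svrB and, in Roger's setup, originates from a browser request, the wrapper allowlists the argument before any shell sees it; and with a NOPASSWD sudo rule the wrapper must be root-owned and not writable by the web user, otherwise the rule amounts to letting that user run anything as the key owner.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper the web user may run via sudo
# as a normal account that owns the SSH keys. Assumed names: the wrapper lives
# at /usr/local/bin/mkremotedir and the key-owning user is 'deploy'.
#
# Setup (as root):
#   install -o root -g root -m 0755 mkremotedir /usr/local/bin/mkremotedir
#   visudo, then add:   nobody ALL = (deploy) NOPASSWD: /usr/local/bin/mkremotedir
# Call from PHP (the web user is 'nobody'):
#   exec('/usr/bin/sudo -u deploy /usr/local/bin/mkremotedir '
#        . escapeshellarg($dir), $output, $status);
set -u

SSH_BIN=${SSH_BIN:-/usr/bin/ssh}          # full path: never depend on $PATH
KEY=${KEY:-/home/deploy/.ssh/id_rsa}      # -i wants the private key FILE, not ~/.ssh
REMOTE=${REMOTE:-deploy@svrB}             # a limited account on svrB, not root
REMOTE_SCRIPT=/tmp/test.sh                # the thread's one-liner: mkdir /tmp/$1

# Allowlist the directory name before any shell (local or remote) sees it:
# 1-64 chars of [A-Za-z0-9_-], not starting with '-' (so it cannot be read
# as an option). This rejects '..', '/', spaces and every shell metacharacter.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Translate an exit status into what actually failed. ssh reserves 255 for
# its own errors (connection, host key, authentication); any other value is
# the remote command's own exit status. 64 is this wrapper's "bad argument".
explain_status() {
    case $1 in
        0)   echo "ok: remote command succeeded" ;;
        64)  echo "wrapper rejected the argument before running ssh" ;;
        255) echo "ssh itself failed (connection, host key or authentication), remote command never ran" ;;
        *)   echo "remote command exited with status $1" ;;
    esac
}

# Run the remote script with one validated argument. BatchMode=yes makes ssh
# fail instead of prompting when no key works, which is what you want when
# there is no tty behind the web server.
run_remote() {
    name=$1
    if ! valid_name "$name"; then
        echo "refusing directory name: '$name'" >&2
        return 64
    fi
    "$SSH_BIN" -i "$KEY" -o BatchMode=yes -o ConnectTimeout=10 \
        "$REMOTE" "$REMOTE_SCRIPT" "$name"
}

if [ $# -gt 0 ]; then
    run_remote "$1"
    status=$?
    explain_status "$status" >&2
    exit "$status"
fi
```

To check the rule end to end, run `sudo -u deploy /usr/local/bin/mkremotedir release_2005-08` as the web user; the wrapper's exit status is what PHP's exec() hands back in its third argument, so the 0/64/255 split above is exactly what the PHP side can branch on.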
Re: [PHP] Re: run remote shell script
Thanks Matthew. You and Richard have been very helpful. I should be able to carry on. Thank you again.

-- Roger

Quoting Matthew Weier O'Phinney [EMAIL PROTECTED]:
> First off, Roger, Thomas, not sure which is your given name -- please use a mail or news agent that will wrap your lines with linebreaks at 72 characters.
> [...]
[PHP] Re: run remote shell script
* Roger Thomas [EMAIL PROTECTED]:
> My PHP script is in svrA. How do I run a shell script in svrB? svrB does not have PHP and Apache :( Is this at all possible? Please advise.

Use ssh. You will have to setup remote key authentication from svrA to svrB (so that a password will not be needed), and then in your script you would call:

    system('ssh svrB /path/to/scriptToRun');

-- 
Matthew Weier O'Phinney
Zend Certified Engineer
http://weierophinney.net/matthew/
Re: [PHP] Re: run remote shell script
OK. I am able to setup remote key authentication between svrA and svrB.

From svrA I can login to svrB with something like

    [EMAIL PROTECTED] www]$ ssh [EMAIL PROTECTED]

and I can also execute a shell script like

    [EMAIL PROTECTED] www]$ ssh [EMAIL PROTECTED] /tmp/test.sh

On svrA I have a PHP script like so:

    <?php
    system('ssh [EMAIL PROTECTED] /tmp/test.sh someDIR');
    ?>

/tmp/test.sh on svrB is only a one liner like so:

    mkdir /tmp/$1

I ran the script from the browser but the /tmp/someDIR is not created :(

Could it be that user nobody on svrA is *not* allowed to connect to svrB because the public key belongs to user www ? How do I rectify this ?

In the actual situation, I need to execute a shell script in svrB (from browser served by Apache on svrA) that only root can run. Please advise. I am getting very worried.

-- Roger

Quoting Matthew Weier O'Phinney [EMAIL PROTECTED]:
> * Roger Thomas [EMAIL PROTECTED]:
> > My PHP script is in svrA. How do I run a shell script in svrB? svrB does not have PHP and Apache :( Is this at all possible? Please advise.
>
> Use ssh. You will have to setup remote key authentication from svrA to svrB (so that a password will not be needed), and then in your script you would call:
>
>     system('ssh svrB /path/to/scriptToRun');