
Thread: PHP5 / exec() / sudoers

  1. #1
    Happy Steadfast Client
    Join Date
    Jan 2006
    Location
    Miami, Fl
    Posts
    125

    PHP5 / exec() / sudoers

    On my old server I was able to use the sudoers file to run a script from PHP (apache) as a non-privileged user with a limited command list.

    I set this up on my new server and tested on SSH by giving apache a /bin/bash and su'n to apache. While on shell as user apache I was able to do...
    Code:
    /usr/bin/sudo -u theuser /usr/bin/kill 12345
    This would kill process 12345, but when trying to do it using PHP exec() it doesn't work.
    Code:
    exec("/usr/bin/sudo -u theuser /usr/bin/kill $process", $out, $ret);
    I set up visudo the same as it was on the prior server.
    Went from CentOS4 > CentOS5 which also means PHP4 to PHP5

    I've tried a bunch of things and just can't figure it out. I am thinking it must be PHP b/c I am able to use it from the command line.

    I also tried running PHP from command line and the above exec() that doesn't work from the browser did work as shell user apache using command line php.

    Any ideas?
    [ JUSTIN ]
    [ justechnology llc ]
    [ WEB DESIGN / DEVELOPMENT, TECHNICAL CONSULTING, & BUSINESS WEB HOSTING
    ]
    [ when will apple? ]
    [ GUESS THE RELEASE DATE AND GET THE SCOOP ON APPLE'S NEW PRODUCTS
    ]

  2. #2
    I love LAMP.
    Join Date
    Jul 2004
    Location
    Chicago, Illinois, United States
    Posts
    201


    Does the exec command assign any value to $out or $ret? You might want to flip on display_errors and boost the error reporting to include notices, to see if you can get PHP to spit out an explanation.
    Kevin Stange
    Chief Technology Officer
    Steadfast Networks
    http://steadfast.net
    kevin@steadfast.net

  3. #3
    Happy Steadfast Client
    Join Date
    Jan 2006
    Location
    Miami, Fl
    Posts
    125


    PHP wasn't having any errors; it was a sudo error, and I used a trick I found at the URL below (2>&1) to force that error out to stdout.

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Well I finally found the issue thanks to this guy on the fedora forums
    http://forums.fedoraforum.org/showthread.php?t=159677
    Quote Originally Posted by LuAn@forums.fedoraforum.org
    I just nailed this. The breakthrough came when I tried:

    $output = exec('/usr/bin/sudo /usr/bin/whoami 2>&1');


    The result should be 'root' but what I got, courtesy of the bit on the end, was this: 'sudo: sorry, you must have a tty to run sudo'

    A search on that told me that the issue related to a setting in /etc/sudoers which is used in Fedora Core 6 namely:

    Defaults requiretty


    Apparently FC6 is the only OS that has that setting (which explains why I was struggling to find any information about what was causing the problem).
    So I just commented out the "Defaults requiretty" and it started working. I love spending hours trying to fix something and all it took was one #.

  4. #4
    Junior Member
    Join Date
    Jan 2008
    Posts
    4


    Comment out the requiretty line in your sudoers file.
    Alexey Kovyrin, MySQL Performance Expert
    MySQL Performance Blog
    MySQL Consulting
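
Added example (not part of any post in this thread, and not the posters' code): a PHP wrapper around the `exec()` call from post #1 that validates the PID before it reaches the shell, captures sudo's stderr with `2>&1` as in post #3, and flags the requiretty failure. The function name `kill_via_sudo`, the `apache` account and the `NOPASSWD` rule in the sudoers comment are assumptions; that comment shows a per-user `Defaults` line as an alternative to commenting out `requiretty` for every account.

```php
<?php
// Added example; not code from the thread. Assumed sudoers entries (edit with visudo),
// scoped to the web server account instead of removing requiretty for every user:
//   Defaults:apache !requiretty
//   apache ALL=(theuser) NOPASSWD: /usr/bin/kill
// "apache" and NOPASSWD are assumptions; "theuser" and the paths come from post #1.

function kill_via_sudo($pid, $user = 'theuser')
{
    // Accept only a plain decimal PID above 1, so request data can never add
    // shell syntax or extra arguments to the command line.
    if (!is_scalar($pid) || !preg_match('/^[1-9][0-9]{0,9}$/', (string) $pid)
        || (int) $pid <= 1) {
        return ['ok' => false, 'status' => null, 'tty_required' => false,
                'output' => ['rejected: not a valid PID']];
    }

    // escapeshellarg() is defence in depth; 2>&1 folds sudo's stderr into $out.
    $cmd = sprintf('/usr/bin/sudo -u %s /usr/bin/kill %s 2>&1',
                   escapeshellarg($user), escapeshellarg((string) $pid));
    $out = [];
    $ret = -1;
    exec($cmd, $out, $ret);

    // The failure from post #3: sudo refuses to run without a terminal.
    $tty = strpos(implode("\n", $out), 'you must have a tty') !== false;

    return ['ok' => $ret === 0, 'status' => $ret, 'tty_required' => $tty, 'output' => $out];
}

// Constructed inputs: the first is rejected before exec(); the second runs sudo.
foreach (['12345; true', '12345'] as $candidate) {
    $r = kill_via_sudo($candidate);
    if (!$r['ok']) {
        error_log(sprintf('kill_via_sudo(%s) failed: status=%s tty_required=%s %s',
            var_export($candidate, true), var_export($r['status'], true),
            $r['tty_required'] ? 'yes' : 'no', implode(' | ', $r['output'])));
    }
}
```

Logging the exit status and combined output on every failure gives the web process the same sudo message the posters only saw after appending `2>&1`.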
