Home > Backend Development > PHP Tutorial > How to let PHP execute system commands with ROOT permissions_PHP Tutorial

How to let PHP execute system commands with ROOT permissions_PHP Tutorial

WBOY
Release: 2016-07-21 15:31:39
Original
1142 people have browsed it

It is used as a reference to solve the problem of php executing some commands or applications that ordinary users cannot execute with root permissions.
In fact, the popen() function in PHP can solve this problem, but due to system security considerations in some versions of Linux (such as Centos 5 I use),
it makes solving this problem a lot more troublesome. . Let’s first look at an example of a netizen using the popen() function.

Copy code The code is as follows:

/* How to add a system user in PHP
The following is a routine, Add a user named James,
The root password is Louis. For reference only
*/
$sucommand = "su root --command";
$useradd = "/scripts/demo/runscripts.php";
$rootpasswd = "louis";
$user = "james";
$user_add = sprintf("%s %s",$sucommand,$useradd);
$fp = @popen($user_add,"w");
@fputs($fp,$rootpasswd);
@pclose($fp);

After my own testing, it is confirmed that this code cannot be implemented (at least in my system) Such) results that the author wants to obtain. After a long time of google,
The key to the problem is that the password required for the su root command must be entered in the terminal and cannot be obtained through other methods (I don’t know if there are other methods).
Since the project requires that applications like sudo cannot be used, in desperation, I chose the method proposed by netizens to write a C program to solve this problem.
First write a C program, name it: run.c and put it in the directory /scripts/demo/
Copy the code The code is as follows:

#include
#include
#include
#include
int main()
{
uid_t uid ,euid;
//char cmd[1024]; //The variable is temporarily unused
uid = getuid();
euid = geteuid ();
printf("my uid :%un",getuid()); //The current uid shown here can be commented out.
printf("my euid :%un",geteuid() ); //What is displayed here is the current euid
if(setreuid(euid, uid)) //Exchange these two ids
perror("setreuid");
printf("after setreuid uid: %un",getuid());
printf("afer sertreuid euid :%un",geteuid());
system("/scripts/demo/runscripts.php"); //Execute script
return 0;
}

Compile this file:
gcc -o run -Wall run.c
Generate the run file, this executable file, in this path. If you use PHP script to call this run now, even if setreuid is set, it will not work.
The next thing to do is: give suid permissions to run
# chmod u+s run
# ls
# -rwsr-xr-x 1 root root 5382 Jul 2 21:45 run
Okay, it has been set up, let’s write a php page to call it.
Copy code The code is as follows:

echo '
'; <br> $last_line = system('/scripts/demo/run', $retval); <br>echo ' <br>


Last line of the output: ' . $last_line . '

Return value: ' . $retval;
?>

View in browser.
my uid :48
my euid :0
after setreuid uid :0
afer sertreuid euid :48

------------- -------------------------------------------------- ----------------
Last line of the output: afer sertreuid euid :48
----------------- -------------------------------------------------- -------------
Return value: 0
The command was executed successfully.
As can be seen from the displayed results: the uid of apache (daemon) is 48 (in fact, the uid of daemon in many Linux systems is 2).
After calling setreuid, the effective user ID and the actual user ID are exchanged. (Must be when chmod u+s is in effect) Make the current uid of apache 0 so that you can execute the root command.
You only need to change the command to be executed by system in the C file to implement your own PHP to execute commands as the root role.

Playing C I have played PHP for a while before. When did I need to use PHP to run the root command, I was unsuccessful until one day I searched for the super plug-in.
As I play C more and more .I found that C language can be used to wrap the external command to be run. I experimented and it was successful.
You can use PHP to execute the root command without any external tools.
I will publish the method to everyone below, Friends who need to use php to run root commands don’t have to worry.
Platform: Linux. Experimental command iptables The current directory is /var/www/html/http
Use the root user when writing programs
Everyone knows that iptables cannot be run by non-root users.
First write a C program
and name it: ipt.c
Copy the code The code is as follows:

#include
#include
#include
#include
int main()
{
uid_t uid ,euid;
uid = getuid() ;
euid = geteuid();
printf("my uid :%un",getuid ()); //What is shown here is the current uid and can be commented out.
printf("my euid :%un",geteuid()); //What is shown here is the current euid
if(setreuid (euid, uid)) //Exchange these two ids
perror("setreuid");
printf("after setreuid uid :%un",getuid());
printf("afer sertruid euid :%un",geteuid());
system("/sbin/iptables -L"); //Execute iptables -L command
return 0;
}


Compile the file gcc -o ipt -Wall ipt.c
Generate the ipt executable file in this path.
If you use the PHP web page to call the ipt now, even if setreuid is used, it will not work .
The next thing to do is chmod u+s ./ipt
ls and
-rwsr-xr-x 1 root root 5382 Jul 2 21:45 ipt
s bit has been set .
Write another php page to call it.
Copy the code The code is as follows:

echo '
'; <br>$last_line = system('/var/www/html/http/ipt', $retval); <br>echo ' <br>


Last line of the output: ' . $last_line . '

Return value: ' . $retval;
?>

Browse in your browser.

[color=Red]Chain INPUT (policy ACCEPT)
target prot opt ​​source destination
Chain FORWARD (policy DROP)
target prot opt ​​source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt ​​source destination [/color]
[color=Blue]my uid :48
my euid : 0
after setreuid uid :0
afer sertreuid euid :48[/color]

----------------------- -------------------------------------------------- -------
Last line of the output: afer sertreuid euid :48
-------------------------- -------------------------------------------------- ----
Return value: 0

The command was executed successfully..
As we all know: the uid of apache is 48. After calling setreuid, the effective user id and the actual user id are exchanged. ( This must be done when chmod u+s is in effect) so that the current uid of apache is 0 so that the root command can be executed.

You only need to change the command to be executed by the system in the C file to implement your own PHP execution root command.

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/322943.htmlTechArticle is used as a reference to solve the problem of php executing some commands or applications that cannot be executed by ordinary users with root permissions. In fact, the popen() function in php can solve this problem, but due to some versions...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template