Re: [PHP-DEV] running php script from cron with permissions
power cycle maybe :)

--
veins
a bofh said: I too can bore you with useless encrypted keys... ? ssa ruoy pu ti evohs dna yek pgp ruoy ekat uoy t'nod yhw

- Original Message -
From: [EMAIL PROTECTED]
To: Hamlet [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 21, 2002 11:16 PM
Subject: Re: [PHP-DEV] running php script from cron with permissions

On Sun, 21 Jul 2002, Hamlet wrote:

True. Somehow slipped my mind, now it works perfectly. PHP is awesome for system scripting.

Just wondering... why would you want to reboot your machine from a cron job? :)

Derick

David Eriksson [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

On Sun, 21 Jul 2002, Hamlet wrote:

Hi there,

I've got a problem that's just a tidbit annoying. I've got a neat little php script to keep my home network running. At one point in this script it's required to reboot the machine the script is running on, and this I'm trying to do with exec("reboot"). Now, I run the cron job as root, and if I try

php <? exec("reboot"); ?>

from console it works fine. But not when cron tries to. I've got my suspicions as to cron doing something kinky with the permissions, and therefore permissions are not enough for php to execute the reboot command. I've been at this all day, suggestions are more than welcome.

It's not certain that the reboot command is in your PATH environment variable when cron is running. Try adding a line similar to the one below in the beginning of your cron script, or specify the full path when you use exec() in PHP.

PATH=/bin:/usr/bin:/usr/sbin

Regards,
-\- David Eriksson -/-
I personally refuse to use inferior tools because of ideology. - Linus Torvalds

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

--
Did I help you? http://www.derickrethans.nl/link.php?url=giftlist
Frequent ranting: http://www.derickrethans.nl/
PHP: Scripting the Web - [EMAIL PROTECTED]
All your branches are belong to me!
SRM: Script Running Machine - www.vl-srm.net
[PHP-DEV] feature request
hi,

I have a feature request for the exec() family. I was thinking of adding a fourth optional argument to be passed as the argv[0] so that the name that appears in a 'ps' can be changed.

The reason is simple, as many people do, I usually have php call a shell script or a perl script on the system for some tasks, this is done after an authentication and having the command line passed to the shell is even worse than having no authentication at all.

Is there a particular reason why it was not implemented ?

--
veins
a bofh said: I too can bore you with useless encrypted keys... ? ssa ruoy pu ti evohs dna yek pgp ruoy ekat uoy t'nod yhw
[PHP-DEV] Bug #13843 Updated: Command line arguments escaped magically and out of control
ID: 13843
Comment by: [EMAIL PROTECTED]
Old Reported By: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Program Execution
Operating System: Unix
PHP Version: 4.0.6

New Comment:

I understand that pipes and redirections could break the point of using safe_mode but, what I can't understand, is how a space in an argument can make the system vulnerable...

Previous Comments:

[2001-10-29 16:27:41] [EMAIL PROTECTED]

Rats! I meant to say to standard out in the last sentence.

[2001-10-29 16:23:58] [EMAIL PROTECTED]

Rasmus, what you are saying about shell redirection being a threat under safe mode makes sense. But how about being able to pass parameters with spaces in them? I cannot see any security implication in that... In any case, I want to be able to read standard error from the command I'm executing...

How about providing a PHP variant of C's execv() in PHP, so that I could pass it an array of parameters? And, perhaps, add a flag to existing program execution functions to duplicate standard error to standard in.

[2001-10-29 16:14:34] [EMAIL PROTECTED]

I forgot to add that it appears that this bug is not Solaris-specific, but, rather, safe mode specific.

[2001-10-29 16:14:31] [EMAIL PROTECTED]

Well, not being able to use shell redirection and command line args in safe-mode makes a lot of sense. You could trivially circumvent the safe-mode restrictions if you were allowed to do this. Basically safe-mode only allows system calls to very limited things. Basically prepared scripts placed in the safe-mode-exec-dir. I don't see how we could allow arguments and redirects and still maintain the point behind safe-mode.

[2001-10-29 16:09:44] [EMAIL PROTECTED]

I've looked into this further, and here's the scoop. Under safe mode, php uses php_escape_shell_cmd() function to escape any command passed to program execution functions.
As a result, if I pass a command like this: /www/bin/foo bar c 21 it will turn it into /www/bin/foo \bar c\ 2\\1 I, as a PHP developer, have no control over this under safe mode. Among other things, this means that I cannot pass my program an argument, containing spaces, nor can I use shell redirection machinery. I propose a patch like below to inhibit this automatic escaping. diff -rc php-4.0.6-orig/ext/standard/exec.c php-4.0.6/ext/standard/exec.c *** php-4.0.6-orig/ext/standard/exec.c Mon Apr 30 08:43:39 2001 --- php-4.0.6/ext/standard/exec.c Mon Oct 29 15:31:06 2001 *** *** 92,100 *c = ' '; strncat(d, c, overflow_limit); } - tmp = php_escape_shell_cmd(d); - efree(d); - d = tmp; #if PHP_SIGCHILD sig_handler = signal (SIGCHLD, SIG_DFL); #endif --- 92,97 The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/?id=13843 Edit this bug report at http://bugs.php.net/?id=13843edit=1 -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
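Review bot: deleting the php_escape_shell_cmd(d) call in the hunk at lines 92-100 of ext/standard/exec.c removes escaping for every safe-mode command that reaches this point, not only for spaces, so pipes, redirections and command separators in the caller's string reach the shell unfiltered and the restriction described in the earlier comment (only prepared scripts in the safe-mode exec dir) no longer holds. I would keep the escape on this path and instead add an argument-array interface in the style of execv(), as proposed earlier in this report, so that an argument containing spaces is passed without any shell parsing it. If the removal stays, the assignment "d = tmp;" was the only use of tmp visible here, so check whether its declaration is still needed.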
[PHP-DEV] Bug #14448: exec()-like calls are done with webserver uid
From: [EMAIL PROTECTED]
Operating system: Unix
PHP version: 4.1.0
PHP Bug Type: Unknown/Other Function
Bug description: exec()-like calls are done with webserver uid

When safe_mode is enabled, exec()-like calls are still done with the webserver uid, letting users execute any server scripts owned by 'www' (for example).

In the case that php_safe_dir = /usr/local/phpexec:

# chmod 700 /usr/local/phpexec
# chown www.www /usr/local/phpexec

Inside I put the following sh script:

#!/bin/sh
#
echo `id`

Now I log in as user 'veins', make a php script with the following:

<?
exec("/usr/local/phpexec/id.sh", $value, $return);
echo $value[0];
?>

When I go to ~veins/id.php I get the following:

uid=67(www) gid=67(www) groups=67(www)

--
Edit bug report at: http://bugs.php.net/?id=14448&edit=1
[PHP-DEV] Bug #11863 Updated: Cannot connect to mysql server
ID: 11863 User Update by: [EMAIL PROTECTED] Old-Status: Feedback Status: Open Bug Type: MySQL related Operating system: Unix PHP Version: 4.0.6 Description: Cannot connect to mysql server of course ;) http://www.kheos.net/info.php I'm making it right now so by the time you see this post it'll be available. Best regards, Veins Previous Comments: --- [2001-07-04 13:35:14] [EMAIL PROTECTED] Hello, can you make a page with ?php phpinfo(); ? available to us? Derick --- [2001-07-03 16:44:53] [EMAIL PROTECTED] Yeah, the server is actually running as i can connect to it from console. The socket is set srwxrwxrwx so it is also ok i presume. The exact same configuration used to work with php-4.0.5 :/ --- [2001-07-03 16:41:17] [EMAIL PROTECTED] Yeah, the server is actually running as i can connect to it from console. The socket is set srwxrwxrwx so it is also ok i presume. The exact same configuration used to work with php-4.0.5 :/ --- [2001-07-03 16:32:07] [EMAIL PROTECTED] It works fine here. Are you sure MySQl is actually running, and are the permissions on the socket correct? Derick --- [2001-07-03 16:28:24] [EMAIL PROTECTED] I am using php-4.0.6 with MySQL-3.23.39 and there seems to be a problem with connecting to the database server. Problem that didn't happen with any previous version (even php-4.0.5 that i was using till today). phpinfo() shows a correct configuration and correct path to the socket, mysql server works correctly from console and i'm not using the bundled libraries (tried them also and it gave the same error). This was reproductible under OpenBSD-2.7-stable, OpenBSD-2.8, OpenBSD-2.8-stable, OpenBSD-2.9, OpenBSD-2.9-stable, Linux Debian (current), Linux RedHat 7.0, Linux Slackware 7.1 and probably others. 
Configuration flags of PHP are: --with-apache=/usr/local/apache --with-mysql=/usr/local/mysqlc --with-openssl=/usr/local/ssl --with-gd=/usr/local/gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-zlib-dir=/usr/local --with-ttf=/usr/local --enable-apc --enable-calendar --enable-bcmath --enable-track-vars MySQL related configuration directives in php.ini are: mysql.allow_persistent = Off mysql.max_persistent = 0 mysql.max_links = 1000 mysql.default_port = 3306 mysql.default_socket = /usr/local/mysqlc/var/mysql.sock mysql.default_host = localhost MySQL was compiled with the following flags: --enable-static --localstatedir=/usr/local/mysqlc/var --with-libwrap=/usr --with-mysqld-user=mysqlc --with-unix-socket-path=/usr/local/mysqlc/var/mysql.sock --with-tcp-port=3306 --without-bench --without-mit-threads Error returned: Warning: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Warning: MySQL Connection Failed: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Script that returned the error: ? mysql_connect(localhost,joeuser,joepassword); ? By the way, if someone would care to write a patch for: http://www.php.net/bugs.php?id=11767 I'd appreciate it cause i got poor C skills ;p --- The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online. Full Bug description available at: http://bugs.php.net/?id=11863 -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP-DEV] Bug #11863 Updated: Cannot connect to mysql server
ID: 11863 User Update by: [EMAIL PROTECTED] Status: Open Bug Type: MySQL related Operating system: Unix PHP Version: 4.0.6 Description: Cannot connect to mysql server By the way, i've been testing a few things and php will connect to the database if i trick it into using tcp connection instead of socket connection and using LAN ip address instead of 'localhost' or loopback IP address. Won't work: ? mysql_connect(localhost:3306, me,mypass); ? Won't work either: ? mysql_connect(localhost:/path/to/socket, me,mypass); ? Works (when i define sql to be LAN ip address of server): ? mysql_connect(sql, me,mypass); ? Previous Comments: --- [2001-07-04 15:41:18] [EMAIL PROTECTED] of course ;) http://www.kheos.net/info.php I'm making it right now so by the time you see this post it'll be available. Best regards, Veins --- [2001-07-04 13:35:14] [EMAIL PROTECTED] Hello, can you make a page with ?php phpinfo(); ? available to us? Derick --- [2001-07-03 16:44:53] [EMAIL PROTECTED] Yeah, the server is actually running as i can connect to it from console. The socket is set srwxrwxrwx so it is also ok i presume. The exact same configuration used to work with php-4.0.5 :/ --- [2001-07-03 16:41:17] [EMAIL PROTECTED] Yeah, the server is actually running as i can connect to it from console. The socket is set srwxrwxrwx so it is also ok i presume. The exact same configuration used to work with php-4.0.5 :/ --- [2001-07-03 16:32:07] [EMAIL PROTECTED] It works fine here. Are you sure MySQl is actually running, and are the permissions on the socket correct? Derick --- The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online. Full Bug description available at: http://bugs.php.net/?id=11863 -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP-DEV] Bug #11863: Cannot connect to mysql server
From: [EMAIL PROTECTED] Operating system: Unix PHP version: 4.0.6 PHP Bug Type: MySQL related Bug description: Cannot connect to mysql server I am using php-4.0.6 with MySQL-3.23.39 and there seems to be a problem with connecting to the database server. Problem that didn't happen with any previous version (even php-4.0.5 that i was using till today). phpinfo() shows a correct configuration and correct path to the socket, mysql server works correctly from console and i'm not using the bundled libraries (tried them also and it gave the same error). This was reproductible under OpenBSD-2.7-stable, OpenBSD-2.8, OpenBSD-2.8-stable, OpenBSD-2.9, OpenBSD-2.9-stable, Linux Debian (current), Linux RedHat 7.0, Linux Slackware 7.1 and probably others. Configuration flags of PHP are: --with-apache=/usr/local/apache --with-mysql=/usr/local/mysqlc --with-openssl=/usr/local/ssl --with-gd=/usr/local/gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-zlib-dir=/usr/local --with-ttf=/usr/local --enable-apc --enable-calendar --enable-bcmath --enable-track-vars MySQL related configuration directives in php.ini are: mysql.allow_persistent = Off mysql.max_persistent = 0 mysql.max_links = 1000 mysql.default_port = 3306 mysql.default_socket = /usr/local/mysqlc/var/mysql.sock mysql.default_host = localhost MySQL was compiled with the following flags: --enable-static --localstatedir=/usr/local/mysqlc/var --with-libwrap=/usr --with-mysqld-user=mysqlc --with-unix-socket-path=/usr/local/mysqlc/var/mysql.sock --with-tcp-port=3306 --without-bench --without-mit-threads Error returned: Warning: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Warning: MySQL Connection Failed: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Script that returned the error: ? mysql_connect(localhost,joeuser,joepassword); ? 
By the way, if someone would care to write a patch for: http://www.php.net/bugs.php?id=11767 I'd appreciate it cause i got poor C skills ;p -- Edit Bug report at: http://bugs.php.net/?id=11863edit=1 -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP-DEV] Bug #11863 Updated: Cannot connect to mysql server
ID: 11863 User Update by: [EMAIL PROTECTED] Old-Status: Feedback Status: Open Bug Type: MySQL related Operating system: Unix PHP Version: 4.0.6 Description: Cannot connect to mysql server Yeah, the server is actually running as i can connect to it from console. The socket is set srwxrwxrwx so it is also ok i presume. The exact same configuration used to work with php-4.0.5 :/ Previous Comments: --- [2001-07-03 16:32:07] [EMAIL PROTECTED] It works fine here. Are you sure MySQl is actually running, and are the permissions on the socket correct? Derick --- [2001-07-03 16:28:24] [EMAIL PROTECTED] I am using php-4.0.6 with MySQL-3.23.39 and there seems to be a problem with connecting to the database server. Problem that didn't happen with any previous version (even php-4.0.5 that i was using till today). phpinfo() shows a correct configuration and correct path to the socket, mysql server works correctly from console and i'm not using the bundled libraries (tried them also and it gave the same error). This was reproductible under OpenBSD-2.7-stable, OpenBSD-2.8, OpenBSD-2.8-stable, OpenBSD-2.9, OpenBSD-2.9-stable, Linux Debian (current), Linux RedHat 7.0, Linux Slackware 7.1 and probably others. 
Configuration flags of PHP are: --with-apache=/usr/local/apache --with-mysql=/usr/local/mysqlc --with-openssl=/usr/local/ssl --with-gd=/usr/local/gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-zlib-dir=/usr/local --with-ttf=/usr/local --enable-apc --enable-calendar --enable-bcmath --enable-track-vars MySQL related configuration directives in php.ini are: mysql.allow_persistent = Off mysql.max_persistent = 0 mysql.max_links = 1000 mysql.default_port = 3306 mysql.default_socket = /usr/local/mysqlc/var/mysql.sock mysql.default_host = localhost MySQL was compiled with the following flags: --enable-static --localstatedir=/usr/local/mysqlc/var --with-libwrap=/usr --with-mysqld-user=mysqlc --with-unix-socket-path=/usr/local/mysqlc/var/mysql.sock --with-tcp-port=3306 --without-bench --without-mit-threads Error returned: Warning: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Warning: MySQL Connection Failed: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Script that returned the error: ? mysql_connect(localhost,joeuser,joepassword); ? By the way, if someone would care to write a patch for: http://www.php.net/bugs.php?id=11767 I'd appreciate it cause i got poor C skills ;p --- Full Bug description available at: http://bugs.php.net/?id=11863 -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP-DEV] Bug #11863 Updated: Cannot connect to mysql server
ID: 11863 User Update by: [EMAIL PROTECTED] Status: Open Bug Type: MySQL related Operating system: Unix PHP Version: 4.0.6 Description: Cannot connect to mysql server Yeah, the server is actually running as i can connect to it from console. The socket is set srwxrwxrwx so it is also ok i presume. The exact same configuration used to work with php-4.0.5 :/ Previous Comments: --- [2001-07-03 16:41:17] [EMAIL PROTECTED] Yeah, the server is actually running as i can connect to it from console. The socket is set srwxrwxrwx so it is also ok i presume. The exact same configuration used to work with php-4.0.5 :/ --- [2001-07-03 16:32:07] [EMAIL PROTECTED] It works fine here. Are you sure MySQl is actually running, and are the permissions on the socket correct? Derick --- [2001-07-03 16:28:24] [EMAIL PROTECTED] I am using php-4.0.6 with MySQL-3.23.39 and there seems to be a problem with connecting to the database server. Problem that didn't happen with any previous version (even php-4.0.5 that i was using till today). phpinfo() shows a correct configuration and correct path to the socket, mysql server works correctly from console and i'm not using the bundled libraries (tried them also and it gave the same error). This was reproductible under OpenBSD-2.7-stable, OpenBSD-2.8, OpenBSD-2.8-stable, OpenBSD-2.9, OpenBSD-2.9-stable, Linux Debian (current), Linux RedHat 7.0, Linux Slackware 7.1 and probably others. 
Configuration flags of PHP are: --with-apache=/usr/local/apache --with-mysql=/usr/local/mysqlc --with-openssl=/usr/local/ssl --with-gd=/usr/local/gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-zlib-dir=/usr/local --with-ttf=/usr/local --enable-apc --enable-calendar --enable-bcmath --enable-track-vars MySQL related configuration directives in php.ini are: mysql.allow_persistent = Off mysql.max_persistent = 0 mysql.max_links = 1000 mysql.default_port = 3306 mysql.default_socket = /usr/local/mysqlc/var/mysql.sock mysql.default_host = localhost MySQL was compiled with the following flags: --enable-static --localstatedir=/usr/local/mysqlc/var --with-libwrap=/usr --with-mysqld-user=mysqlc --with-unix-socket-path=/usr/local/mysqlc/var/mysql.sock --with-tcp-port=3306 --without-bench --without-mit-threads Error returned: Warning: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Warning: MySQL Connection Failed: Can't connect to local MySQL server through socket '/usr/local/mysqlc/var/mysql.sock' (13) in /home/www/k/kheos.net/test.php on line 3 Script that returned the error: ? mysql_connect(localhost,joeuser,joepassword); ? By the way, if someone would care to write a patch for: http://www.php.net/bugs.php?id=11767 I'd appreciate it cause i got poor C skills ;p --- Full Bug description available at: http://bugs.php.net/?id=11863 -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP-DEV] Bug #11767 Updated: Bad escape sequence
ID: 11767
User Update by: [EMAIL PROTECTED]
Status: Open
Bug Type: Program Execution
Operating system: Unix
PHP Version: 4.0.6
Description: Bad escape sequence

I had some time this morning to check for the infamous bug and while watching standard/exec.c I found out that the index of chars that should be backslashed didn't include \x20. File was modified in consequence and after a recompilation I was surprised to see that it didn't work :/

If anyone plans to correct this, do not add \x20 to the index of chars cause it would also backslash spaces between the binary name and the vars. The same example as previous post would _try_ to execute `echo.sh\ this\ is\ a\ test` as a single command :(

I would like to point to the fact that this bug affects many, many, many people using a system based authentication as it prevents users from log into whatever they want to log into correctly. It prevents also the use of any kind of system() function when a space is needed anywhere in the call.

Previous Comments:

---
[2001-06-28 02:27:48] [EMAIL PROTECTED]

When safe_mode is set to On, it is impossible to pass a variable that contains a string with a space in it as an argument to any system() like function. The following script shows the problem:

<?
$somevar = "this is a test";
exec("echo.sh $somevar", $return);
echo $return[0];
?>

echo.sh being a simple shell script that echoes back anything that we feed it. The following PHP script will display 'this' instead of 'this is a test'. I tried backslashing every chars of the variable by writing a simple function but spaces seems not to be correctly passed to the shell script. The same script executed when safe_mode is set to off works perfectly...

Veins - [EMAIL PROTECTED]

---
Full Bug description available at: http://bugs.php.net/?id=11767
[PHP-DEV] Bug #11767: Bad escape sequence
From: [EMAIL PROTECTED]
Operating system: Unix
PHP version: 4.0.6
PHP Bug Type: Unknown/Other Function
Bug description: Bad escape sequence

When safe_mode is set to On, it is impossible to pass a variable that contains a string with a space in it as an argument to any system() like function. The following script shows the problem:

<?
$somevar = "this is a test";
exec("echo.sh $somevar", $return);
echo $return[0];
?>

echo.sh being a simple shell script that echoes back anything that we feed it. The following PHP script will display 'this' instead of 'this is a test'. I tried backslashing every chars of the variable by writing a simple function but spaces seems not to be correctly passed to the shell script. The same script executed when safe_mode is set to off works perfectly...

Veins - [EMAIL PROTECTED]

--
Edit Bug report at: http://bugs.php.net/?id=11767&edit=1
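The argument-array interface requested in bug #13843, applied to the echo.sh case from bug #11767, as an added C example that is not taken from PHP's source or from any poster. The names run_argv, demo_args, demo_stderr and the inline shell script standing in for echo.sh are constructed for illustration, and /bin/sh is assumed to exist.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the report's echo.sh: prints each argument
 * it receives on its own line, in brackets. */
static char ECHO_SCRIPT[] = "for a in \"$@\"; do printf '[%s]\\n' \"$a\"; done";

/* Hypothetical helper: run argv[0] via execv(), so no shell ever parses
 * the arguments and nothing needs escaping. Captures stdout (plus stderr
 * when merge_stderr is non-zero) into out. Returns the child's exit
 * status, or -1 on failure. */
int run_argv(char *const argv[], int merge_stderr, char *out, size_t outsz)
{
    int fds[2];
    size_t used = 0;
    ssize_t n;
    int status;

    if (outsz == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                          /* child */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        if (merge_stderr)
            dup2(fds[1], STDERR_FILENO);     /* stderr duplicated to stdout */
        close(fds[1]);
        execv(argv[0], argv);                /* full path, no PATH lookup */
        _exit(127);                          /* only reached if execv failed */
    }
    close(fds[1]);
    for (;;) {
        char spill[256];                     /* drain overflow so the child never blocks */
        int full = used >= outsz - 1;
        n = full ? read(fds[0], spill, sizeof spill)
                 : read(fds[0], out + used, outsz - 1 - used);
        if (n <= 0)
            break;
        if (!full)
            used += (size_t)n;
    }
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* A value with spaces and a value that looks like a redirection both
 * arrive as single, literal arguments. */
int demo_args(char *out, size_t outsz)
{
    char *const argv[] = { "/bin/sh", "-c", ECHO_SCRIPT, "echo.sh",
                           "this is a test", "2>&1", NULL };
    return run_argv(argv, 0, out, outsz);
}

/* A failing child that writes only to stderr (constructed). */
int demo_stderr(int merge, char *out, size_t outsz)
{
    char *const argv[] = { "/bin/sh", "-c", "echo oops >&2; exit 3",
                           "fail.sh", NULL };
    return run_argv(argv, merge, out, outsz);
}

int main(void)
{
    char buf[128];
    int rc = demo_args(buf, sizeof buf);
    printf("exit=%d\n%s", rc, buf);
    rc = demo_stderr(1, buf, sizeof buf);
    printf("exit=%d merged=%s", rc, buf);
    return 0;
}
```

Because the argument vector goes straight to execv(), the space-containing value needs no backslashes, and the stderr merge is done with dup2() in the child rather than with shell redirection syntax.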