PHP script can't run bash script. sh: Permission denied

Question

I'm trying to exec a .sh script from PHP, however it is not executing.

I checked the error logs, and I'm getting the 'sh: Permission denied' error. I checked under which user php is being run, and it's done under the apache user.

I tried changing the .sh's ownership to the apache user, but there is no result.

I thought at first this was because the script was outside the www/ dir, however even when I put the script in the same directory, the error is still being given.

Are there any solutions to this other than adding the apache user to the SUDOers list?

The sh script runs fine if I launch it from putty using the 'php filename.php' command.

Answer 1

Try the following suggestions:

• Try to run below test command, and check whether it worked:
  • php -r "echo exec('whoami');"
• Make sure that all parent directories and the files have at least r-x flag permissions:
  • chmod 755 dir; chmod 755 file
• Make sure that the owner of the file is your Apache user.
  • Try also to add a +s flag (sudo) to the file (not recommended):
    • chmod u+s file,
• Make sure that your PHP is not running in a safe_mode.
• Make sure that the script is inside your Apache root:
  • Otherwise, move the script inside it,
  • or add that directory to your Apache configuration,
  • or add this directory to your include_path, e.g.:
    • php.ini file: include_path ".:/usr/local/lib/php:/your/dir"
    • or .htaccess file: php_value include_path ".:/usr/local/lib/php:/your/dir"
• Check whether your shell is set to valid (e.g. /bin/sh) to your Apache user (e.g. check with: finger).
• Make sure that your php.ini doesn't use: disable_functions for exec function
• If using SELinux or having selinux-utils installed (a Security-enhanced Linux system), check getenforce/setenforce configuration as described in @Tonin answer.

Troubleshooting:

• If you changed your php.ini or httpd.conf file, don't forget to restart the web server,
• Check your Apache error log for additional details.
• Enable in your php.ini all kind of errors (display_error, error_reporting, etc.).

Answer 2

Such an issue might depend on the OS you use and how it is configured. Some linux distros (mainly those based on RHEL like CentOS or Fedora) come with SELinux activated by default. This can be checked, and temporarily changed, with the following commands:

root@ls:~# /usr/sbin/getenforce 
Enforcing
root@ls:~# /usr/sbin/setenforce Permissive
root@ls:~# /usr/sbin/getenforce 
Permissive

You can also have a more complete view on the current configuration with:

root@ls:~# /usr/sbin/sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

This change can be made permanent by editing the /etc/selinux/config file and set the SELINUX variable to permissive or disabled.

But, the correct way to solve this kind of issue, if you are indeed in this situation, is to check the /var/log/audit/audit.log log file. It will contain all the events related to SELinux rules. You'll then probably should give your script the correct context, i.e. being authorized to be run by the apache/php user. Checking SELinux security context is done with ls -Z:

root@ls:~# ls -alZ /var/www/cgi-bin/
drwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t .
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t ..

This list the User, the Role and the Type of each file/directory. Here the httpd_sys_script_exec_t type gives the files in the cgi directory the permission to be executed by httpd. Your shell script should probably have the same type.

You can also feed the audit.log lines to the audit2allow command. It will output you the changes needed to make SELinux happy. But usually the changes suggested need to be done on the SELinux policy itself which is not what you should do in your case (still, this output can give some clue at what is going on).

The following page describe a similar issue and different ways to solve it: http://sheltren.com/stop-disabling-selinux

Answer 3

So I got here after searching for a similar issue on Google. I thought to drop that the comment about SELinux pointed me in the right direction.

In my own case, I was using a custom Git deploy script that uses a shell command. The command works fine on BASH but then has "permission denied" and "not a repository" on Git. This was really strange and I went through multiple fixes until I stumbled on this answer.

root@ls:~# /usr/sbin/setenforce Permissive solved the problem for me.

Answer 4

My situation is slightly different, but Google brought me here, so I thought I'd share...

My server is running debian stable and trying to execute a shell script worked once then the permissions automagically changed to 644 and the next attempt to run the script got Permission denied. It turned out to be a samba server issue for me and I didn't notice the pattern until now.

The QA Strange permission changes when saving file on a Samba partition from a Windows editor was the fix. I did not know about the map archive = no option even after using samba shares for a decade.

Something about using Notepad++ on a Windows desktop would change the target files' permissions to 675 instead of 775 as the umask is set up for.

Answer 5

Running root commands in PHP via Apache

I have a web application that needs to perform shells commands as root within a PHP function, and you would think that would be pretty straight forward… but it did take my a few googles to get all the details, so here are my handy notes on it. This is on a Linux system running Apache, and we’ll be using “sudo” within “shell_exec” to run the commands.

The main thing is to edit the /etc/sudoers file, and typically you can (as root) use the ”visudo” command to do so.

Make sure apache can run commands, AND not require a password:

apache  ALL=(ALL)       NOPASSWD: ALL

Then you need to comment out this line:

#Defaults    requiretty

If you don’t, then you will see these errors in /var/log/secure: “sorry, you must have a tty to run sudo”. Now you are ready to go, and the PHP code is simple:

$results = shell_exec(‘sudo date’);