Granting sudo to PHP Script For Running Shell Commands

Jan 28, 2014 | 3 comments | BeagleBone, Linux

Giving sudo to PHP is one of several ways to execute a shell command from a web interface. It is probably not one of the most secure methods, so I recommend not doing this on a server that has outside (WAN) internet access, because of the possibility of malicious code being executed. A person with ill intent could then access your entire network, including any shared files, network attached storage, etc. You need to be careful with this.

First, I’ll cover alternative methods and then I’ll jump into how to do it with PHP.

Alternative Methods

  1. Use a text file to serve as the current command for the GPIO pin. Use a cron job to execute a Python script every minute that reads the text file and parses the instructions for each relay.
     • Cons:
       ◦ Slow. Cron jobs can only be executed as frequently as every minute. That’s how the system was designed. There are workarounds to this by using a while loop in the Python code, though.
       ◦ Requires more coding.
  2. Granting superuser to www-data.
     • Cons:
       ◦ Easily the least secure method of doing this. By granting superuser to www-data, you are giving superuser to every file that is executed by Apache. This is a huge security risk that will probably result in compromise of your server. Don’t do it.
  3. A variant of #1 is storing the desired state of the system in a MySQL database and reading it from Python. This may be the simplest method, because interacting with MySQL from Python is very easy to do.
  4. Running NodeJS and using socket.io to execute commands. This involves running a webserver in Node and interacting with the Node script with socket.io. I may cover how to do this in a future write-up.

Editing Your sudoers

Now, on to how to give permission to PHP. You are modifying /etc/sudoers to allow a specific PHP file to have sudo rights. I’ll mention security again: if you have an insecure script, say you are using HTTP GET to send the command to the script, anyone with access to the page will have free rein to execute any command they wish.

  1. Edit the sudoers file to include your script. Note that you really should use visudo instead of editing the file directly, as it checks the syntax before saving and is the safer method. You obviously need root to do this.
  2. You will see your sudoers file in a text editor. Here is a screenshot of mine:
     [screenshot: the sudoers file opened in the editor]
  3. Now we are going to add the permission for www-data (the Apache user) to our sudoers file. We don’t want to be prompted for a password, so we add NOPASSWD. Add the following text under the “# User privilege specification” section:
  4. Your sudoers should now look something like this:
     [screenshot: the sudoers file with the www-data entry added]
  5. You can get very specific in your sudoers permissions by only allowing specific commands to be executed. This is a very secure method of ensuring nothing malicious gets executed:

     Note that this is not file-specific, so any file executable by www-data will be able to run this command. This would be useful if you are controlling your GPIO pins in multiple scripts, but you could do this more easily using a PHP function to call this command.
  6. Close and save the file. How to do this will depend on the editor. I am running Debian, so nano was the editor used. Press Ctrl+X followed by “y” to save the file. If you are using vi, hit Esc and then type “:x”.
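As an added example (not code from the original post), here is the PHP side of the command-specific approach from step 5: the request only selects from fixed choices, and the command line handed to sudo is built from constants that match the sudoers rule exactly. The wrapper path /usr/local/bin/relay-ctl, the relay names and the matching sudoers line are all assumptions for illustration; substitute your own.

```php
<?php
// Added example: a PHP relay-control script written to pair with a
// command-specific sudoers rule. The post's own snippet is not reproduced here.
//
// Assumed sudoers line (the wrapper path is a placeholder for your own command):
//   www-data ALL=(root) NOPASSWD: /usr/local/bin/relay-ctl
//
// The insecure pattern the post warns about: the request supplies the command
// text, so whoever can reach the page can run anything the sudoers rule allows.
//   $out = shell_exec('sudo ' . $_GET['cmd']);   // do NOT do this

// Hardened pattern: fixed absolute path (matches the sudoers rule), and the
// request can only pick values out of these allowlists.
const RELAY_CTL = '/usr/local/bin/relay-ctl';           // hypothetical wrapper path
const RELAYS    = ['1' => 'relay1', '2' => 'relay2'];   // constructed relay names
const STATES    = ['on' => 'on', 'off' => 'off'];

function run_relay_command(string $relay, string $state): array
{
    // Reject anything outside the allowlists before the shell is involved.
    if (!isset(RELAYS[$relay]) || !isset(STATES[$state])) {
        return ['ok' => false, 'status' => -1, 'output' => [], 'error' => 'invalid relay or state'];
    }

    // Arguments are the allowlisted values, still quoted with escapeshellarg
    // as belt-and-braces. "sudo -n" never prompts: if the sudoers rule does
    // not permit the command, sudo fails instead of hanging on a password.
    $cmd = 'sudo -n ' . escapeshellarg(RELAY_CTL) . ' '
         . escapeshellarg(RELAYS[$relay]) . ' '
         . escapeshellarg(STATES[$state]) . ' 2>&1';

    exec($cmd, $output, $status);
    return ['ok' => $status === 0, 'status' => $status, 'output' => $output];
}

// Only accept POST, so a crafted link (GET) cannot toggle a relay.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

$result = run_relay_command($_POST['relay'] ?? '', $_POST['state'] ?? '');
header('Content-Type: application/json');
echo json_encode($result);
```

The point of naming a small wrapper in the sudoers rule, rather than a general-purpose binary, is that sudo only restricts which program runs, not what that program can be talked into doing; the wrapper should itself accept nothing but a relay name and a state. Because the sudoers entry is per user (www-data), not per PHP file, the allowlisting above is the only thing standing between a request and root, which is why the values from $_POST never reach the command line unvalidated.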

We’ll cover how to do the actual control in a later post.



Comments (3)

  • Josh says:

    Are you covering how to do the actual control in a later post?

  • Manish says:

But in my case the path is not fixed, as a temporary directory gets generated and the script inside it needs to be executed. The name of the temporary file is not fixed, it may vary, so how can I put the name here?

  • Manish says:

My file path is not fixed, so how can I put it there?

