Granting sudo to PHP Script For Running Shell Commands
Giving sudo to PHP is one of several ways to execute a shell command from a web interface. It is not one of the more secure methods, so I recommend not doing this on a server that is reachable from the outside (WAN), because of the possibility of malicious code being executed as root through the web server. An attacker who gets that far can then reach your entire network, including any shared files, network attached storage, and so on. You need to be careful with this.
First, I’ll cover alternative methods and then I’ll jump into how to do it with PHP.
Alternative Methods
- Use a text file to hold the current command for each GPIO pin, and a cron job that runs a Python script every minute to read the text file and parse the instructions for each relay.
  - Cons
    - Slow. Cron jobs can only be scheduled as frequently as once per minute; that is how cron was designed. You can work around this with a while loop (and a short sleep) in the Python script so that it keeps polling between cron runs.
    - Requires more coding.
- Granting superuser to www-data
  - Cons
    - Easily the least secure method of doing this. By granting superuser to www-data, you are giving root to every file that Apache executes, including any script an attacker manages to upload or inject. This is a huge security risk that will probably result in the compromise of your server. Don't do it.
- A variant of #1 is storing the desired state of the system in a MySQL database and reading it from Python. This may be the simplest method, because interacting with MySQL from Python is very easy to do.
- Running Node.js and using socket.io to execute commands. This involves running a web server in Node and sending commands to the Node script over socket.io. I may cover how to do this in a future write-up.
Editing Your sudoers
Now, on to how to give permission to PHP. You are modifying /etc/sudoers to allow www-data to run one specific PHP file as root. I'll mention security again: if the script itself is insecure, say it takes the command to run from an HTTP GET parameter and hands it to the shell, then anyone who can reach that page can execute any command they wish as root. The script that sudo runs must only do the fixed job you intend (toggle a pin); it must never execute input it receives from the web.
- Edit the sudoers file to include your script. Note that you really should use visudo instead of editing the file directly: visudo checks the syntax before installing the file, and a sudoers file with a syntax error can lock you out of sudo entirely. You obviously need root to do this:

      # visudo

  You will see your sudoers file in a text editor. Here is a screenshot of mine:
- Now we are going to add the permission for www-data (the Apache user) to our sudoers file. We don't want to be prompted for a password, so we add NOPASSWD. Add the following text under the # User privilege specification section:

      www-data ALL=NOPASSWD: /path/to/script.php

  Use the absolute path, and make sure the script is executable and starts with a shebang line (for example #!/usr/bin/php) so that sudo can run it directly. Just as important, the file must be owned by root and not writable by www-data: sudo only checks the path, so if www-data can edit that file, www-data can put anything it likes in it and run it as root. Your sudoers should now look something like this:
- You can get very specific in your sudoers permissions by allowing only one command with fixed arguments. This is a much safer way of making sure nothing else gets executed as root. Be aware, though, that sudo runs the command directly, not through a shell, so shell syntax is not interpreted: in an entry like `echo high > /sys/class/gpio/gpio60/direction` the > and the path would simply be passed to echo as extra arguments and the redirection would never happen (and echo lives in /bin, not /usr/sbin). Let the unprivileged side do the piping and grant root only a fixed write to the one file:

      www-data ALL=NOPASSWD: /usr/bin/tee /sys/class/gpio/gpio60/direction

  The PHP script then runs `echo high | sudo /usr/bin/tee /sys/class/gpio/gpio60/direction`; writing high or low to a pin's direction file makes it an output driven at that level. Note that this entry is not file-specific, so any file executed by www-data will be able to run this command. That would be useful if you are controlling your GPIO pins from multiple scripts, but you could do the same thing more easily with a single PHP function that wraps the call.
- Close and save the file. How to do this depends on the editor. I am running Debian, so nano was the editor used: press ctrl+x followed by "y" to save the file. If you are using vi, hit Esc and then type ":x". If visudo finds a syntax error, it will refuse to install the file and ask what you want to do.
We’ll cover how to do the actual control in a later post.
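As an added example (not part of the original post, and not the control code promised for the later post), here is the shape I would give the privileged side so that the sudoers entry stays narrow and the web side can never pass a command through. It is a root-owned wrapper script, assumed to live at /usr/local/bin/gpio-set, that accepts only an allowlisted pin number and the values high or low, and writes them to the pin's sysfs direction file. The pin allowlist, the install path and the GPIO_ROOT override (which exists only so the script can be exercised against a scratch directory instead of /sys) are assumptions for illustration. The apply subcommand also covers the cron-based alternative from the first section: a state file with one "pin state" per line, applied on every run.

```shell
#!/bin/sh
# gpio-set: root-owned wrapper that www-data is allowed to run via sudo.
# Added example for this post, not the author's code. Assumed layout:
#   /usr/local/bin/gpio-set  (root:root, mode 0755, not writable by www-data)
# The pins are assumed to be exported already (/sys/class/gpio/gpioNN exists).
set -eu

# Sysfs GPIO directory. Overridable only so the functions can be exercised
# against a scratch directory; leave the default alone in production.
GPIO_ROOT="${GPIO_ROOT:-/sys/class/gpio}"

# Pins wired to relays (assumed for the example; edit to match your board).
ALLOWED_PINS="60 48 49 117"

# valid_pin PIN: succeed only if PIN is exactly one of the allowlisted numbers.
# Exact string comparison, so "60;reboot" or "../gpio61" never gets through.
valid_pin() {
    for p in $ALLOWED_PINS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# valid_state STATE: the only two values we ever write. Writing "high" or
# "low" to a pin's direction file makes it an output driven at that level.
valid_state() {
    case "$1" in
        high|low) return 0 ;;
        *)        return 1 ;;
    esac
}

# gpio_set PIN STATE: validate both arguments, then do the one privileged
# write. Returns 2 and touches nothing if either argument is refused.
gpio_set() {
    want_pin=$1
    want_state=$2
    if ! valid_pin "$want_pin"; then
        echo "gpio-set: refusing pin '$want_pin'" >&2
        return 2
    fi
    if ! valid_state "$want_state"; then
        echo "gpio-set: refusing state '$want_state'" >&2
        return 2
    fi
    printf '%s\n' "$want_state" > "$GPIO_ROOT/gpio$want_pin/direction"
}

# gpio_apply FILE: the cron variant. FILE holds one "PIN STATE" per line;
# blank lines and lines starting with # are ignored. Bad lines are reported
# and skipped, good lines are applied, and the exit status is non-zero if
# anything was skipped.
gpio_apply() {
    rc=0
    while read -r pin state _; do
        case "$pin" in
            ''|'#'*) continue ;;
        esac
        gpio_set "$pin" "$state" || rc=1
    done < "$1"
    return $rc
}

# Dispatch only when invoked with a subcommand, so the functions above can
# also be sourced and exercised on their own.
if [ $# -gt 0 ]; then
    case "$1" in
        set)   gpio_set "${2:-}" "${3:-}" ;;
        apply) gpio_apply "${2:-}" ;;
        *)     echo "usage: $0 set PIN high|low | apply FILE" >&2; exit 64 ;;
    esac
fi
```

With this in place the sudoers entry is just `www-data ALL=(root) NOPASSWD: /usr/local/bin/gpio-set`, and the PHP side calls it with `exec('sudo /usr/local/bin/gpio-set set ' . escapeshellarg($pin) . ' ' . escapeshellarg($state), $out, $rc)` and checks `$rc`; whatever a user sends, the only thing that can reach root is two arguments that the wrapper compares against fixed strings. Keep the script owned by root with mode 0755, because if www-data can edit it the sudo grant is full root again, and note that sudo's default env_reset keeps www-data from smuggling a different GPIO_ROOT through sudo. For the cron alternative, a root crontab line such as `* * * * * /usr/local/bin/gpio-set apply /var/lib/gpio/state` (assumed path) applies the state file without any sudo at all.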
Are you covering how to do the actual control in a later post?
But in my case the path is not fixed, as a temporary directory gets generated and the script inside it needs to be executed. The name of the temporary file is not fixed; it may vary, so how can I put the name here?
My file path is not fixed, so how can I put it there?