Reply to Re: [PHP] Re: run remote shell script

Posted by Matthew Weier O'Phinney on 10/20/02 11:24

First off, Roger, Thomas, not sure which is your given name -- please
use a mail or news agent that will wrap your lines with linebreaks at 72
characters. Some of us are on text-based clients, and it's difficult to
read your posts when they extend beyond the screen boundaries... ;-)

* Roger Thomas <sniper@home.net.my> :
> OK. I am able to set up remote key authentication between svrA and
> svrB. From svrA I can login to svrB with something like
> [www@svrA www]$ ssh www@svrB
>
> and I can also execute a shell script like
> [www@svrA www]$ ssh www@svrB /tmp/test.sh
>
> On svrA I have a PHP script like so:
> <?
> system('ssh www@svrB /tmp/test.sh someDIR');
> ?>
>
> /tmp/test.sh on svrB is only a one liner like so:
> mkdir /tmp/$1
>
> I ran the script from the browser but the /tmp/someDIR is not created :(
> Could it be that user nobody on svrA is *not* allowed to connect to
> svrB because the public key belongs to user www ? How do I rectify
> this ?
>
> In the actual situation, I need to execute a shell script in svrB
> (from browser served by Apache on svrA) that only root can run. Please
> advise. I am getting very worried.

Okay, I should have been a little more explicit.

There are two ways I've done this. The initial details are different,
but the final call is pretty much the same.

1. Using sudo
'sudo' allows users to run commands as different users. In this case,
we want the user running the web server (usually www, apache, or
nobody) to run ssh, or a script that executes the ssh command, as a
normal user. I usually opt for the latter, and create a script such
as:

#!/bin/bash
exec ssh user@svrA /path/to/remote/script

and save it in /usr/local/bin. Then, edit sudoers (usually executing
'visudo' as root), and add a line like

nobody ALL = (username) NOPASSWD: /usr/local/bin/SCRIPTNAME

What this does is to allow the user 'nobody' (or whoever runs the
web server process) to execute /usr/local/bin/SCRIPTNAME as
'username', and they do not need to enter a password to do so
(normally with sudo you do).

You'll need to restart the webserver after granting the sudo
privileges.

In this scenario, the normal user, specified by 'username' above,
needs to have the SSH keys set up between the servers.

2. Give the web user a home directory
The other option is to set up a home directory for the web user. This
will mean editing the /etc/passwd file to give the web user both a
home directory and a shell; these are the last two items in the
colon-delimited list. A sample entry might look like:

nobody:x:65534:65534:nobody:/var/www:/bin/bash

Once you've done this, restart the web server. At this point, you'll
then need to become the web user briefly in order to:

* generate an SSH key
* send the key to the remote server

Then, on the remote server, add the SSH key to the appropriate user
on that system.

Good luck!

> Quoting Matthew Weier O'Phinney <mweierophinney@gmail.com> :
>
> > * Roger Thomas <sniper@home.net.my> :
> > > My PHP script is in svrA. How do I run a shell script in svrB?
> > > svrB does not have PHP and Apache :(
> > > Is this at all possible? Please advise.
> >
> > Use ssh. You will have to set up remote key authentication from svrA to
> > svrB (so that a password will not be needed), and then in your script
> > you would call:
> >
> > system('ssh svrB /path/to/scriptToRun');

--
Matthew Weier O'Phinney
Zend Certified Engineer
http://weierophinney.net/matthew/
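
Added example, not part of the original post: a hardened form of the
sudo wrapper from option 1 for the case in the thread where the PHP page
passes an argument (someDIR) through to /tmp/test.sh on svrB. The host,
account and script path come from the thread; the name policy is an
assumption.

```shell
#!/bin/bash
# Added example: hardened form of the /usr/local/bin/SCRIPTNAME wrapper.
# www@svrB and /tmp/test.sh are taken from the thread; the name policy
# (1-32 chars of A-Z a-z 0-9 _ -) is an assumption made for this example.
LC_ALL=C; export LC_ALL    # make the bracket ranges below ASCII-only

# The sudoers line permits this script with any arguments, and ssh joins
# its arguments into one string that the shell on svrB parses again, so
# the allow-list check has to happen here, before ssh is reached.
valid_name() {
    local name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case $name in
        -*) return 1 ;;                # would be taken as an option by mkdir
        *[!A-Za-z0-9_-]*) return 1 ;;  # space, ';', '$', '/', '.', quotes ...
    esac
    return 0
}

# Print the exact command string for svrB, or fail without printing.
remote_command() {
    valid_name "$1" || return 1
    printf '%s %s\n' /tmp/test.sh "$1"
}

run_remote() {
    local cmd
    cmd=$(remote_command "$1") || { echo "rejected argument" >&2; return 64; }
    # BatchMode makes ssh fail instead of waiting at a password prompt
    # when key authentication is not working for the calling user.
    ssh -o BatchMode=yes -o ConnectTimeout=10 www@svrB "$cmd"
}

# Run only when an argument is given; ssh's exit status is passed back
# so the PHP caller can tell success from failure.
if [ "$#" -gt 0 ]; then
    run_remote "$1"
    exit $?
fi
```

From PHP the call would then be system('sudo -u username /usr/local/bin/SCRIPTNAME ' . escapeshellarg($dir), $rc), with $rc checked afterwards; a non-zero value means the name was rejected or ssh failed.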
