|
Posted by Jim Poserina on 10/04/14 11:11
If I run this PHP script:
<?php
echo '<pre>';
echo exec('whoami');
echo '</pre>';
?>
from the web, the output is
<pre></pre>and from the command line running as the apache user(webuser),
the output is.
Content-type: text/html
X-Powered-By: PHP/4.3.9
<pre></pre>But if I run from the command line as root, the output is:
Content-type: text/html
X-Powered-By: PHP/4.3.9
<pre>root</pre>and from the command line as a user in the root group, the
output is:
Content-type: text/html
X-Powered-By: PHP/4.3.9
<pre>jimpoz</pre>Safe mode is turned off. As webuser (or any non-root-group
user), no shell commands work. Not echo, not ls, not whoami, not touch. And
no shell functions work: no exec(), no passthru(), no shell_exec(), no
backticks. Every command I'm trying to run is world-readable and
world-executable.
If I turn safe mode on, it gives me a "safe mode is on" warning only about
lines that call shell_exec(), and not for exec() or any of the others. Other
than that, it doesn't hang or give any kind of error or anything when it
comes to a shell function call; apparently it just ignores them.
Anyone know what's wrong? I've been staring at this thing for three days and
have come up empty.
Thanks,
Jim
[Back to original message]
|