Shutdown centOS from PHP

Discussion in 'Programming/Scripts' started by redem, Apr 13, 2008.

  1. redem

    redem New Member

    HI all!
    i'm trying to build a little control panel for my server.
    but when i use exec("/sbin/shutdown -r now") it doesn't work :confused:

    suggestions?
     
  2. Leszek

    Leszek New Member

    If You'd look at the results of phpinfo(); function You'd see the answer.
    The user which Apache is ran as isn't authorised to restart Your system and that's a good thing.
    Imagine if Your clients would use exec() to mess things up on the server.
    Therefore it's recommended to run Apache as a user whith low privileges and to disable dangerous functions in PHP.
    You can't easily run Apache as root.
     
  3. redem

    redem New Member

    ok, so, the 'php shutdown' isn't reccomended, other methods to shutdown the system from a script (Perl, Python etc...)??
     
  4. Leszek

    Leszek New Member

    How about Bash ?
    Imagine a situation when a php script once ran would create a text file in for example /tmp and cron would periodically run a bash script,which would check if that file exists and if it does it would delete it and cause the system to reboot.Then You'd have to protect the php script from unauthorised users.
     
  5. topdog

    topdog Active Member HowtoForge Supporter

    Any control panel capable of doing anything has to run with root privilages.
     
  6. Leszek

    Leszek New Member

    In this case cron would have root privileges.
     
  7. topdog

    topdog Active Member HowtoForge Supporter

    What is going to prevent a user on the web server actually creating that file and taking down your host ?
     
  8. Leszek

    Leszek New Member

    Unauthorised users would have to know the filename created by the php script.The script would have to be somehow hidden.Permissions would have to be set so that it would only be accessible from a certain ip address.It could also require a username and password to run. There are a lot of ways to prevent access to a script.It's not so easy to know what it does since You can only see the output in html.

    There will never be a way to fully protect a machine connected to a network but that way of rebooting a computer is safer than using Apache and php to directly enter the command.
     
  9. topdog

    topdog Active Member HowtoForge Supporter

    Thats not a problem unless you are encoding the files
    The control panel or the cron script
    All control panels do, how are you going to set a username and password on a cron script ?
    Agreed, but having a sentry file on a server to get some privilaged action to run is a sure way of getting your system exploited.

    Apache / php are all dependent on the quality of code your php is written in, webmin runs as root and does all these things but its not every day that you get exploits in it.
     
  10. KenJackson

    KenJackson New Member

    Steve Levy, in his excellent computer history book, Hackers: Heros of the Computer Revolution, told of a story in an early computer science lab, where students saw it as a challenge to crash the system. So many students succeeded at it that the administrators added a crash command that would crash the computer. That took all the fun out of it, so everyone stopped trying.

    If the system is a small, non-critical system with limited access, you might just set the user ID bit on /sbin/shutdown so anyone can shut it down.
    Code:
    chmod u+s /sbin/shutdown
     
  11. Leszek

    Leszek New Member

    I meant the php script.
    We are not discussing the whole control panel idea here but only the part that let's users reboot the system.
    The way I've described was my example which seems better than using Apache to do it but offcourse isn't hacker-proof.
    I'm waiting to read about another safer possibilities.
     
  12. Leszek

    Leszek New Member

    I meant the php script.
    We are not discussing the whole control panel idea here but only the part that let's users reboot the system.
    The way I've described was my example which seems better than using Apache/PHP to do it but offcourse isn't hacker-proof.
    I'm waiting to read about another safer possibilities.
     
    Last edited: Apr 15, 2008

Share This Page