Hoping someone can help me out here. Trying to run any command using exec() returns 126 and displays the same error message. I've narrowed it down to this pretty minimal test case. SELinux and PHP safe mode are not enabled permissions are fine on /, /bin/, and /bin/ls asterisk is a system user created with this command: adduser -d /var/lib/asterisk

Can’t run PHP exec() on command line

Hoping someone can help me out here. Trying to run any command using exec() returns 126 and displays the same error message. I’ve narrowed it down to this pretty minimal test case.

root@test:~ $ sudo -u asterisk php -r 'exec("ls /", $out, $result); var_dump($result);'
sh: /bin/ls: Permission denied
int(126)

root@test:~ $ sudo -u asterisk ls /
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt   opt   proc  root  sbin  selinux  srv  sys  tmp  usr  var

root@test:~ $ su -lc 'php -r '''exec("ls /", $out, $result); var_dump($result);'' asterisk
This account is currently not available.

JavaScript
​x
 
root@test:~ $ sudo -u asterisk php -r 'exec("ls /", $out, $result); var_dump($result);'sh: /bin/ls: Permission deniedint(126)​root@test:~ $ sudo -u asterisk ls /bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt   opt   proc  root  sbin  selinux  srv  sys  tmp  usr  var​root@test:~ $ su -lc 'php -r '''exec("ls /", $out, $result); var_dump($result);'' asteriskThis account is currently not available.​

SELinux and PHP safe mode are not enabled
permissions are fine on /, /bin/, and /bin/ls
asterisk is a system user created with this command: adduser -d /var/lib/asterisk -M -r -s /sbin/nologin asterisk
it works fine via Apache, which runs as this user

Every attempt to run any command returns permission denied and 126 as $?. The PHP config is pretty much as it shipped (Scientific Linux 6.7, PHP 5.4 via Remi package.)

Would appreciate some assistance (preferably the kind that would require some arcane knowledge, not the kind that means I missed something blindingly obvious!)

Edit: I can get it to work using su if I give the user a login shell:

root@test:~ $ usermod -s /bin/bash asterisk
root@test:~ $ su -c 'php -r '''exec("ls /", $out, $result); var_dump($result);'' asterisk
int(0)

JavaScript
 
root@test:~ $ usermod -s /bin/bash asteriskroot@test:~ $ su -c 'php -r '''exec("ls /", $out, $result); var_dump($result);'' asteriskint(0)​

However, this isn’t my code so changing all the use of sudo to su is not likely to happen. Also, there shouldn’t be anything stopping PHP from running this without a login shell.

Answer

You probably have enabled sudo option NOEXEC.

When this option is active, you can run command with high privilege, but cannot spawn other commands. This is (AFAIK) required to avoid an exploiter to gain a shell. Since you are using the asterisk user, this also makes much sense.

In your case, PHP command is granted the execution as asterisk user, but when it tries to spawn with exec, the command cannot be executed and it returns 126.

EDIT (as in comment below)

Adding this line to sudoers will solve this issue:

root ALL = (ALL) EXEC: ALL

JavaScript
 
root ALL = (ALL) EXEC: ALL​

Advertisement

Answer