Shutdown CentOS from PHP

Discussion in 'Programming/Scripts' started by redem, Apr 13, 2008.

  1. redem

    redem New Member

    Hi all!
    I'm trying to build a little control panel for my server.
    But when I use exec("/sbin/shutdown -r now") it doesn't work :confused:

    Suggestions?
     
  2. Leszek

    Leszek Member

    If you'd look at the results of the phpinfo() function you'd see the answer.
    The user which Apache is run as isn't authorised to restart your system, and that's a good thing.
    Imagine if your clients would use exec() to mess things up on the server.
    Therefore it's recommended to run Apache as a user with low privileges and to disable dangerous functions in PHP.
    You can't easily run Apache as root.
     
  3. redem

    redem New Member

    OK, so the 'PHP shutdown' isn't recommended. Other methods to shut down the system from a script (Perl, Python, etc.)?
     
  4. Leszek

    Leszek Member

    How about Bash?
    Imagine a situation where a PHP script, once run, would create a text file in, for example, /tmp, and cron would periodically run a Bash script which would check if that file exists and, if it does, delete it and cause the system to reboot. Then you'd have to protect the PHP script from unauthorised users.
     
  5. topdog

    topdog Active Member

    Any control panel capable of doing anything has to run with root privileges.
     
  6. Leszek

    Leszek Member

    In this case cron would have root privileges.
     
  7. topdog

    topdog Active Member

    What is going to prevent a user on the web server actually creating that file and taking down your host?
     
  8. Leszek

    Leszek Member

    Unauthorised users would have to know the filename created by the PHP script. The script would have to be somehow hidden. Permissions would have to be set so that it would only be accessible from a certain IP address. It could also require a username and password to run. There are a lot of ways to prevent access to a script. It's not so easy to know what it does since you can only see the output in HTML.

    There will never be a way to fully protect a machine connected to a network but that way of rebooting a computer is safer than using Apache and php to directly enter the command.
     
  9. topdog

    topdog Active Member

    That's not a problem unless you are encoding the files.
    The control panel or the cron script?
    All control panels do. How are you going to set a username and password on a cron script?
    Agreed, but having a sentry file on a server to get some privileged action to run is a sure way of getting your system exploited.

    Apache / PHP are all dependent on the quality of code your PHP is written in; Webmin runs as root and does all these things, but it's not every day that you get exploits in it.
     
  10. KenJackson

    KenJackson New Member

    Steve Levy, in his excellent computer history book, Hackers: Heroes of the Computer Revolution, told of a story in an early computer science lab, where students saw it as a challenge to crash the system. So many students succeeded at it that the administrators added a crash command that would crash the computer. That took all the fun out of it, so everyone stopped trying.

    If the system is a small, non-critical system with limited access, you might just set the user ID bit on /sbin/shutdown so anyone can shut it down.
    Code:
    chmod u+s /sbin/shutdown
     
  11. Leszek

    Leszek Member

    I meant the PHP script.
    We are not discussing the whole control panel idea here but only the part that lets users reboot the system.
    The way I've described was my example, which seems better than using Apache to do it but of course isn't hacker-proof.
    I'm waiting to read about other safer possibilities.
     
  12. Leszek

    Leszek Member

    I meant the PHP script.
    We are not discussing the whole control panel idea here but only the part that lets users reboot the system.
    The way I've described was my example, which seems better than using Apache/PHP to do it but of course isn't hacker-proof.
    I'm waiting to read about other safer possibilities.
     
    Last edited: Apr 15, 2008
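
The flag-file and cron approach debated in posts 4 to 9, as an added example (not code from any poster in this thread): the root cron job acts on a reboot request only if the flag is a regular file owned by the web server account and sits in a directory that group and other cannot write to, which rules out /tmp. The flag path, the `apache` account name and the function names are assumptions; GNU `stat` is assumed, as on CentOS.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes GNU stat (as on CentOS).
# The FLAG path and the "apache" account name are hypothetical.
FLAG=/var/lib/panel/reboot.request

# flag_is_trusted FILE UID: succeed only if FILE is a regular file (not a
# symlink), owned by UID, inside a directory group/other cannot write to.
flag_is_trusted() {
    flag=$1
    want_uid=$2
    dir=$(dirname "$flag")
    if [ -L "$flag" ] || [ ! -f "$flag" ]; then
        return 1
    fi
    if [ "$(stat -c %u "$flag")" != "$want_uid" ]; then
        return 1
    fi
    dir_mode=$(stat -c %a "$dir")          # e.g. 750, or 1777 for /tmp
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        return 1                           # any local user could plant the file
    fi
    return 0
}

# consume_flag FILE UID: validate, then delete the flag so one request
# causes one reboot. Returns 0 only when a trusted request was consumed.
consume_flag() {
    flag_is_trusted "$1" "$2" || return 1
    rm -f "$1"
}

# Entry point for root's crontab: acts only when called with --cron.
if [ "${1:-}" = "--cron" ]; then
    if consume_flag "$FLAG" "$(id -u apache)"; then
        /sbin/shutdown -r now
    fi
fi
```

These checks only narrow who can create the request to the web server account; any code running as that account can still write the flag, so the PHP page that creates it needs its own authentication.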
