I need to allow a PHP script on my small local web server to SSH to a different machine to carry out a specified task on some files. My httpd runs as _www with low permissions, so setting up direct passwordless SSH is tricky, not to say ill-advised.

The way I do it is to have a minimal PHP script that sudo-exec's (as me) a shell script that is outside the document root. The shell script in turn calls (as me) the PHP code that does the actual SSH work, and prints its output. Here's the code.

read_remote_files.php (The script I call from the browser):

<?php
// exec() fills $results with one array element per line of output
exec('sudo -u me -n /home/me/run_php.sh /path/to/my_prog.php', $results);
print implode("\n", $results);

/home/me/run_php.sh (Runs as me, calls whatever it's given):

#!/bin/sh
php "$1" 2>&1

sudoers entry:

_www ALL = (me) NOPASSWD: /home/me/run_php.sh

All of this works, as my_prog.php is called as me and can SSH as me. It seems it isn't too insecure, since run_php.sh cannot be called from a browser (it is outside the document root). The problem I am having is that my_prog.php is not called as an HTTP program, so it does not have the HTTP environment variables (DOCUMENT_ROOT etc.).

Two questions:

  1. Am I making this too complicated?
  2. Is there a good way for my final script to get the HTTP variables?

Thanks! Andy

Many systems do this using a (privileged) cron job that regularly checks for the presence of a file, a database record or some other resource, and then performs actions if there are any.

The big advantage of this is that there is no direct interaction between the PHP script and the privileged script at all. The PHP script leaves the instructions in a resource, and the privileged script picks them up. As long as the instructions can't cause the system to be compromised or damaged, it's certainly safer than sudoing.

The disadvantage is that you can't push changes whenever you like; you have to wait until the cron job runs again. But that may be an option anyway?
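As an added example (not from the original post or its answers) of the spool-and-cron hand-off described above: the web side only writes a small JSON request into a spool directory, and the privileged cron side re-validates every request against a fixed allow-list before mapping it to a fixed command. The directory, the action names and the remote host are assumptions for illustration.

```php
<?php
// Added example: file-spool hand-off between the low-privilege web script and a
// privileged cron job. SPOOL_DIR, ALLOWED_ACTIONS and 'remote-host' are assumptions.

const SPOOL_DIR = '/var/spool/phpjobs';          // writable by _www, readable by the cron user
const ALLOWED_ACTIONS = ['rotate', 'checksum'];  // the only things the cron job will ever do

// Shared check: allow-listed action, plain relative filename, no path tricks.
function validate_job(array $job): bool
{
    return isset($job['action'], $job['file'])
        && is_string($job['action']) && is_string($job['file'])
        && in_array($job['action'], ALLOWED_ACTIONS, true)
        && preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $job['file']) === 1
        && $job['file'] !== '.' && $job['file'] !== '..';
}

// Web side (runs as _www): drop a request into the spool. Nothing is executed here.
function enqueue_job(string $action, string $file, string $dir = SPOOL_DIR): ?string
{
    $job = ['action' => $action, 'file' => $file];
    if (!validate_job($job)) {
        return null;                                  // refuse to even queue a bad request
    }
    $name = $dir . '/' . bin2hex(random_bytes(8)) . '.job';
    $tmp  = $name . '.tmp';
    file_put_contents($tmp, json_encode($job) . "\n");
    rename($tmp, $name);                              // atomic: the consumer never sees a half-written file
    return $name;
}

// Cron side (runs as "me"): read each request, re-validate, map to a fixed command.
// Returns the argv arrays it would run; a real job would pass each one to proc_open().
function drain_spool(string $dir = SPOOL_DIR): array
{
    $commands = [];
    foreach (glob($dir . '/*.job') as $path) {
        $job = json_decode((string) file_get_contents($path), true);
        unlink($path);                                // consumed, whether or not it is valid
        if (!is_array($job) || !validate_job($job)) {
            error_log("rejected job file $path");     // a bad request only costs a log line
            continue;
        }
        // argv form, never a shell string; the filename pattern above also keeps the
        // remote shell from seeing anything but a plain word
        $commands[] = ['ssh', 'remote-host', 'bin/' . $job['action'], $job['file']];
    }
    return $commands;
}
```

The web process needs write permission on the spool directory and nothing else, so a compromised PHP script can at most fill the spool with requests the cron side refuses.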

"I need to allow a PHP script on my small local web server to SSH to a different machine to carry out a specified task on some files."

I believe that you're phrasing this in terms of a solution you are having difficulty getting to work, rather than as a requirement. Surely what you should be saying is "I want to invoke a task on machine B from a PHP script running under Apache on machine A." Then research ways to do this -- there are many, from a simple 'roll-your-own' RPC tunnelled over HTTP(S) to using an XMLRPC or SOA framework.

Two caveats:

  • Do a phpinfo() on both machines to check what extensions are available, and
  • Also check your php.ini settings to make sure that the provider has not disabled any functions that you expect to use (or do a Q&D script to echo 'disable_functions = ' . ini_get('disable_functions') . "\n"; ...)

If you browse here and the wider internet you will find many examples. Here is one that I use for the same purpose.