How to get shell_exec to run on IIS 6.0

The Problem

I have a PHP script that uses shell_exec to run a pdf-to-text converter. To simplify the problem I've created a short script that uses shell_exec to just echo the output of the dir command.

<?php
$cmd = 'C:\\WINDOWS\\system32\\cmd.exe /c ';
echo shell_exec($cmd.' dir');
?>

When I run this on my Apache server, everything works as expected. When I sw开发者_如何学编程itch to IIS, it's as though the line is skipped entirely: no errors, no output, no logs, no nothing.

Unfortunately, I need to use IIS because I'm going to authenticate my users against active directory.

Here's what I've tried so far:

• Issue the command through cmd.exe /c rather than issuing it directly
• Give Read & Execute permission to SERVICE on "C:\WINDOWS\system32\cmd.exe"
• Give Read & Execute permission to NETWORK SERVICE on "C:\WINDOWS\system32\cmd.exe"
• Give Read & Execute permission to IUSR_MACHINENAME on "C:\WINDOWS\system32\cmd.exe"
• Give Read & Execute permission to Everyone on "C:\WINDOWS\system32\cmd.exe" (don't worry, it didn't stay like that for long, haha)
• Run PHP as an ASAPI module
  • This is my standard configuration
• Run PHP as a CGI extention
  • This does not work, I get an error: CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers.
• In IIS Manager, set Execute Permissions to Scripts and Executables on your website
• Added html markup and other php functions to script to see if that gets processed; it does. It's as if the shell_exec bit just gets skipped.

Thank you so much for looking at this question, I am now pulling my hair out with the problem

Cheers, Iain

Update 1

I really didn't want to do this, but as a stop gap until I find a proper solution I'm running Apache on the web server (which runs shell_exec fine) and I call my apache script via cURL. It's ugly, but it works :).

Update 2

I'm beginning to think this isn't so much an issue with IIS or permissions as such, but perhaps a result of some policy we have on our network - although I can't imagine what. Any ideas from left of field?

Below is a more systematic way to determine which user needs to be granted permission

Confirm that you have the following executables in C:\WINDOWS\SYSTEM32 (or more generically %systemroot%\system32)

cmd.exe  
whoami.exe  

Check the current ACL for these executables

c:\windows\system32> cacls cmd.exe  
c:\windows\system32> cacls whoami.exe  

If the user "Everyone" is not granted Read (R) access, then TEMPORARILY grant as follows

c:\windows\system32> cacls cmd.exe /E /G everyone:R  
c:\windows\system32> cacls whoami.exe /E /G everyone:R  

Create whoami.php with the following content

<?php  
$output = shell_exec("whoami");  
echo "<pre>$output</pre>";  
?>  

Load whoami.php on a web browser and note the username displayed e.g. in my case it showed

ct29296\iusr_template

Revoke "Everyone's" permission if it had to be added in above steps

c:\windows\system32> cacls cmd.exe /E /R everyone  
c:\windows\system32> cacls whoami.exe /E /R everyone  

Grant only the username found in step 5 with the Read+Execute permission (R) to cmd.exe

c:\windows\system32> cacls cmd.exe /E /G ct29296\iusr_template:R  

Remember to use the correct username for your own system.

See: http://www.myfaqbase.com/index.php?q=php+shell_exec&ul=0&show=f

Here's a few points:

• Regarding PHP skipping the shell_exec function, make sure that PHP is not running in safe mode. From the PHP manual - on the shell_exe page:

Note: This function is disabled when PHP is running in safe mode.

It also appears that this is quite a known problem with executing shell commands from PHP in Windows. The consensus seems to be that the best way to get it to work is to have PHP running in FastCGI mode (I know you tried this already and said you couldn't get it to work - hence my second point). You may find this Microsoft IIS Forum thread helpful.

• Now, as far as having to run PHP on Windows in order to authenticate against Active Directory - you don't have to!

Apache provides LDAP authentication via the mod_auth_ldap. And PHP provides LDAP support through the following functions:

• ldap_connect
• ldap_bind
• ldap_search
• ldap_get_entries

Active Directory is an implementation of LDAP. So, you with any LDAP client you can perform authentication against Active Directory.

• An example of how to authenticate with Active Directory from PHP.

P.S. You can either use the Apache mod_auth_ldap, or the PHP LDAP functions - you don't need to use both at the same time to make this work. The Apache mod_auth_ldap works at the HTTP protocol level, whereas the PHP LDAP Functions give you more control over the authentication and authorization process.

couple of notes

if you want to execute a .exe directly, you can use proc_open() with $other_options=array('bypass_shell'=>TRUE)

also procmon.exe (sysinternals) is you best friend when digging into this class of problem

I'd say Read & Execute permission to the User thats running IIS (if thats not IUSR_MACHINENAME)

Unfortunately, I need to use IIS because I'm going to authenticate my users against active directory.

The premise for basing your application on IIS is flawed. There's nothing to stop you doing this with Apache. Indeed, you don't even need to run it on a MS-Windows OS.

Have a google for how to set up all this up.

Note that with IIS and local clients potentially using NTLM, the security policy gets thrown out of the window. The IIS handler thread may run with the credentials of a NTLM MSIE client. Or not. Debugging this stuff will drive you mad!

C.

I added the user NETWORK SERVICE with READ & EXECUTE, READ to the directories where the executables of my application resides. Since this alteration, the problem is gone. Nevertheless, it's also neccessary to grant the permissions READ & EXECUTE, READ for IUSR_ to cmd.exe.

The solution I got from here http://forums.iis.net/t/1147892.aspx