PHP Exec Solaris svcadm
I am attempting to execute a svcadm command from PHP on a Solaris machine.
I have the following function which currently has two commands, who and the svcadm command I really want to run.
I am also aware that this code is very insecure and should never be exposed publicly.
    private function RestartApacheImmediately(){
        var_dump($this->exec_enabled());
        $output = array();
        $returnvar = "";
        $cmd = 'who 2>&1';
        //$cmd = 'svcadm -v restart apache 2>&1';
        echo $cmd;
        $return = exec($cmd, $output, $returnvar);
        var_dump($output);
        var_dump($return);
        var_dump($returnvar);
    }
When I execute who, I get two users: x and y.
Both x and y are configured as Service Management profiles in /etc/user_attr.
When I run the commented-out $cmd above, I get the following output to stderr:
svcadm: Could not set restarter_actions/auxiliary_tty property of svc:/network/http:apache: permission denied.
Any ideas?
EDIT: Resolution was as follows:
I got this to work by using the user_attr method I described above. However, what I discovered was that the httpd daemon was running as a different user than php reported upon executing the 'who' command. So it wasn't x or y, it was z. I determined this by doing a simple ps -e while logged in as root at the shell.
You need to add auths (value_authorization) to the SMF manifest for Apache HTTPD to perform the state value change, as you can see above in an Apache Tomcat example.
The value_authorization must be declared in /etc/security/auth_attr, for example:
# echo "solaris.org.apache.smf.value.tomcat:::Change value of Apache Tomcat::" >> /etc/security/auth_attr
# echo "solaris.org.apache.smf.manage.tomcat:::Manage Apache Tomcat service states::" >> /etc/security/auth_attr
And then edit the SMF manifest to add the custom value_authorization, first in the global section:
    <property_group name='general' type='framework'>
        <propval
            name='value_authorization'
            type='astring'
            value='solaris.org.apache.smf.value.tomcat' />
        <propval
            name='action_authorization'
            type='astring'
            value='solaris.org.apache.smf.manage.tomcat' />
    </property_group>
And also on the method section you need to add the auth
    <property_group name='tomcat_6' type='application'>
        <propval name='home' type='astring'
            value='/opt/www/tomcat-6.0' />
        <propval name='jvmargs' type='astring'
            value='-d32 -Xms64m -Xmx128m' />
        <propval name='java_home' type='astring'
            value='/usr/java' />
        <propval name='value_authorization' type='astring'
            value='solaris.org.apache.smf.value.tomcat' />
    </property_group>
I have an example (in Spanish) in my blog to put Apache Tomcat using RBAC and SMF
And at the end, you must add auth to the role or user running the script
# usermod -A solaris.org.apache.smf.manage.tomcat,solaris.org.apache.smf.value.tomcat webope
or for role
# rolemod -A solaris.org.apache.smf.manage.tomcat,solaris.org.apache.smf.value.tomcat webope
I hope it helps you,
Urko
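An added example, not part of the original posts: a shell check that the account the httpd workers actually run as holds the authorizations from the answer above, given the comma-separated list that Solaris auths(1) prints. The function names and the WEB_USER variable are assumptions made for this sketch; wildcard entries such as solaris.org.apache.smf.* are matched as described in user_attr(4).

```shell
#!/bin/sh
# Added example (not from the original posts). Checks an authorization list in
# the comma-separated form printed by Solaris auths(1) against the two
# authorizations named in the answer above.

REQUIRED_AUTHS="solaris.org.apache.smf.manage.tomcat solaris.org.apache.smf.value.tomcat"

# has_auth LIST WANT: succeed if WANT is granted by LIST, either literally or
# through a wildcard entry such as "solaris.org.apache.smf.*".
has_auth() {
    _list=",$(printf '%s' "$1" | tr -d ' \t\n'),"
    _want=$2
    case $_list in *",$_want,"*) return 0 ;; esac
    _prefix=$_want
    while :; do
        # Drop the last dotted component; stop when none is left.
        case $_prefix in
            *.*) _prefix=${_prefix%.*} ;;
            *)   return 1 ;;
        esac
        case $_list in *",$_prefix.*,"*) return 0 ;; esac
    done
}

# missing_auths LIST WANT...: print the WANT entries LIST does not grant;
# succeed only when nothing is missing.
missing_auths() {
    _granted=$1; shift
    _missing=
    for _req in "$@"; do
        has_auth "$_granted" "$_req" || _missing="$_missing${_missing:+ }$_req"
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Live check: set WEB_USER (hypothetical variable) to the account the httpd
# workers run as (user z in the question), not a user listed by who.
if [ -n "${WEB_USER:-}" ] && command -v auths >/dev/null 2>&1; then
    if _out=$(missing_auths "$(auths "$WEB_USER")" $REQUIRED_AUTHS); then
        echo "$WEB_USER holds every required authorization"
    else
        echo "$WEB_USER is missing: $_out"
    fi
fi
```

Granting only the two service-specific authorizations to that account keeps the web process away from broader profiles or sudo.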
Is the PHP process executing as a user that has permissions to perform the svcadm action? I tested the code you posted and got a similar result if php was running as a normal user.
/usr/local/bin/php apacherestart.php
but if I
sudo /usr/local/bin/php apacherestart.php
it worked fine for me and in fact gave me a few ideas of things I could do :)