Obel
Posts: 18
Joined: Wed Jun 17, 2015 12:36 pm
Location: UK

php is not executing bash commands

Sun May 01, 2016 10:52 am

Hi Guys

I am running an Apache server on a Pi.
The server is running correctly; I can access the standard Apache site at localhost and inside the network via 192.168.0.X.

I have published the following site at the path /var/www/html/lamp/index.html

which should allow me to execute scripts:

Code:

<html>
<head>
<meta charset="UTF-8" />
</head>


<?php
if (isset($_POST['ON']))
{
exec("sudo python /home/pi/Pimoroni/unicornhat/rainbow.py");
}
if (isset($_POST['OFF']))
{
exec("here will be command which terminate the script");
}
?>
<form method="post">
<button name="ON">turn On</button>&nbsp;
<button name="OFF">turn Off</button><br>

</form>
</html>

The site displays correctly but doesn't execute commands.

I have also added the following lines to the sudoers file
sudo nano /etc/sudoers

Code:

www-data ALL=(ALL) NOPASSWD: ALL
www-data ALL=NOPASSWD: /home/pi/Pimoroni/unicornhat/

Any idea what I am missing, because when I press "turn On" the system doesn't execute the Python script?

DougieLawson
Posts: 39121
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: php is not executing bash commands

Sun May 01, 2016 11:53 am

Obel wrote:

Code:

www-data ALL=(ALL) NOPASSWD: ALL
www-data ALL=NOPASSWD: /home/pi/Pimoroni/unicornhat/

Any idea what I am missing, because when I press "turn On" the system doesn't execute the Python script?

Undo that and find ANY other way to do what you're trying to do. That's 100% insecure because your webserver can now run any privileged command as root without requiring any security credentials.

What does your "rainbow.py" program do? Why does it need root privileges? Post the code on here (or a link to where the code came from).
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

Obel
Posts: 18
Joined: Wed Jun 17, 2015 12:36 pm
Location: UK

Re: php is not executing bash commands

Sun May 01, 2016 12:59 pm

rainbow.py is responsible for displaying an animation on the Unicorn HAT and was delivered as a sample by the distributor. When I run it without sudo I get the error message below:

Code:

 $ python /home/pi/Pimoroni/unicornhat/rainbow.py
Can't open /dev/mem: Permission denied
Segmentation fault

rainbow.py code below:

Code:

#!/usr/bin/env python

import unicornhat as unicorn
import time, math, colorsys

print("Reticulating splines")
time.sleep(.5)
print("Enabled unicorn poop module!")
time.sleep(.5)
print("Pooping rainbows...")

i = 0.0
offset = 30
while True:
        i = i + 0.3
        for y in range(8):
                for x in range(8):
                        r = 0#x * 32
                        g = 0#y * 32
                        xy = x + y / 4
                        r = (math.cos((x+i)/2.0) + math.cos((y+i)/2.0)) * 64.0 + 128.0
                        g = (math.sin((x+i)/1.5) + math.sin((y+i)/2.0)) * 64.0 + 128.0
                        b = (math.sin((x+i)/2.0) + math.cos((y+i)/1.5)) * 64.0 + 128.0
                        r = max(0, min(255, r + offset))
                        g = max(0, min(255, g + offset))
                        b = max(0, min(255, b + offset))
                        unicorn.set_pixel(x,y,int(r),int(g),int(b))
        unicorn.show()
        time.sleep(0.01)

DougieLawson
Posts: 39121
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: php is not executing bash commands

Sun May 01, 2016 1:29 pm

You need to look at whether Pimoroni have a re-written version of their Unicornhat library that uses /dev/gpiomem rather than /dev/mem, as that will allow it to run without using sudo. Ask them nicely and they may re-write their code for you (as it will improve security for everyone).

Otherwise the safer way to do what you want is to run a small server (with root privileges) that runs the Unicornhat code and from the web server post client messages to the server to give it the instructions you need to do.

That's a job for roll-your-own (RYO) socket programming, python's httpserver library, MQTT, node.js or some other IoT protocol.
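
The small privileged server described in the post above, as an added example that is not code from the thread or from Pimoroni: a root-owned helper that accepts only ON or OFF over a Unix socket and runs one fixed command. The socket path, the `Controller` class and the ON/OFF wire format are assumptions.

```python
import grp
import os
import socket
import subprocess

SOCKET_PATH = "/run/unicorn-ctl.sock"  # assumed path, not from the thread
SCRIPT = ["/usr/bin/python", "/home/pi/Pimoroni/unicornhat/rainbow.py"]

class Controller:
    """Starts or stops one fixed program; request bytes never reach a command line."""

    def __init__(self, argv):
        self.argv = list(argv)
        self.proc = None

    def running(self):
        return self.proc is not None and self.proc.poll() is None

    def handle(self, request):
        cmd = request.strip()
        if cmd == b"ON":
            if self.running():
                return b"ALREADY_ON\n"
            self.proc = subprocess.Popen(self.argv)  # argv list, no shell
            return b"OK\n"
        if cmd == b"OFF":
            if not self.running():
                return b"ALREADY_OFF\n"
            self.proc.terminate()  # SIGTERM ends the animation loop
            self.proc.wait()
            return b"OK\n"
        return b"REJECTED\n"  # anything else is refused, never executed

def serve(controller, path=SOCKET_PATH, web_group="www-data"):
    if os.path.exists(path):
        os.unlink(path)
    os.umask(0o117)  # socket is created 0660: no access for "other"
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chown(path, 0, grp.getgrnam(web_group).gr_gid)  # root:www-data
    srv.listen(1)
    while True:  # one short request per connection
        conn, _ = srv.accept()
        with conn:
            conn.sendall(controller.handle(conn.recv(16)))

if __name__ == "__main__":
    serve(Controller(SCRIPT))
```

With this running as root, the web page writes ON or OFF to the socket instead of calling exec(), and www-data needs no sudoers entry at all.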

jojopi
Posts: 3270
Joined: Tue Oct 11, 2011 8:38 pm

Re: php is not executing bash commands

Sun May 01, 2016 1:36 pm

Obel wrote:
www-data ALL=NOPASSWD: /home/pi/Pimoroni/unicornhat/

If you meant to allow all commands in that directory, you need a * after the final /.

However, you are actually running "sudo python ...", not "sudo /home/pi/Pimoroni/unicornhat/pooper.py", so the line should really be:

Code:

www-data ALL=NOPASSWD: /usr/bin/python /home/pi/Pimoroni/unicornhat/*

It is okay to allow privilege escalation for very specific commands, and sudo will probably be more secure than any setuid wrapper or daemon you write yourself.

Certainly it would be better not to need root privilege at all, but I think the Unicorn HAT needs something more than simple GPIO access, and may not be amenable to /dev/gpiomem conversion.

Obel
Posts: 18
Joined: Wed Jun 17, 2015 12:36 pm
Location: UK

Re: php is not executing bash commands

Mon May 02, 2016 10:46 am

jojopi wrote:
Obel wrote:
www-data ALL=NOPASSWD: /home/pi/Pimoroni/unicornhat/

If you meant to allow all commands in that directory, you need a * after the final /.

However, you are actually running "sudo python ...", not "sudo /home/pi/Pimoroni/unicornhat/pooper.py", so the line should really be:

Code:

www-data ALL=NOPASSWD: /usr/bin/python /home/pi/Pimoroni/unicornhat/*

It is okay to allow privilege escalation for very specific commands, and sudo will probably be more secure than any setuid wrapper or daemon you write yourself.

Certainly it would be better not to need root privilege at all, but I think the Unicorn HAT needs something more than simple GPIO access, and may not be amenable to /dev/gpiomem conversion.

I've added that line but it still doesn't work :(

Do I understand it correctly that I should be able to execute any command there?

As part of troubleshooting, instead of running the Python script I have added the following command:

Code:

<html>
<head>
<meta charset="UTF-8" />
</head>


<?php
if (isset($_POST['ON']))
{
exec("sudo touch /home/pi/test");
}
if (isset($_POST['OFF']))
{
exec("here will be command which terminate the script");
}
?>
<form method="post">
<button name="ON">turn On</button>&nbsp;
<button name="OFF">turn Off</button><br>

</form>
</html>

But the test file is not created after pressing the button, so I assume there is still something wrong with permissions?

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: php is not executing bash commands

Mon May 02, 2016 10:52 am

No, the suggestion of jojopi was meant to prevent executing every other command.

Code:

www-data ALL=NOPASSWD: /usr/bin/python /home/pi/Pimoroni/unicornhat/*

means that only the "/usr/bin/python" command is allowed to run without password. Allowing all commands to run without passwords would be stupid.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org
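
An added example, not from any poster, that models which invocations the rule quoted in this thread admits, next to a rule pinned to the one script. It relies on the sudoers manual's note that command-line arguments are matched as a single concatenated string, so `*` also spans `/` and spaces; the pinned rule, the sample invocations and the `/usr/bin/touch` path are constructed assumptions.

```python
import fnmatch

PY = "/usr/bin/python"
HAT = "/home/pi/Pimoroni/unicornhat/"
WILDCARD_RULE = PY + " " + HAT + "*"         # the rule quoted in the thread
PINNED_RULE = PY + " " + HAT + "rainbow.py"  # assumed tighter alternative

# Constructed invocations, as sudo sees them after resolving the command path.
CASES = {
    "rainbow.py": [PY, HAT + "rainbow.py"],
    "other script in the directory": [PY, HAT + "other.py"],
    "path that leaves the directory": [PY, HAT + "../../../../tmp/x.py"],
    "extra arguments": [PY, HAT + "rainbow.py", "--anything"],
    "touch test from the thread": ["/usr/bin/touch", "/home/pi/test"],
}


def rule_allows(rule, argv):
    """Simplified model of sudoers command matching.

    The command path is compared literally (the rules here have no wildcard
    in it); the arguments are joined with spaces and matched as one string.
    """
    path, _, rule_args = rule.partition(" ")
    if argv[0] != path:
        return False
    if not rule_args:
        return True  # a rule without arguments permits any arguments
    return fnmatch.fnmatchcase(" ".join(argv[1:]), rule_args)


def audit(rule):
    """Return {case name: allowed?} for every constructed invocation."""
    return {name: rule_allows(rule, argv) for name, argv in CASES.items()}


if __name__ == "__main__":
    for label, rule in (("wildcard", WILDCARD_RULE), ("pinned", PINNED_RULE)):
        for name, allowed in audit(rule).items():
            print(f"{label:8} {name:32} {'allowed' if allowed else 'denied'}")
```

On the Pi itself, `visudo -c` checks the sudoers syntax and `sudo -l -U www-data` lists what the account is actually permitted to run.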
