- 04-04-2010 #1 Just Joined!
- Join Date
- Apr 2010
- Posts
- 1
php exec(); can't reload httpd
Sorry for my English. 
When I try to reload the httpd service directly through the command-line interface, it works. But when I tried to reload the named and httpd services using php exec(), it doesn't work.
service named reload
service httpd reload
The named service is OK, but httpd has a problem.
My OS is CentOS 5.4.
My script:
echo exec("service named reload"); result is " Reloading named: [OK] "
but
echo exec("service httpd reload"); result is " Reloading httpd: [FAILED] "
I tried echo exec("whoami"); and got "apache".
Then I edited /etc/sudoers.
root ALL=(ALL) NOPASSWD: ALL
apache ALL=(ALL) NOPASSWD: ALL
daemon ALL=(ALL) NOPASSWD: ALL
nobody ALL=(ALL) NOPASSWD: ALL
And I tried again.
echo exec("sudo service httpd reload"); ==> Doesn't work.
echo exec("sudo /etc/init.d/httpd reload"); ==> Still doesn't work.
echo exec("sudo -u root /etc/init.d/httpd reload"); ==> Doesn't work.
Notice!
If I run "service httpd reload" without sudo, it doesn't work, and the message " Reloading httpd: [FAILED] " is returned.
If I try "sudo service httpd reload", it doesn't work, and no message is returned.
How can I reload httpd through php exec() properly?
Thank you.
- 04-10-2010 #2 Linux Newbie
- Join Date
- Apr 2010
- Location
- Novosibirsk, Russia
- Posts
- 136
It seems that SELinux does not allow you to perform it as the 'apache' user even if /etc/sudoers allows it. Try to do 'setenforce 0' as root first, and then try to exec your php script again. If it helps, then you will have to do some "dark magic" with SELinux - just edit its policy.
- 04-11-2010 #3 Linux Newbie
- Join Date
- Apr 2010
- Location
- Novosibirsk, Russia
- Posts
- 136
Of course, you can't edit the SELinux policy from a php script. It must be done directly in a linux terminal, and you must have root access to the system. Anyway, I think it could be a big security hole if terminating processes is permitted from web scripts, isn't it?...
And another idea came to me.. I suppose that you use php as an apache module, which means that all scripts are performed inside the apache process. And just imagine - can a script be performed if it tries to kill the interpreter itself?...
Do you know that it MUST work as you want, or are you just looking for variants of how to do something?.. Have you already seen that thing working on other machines?
- 04-12-2010 #4 Just Joined!
- Join Date
- Apr 2010
- Location
- San Diego, CA
- Posts
- 10
You should be able to make this work, as webmin has this capability. You might just look at their code to see how they do it.
I agree that giving elevated permissions to the apache user is a huge security liability. Instead, try programming your web application so that admin users can authenticate to your web app, and use their credentials to reload the servers. (This is also probably how webmin works.)
If you think selinux is blocking access, verify it is running in enforcing mode with:
Code:
sestatus
If it is running, you will see it as "enabled" and "enforcing". If it says disabled or permissive, selinux is not your problem.
If it is enabled and enforcing, you can check to see if it is causing your problem by generating a report:
Code:
sealert -a /var/log/audit/audit.log > ~/sealert_report


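A lighter-weight companion to the sestatus/sealert check discussed in the thread, added here as an example and not written by any of the posters: it condenses the AVC denials in an audit log whose source domain is Apache's. The `httpd_t` domain name is assumed from the default targeted policy, the function names are hypothetical, and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials raised by the Apache domain.
# Assumption: httpd (and anything PHP exec() spawns) runs as httpd_t.

# Constructed sample audit.log lines, NOT taken from the poster's system.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1270900001.101:501): avc:  denied  { signal } for  pid=2201 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1270900002.202:502): avc:  denied  { signal } for  pid=2207 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1270900003.303:503): avc:  denied  { getattr read } for  pid=2210 comm="httpd" name="index.php" dev=dm-0 ino=1234 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1270900004.404:504): avc:  denied  { getattr } for  pid=3000 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1270900004.404:504): arch=40000003 syscall=195 success=no exit=-13 comm="named"
EOF
}

# Reads audit.log text on stdin; prints "count perms tclass target_type comm",
# most frequent first, for denials whose source type is httpd_t.
httpd_avc_summary() {
    awk '
    /type=AVC/ && / denied / {
        stype = ""; ttype = "?"; tclass = "?"; comm = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        if (stype != "httpd_t") next          # skip other domains (e.g. named_t)
        a = index($0, "{"); b = index($0, "}") # denied permissions sit in { ... }
        perm = (a && b > a) ? substr($0, a + 1, b - a - 1) : "?"
        gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        count[perm " " tclass " " ttype " " comm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Demo run on the constructed sample.
sample_audit_log | httpd_avc_summary
```

On a real host, feed it the log named in the post above as root: `httpd_avc_summary < /var/log/audit/audit.log`. An empty result while SELinux is enforcing points away from SELinux as the cause.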
