"su _www helloworld.php" does nothing
In the context of a larger effort, I've run across a particular issue that is baffling me.
On Mac OS X 10.6.7, using the system provided Apache and PHP, I have created a simple HelloWorld.php
script that, no surprise, just prints Hello, World!
and nothing else.
Works fine if I execute it as php helloworld.php
.
However, if I:
sudo su
su _www php helloworld.php
It emits nothing; php
returns pretty much immediately with no signs of execution.
Where have I gone off the rails (and, more importantly, what diagnostic information should I be gathering to help deduce the issue)?
No dice.
bash-3.2$ls -alF foo.php
-rw-r--r-- 1 _www _www 37 Apr 4 21:08 foo.php
bash-3.2$ ls -dalF .
drwxr-xr-x 56 _www _www 1904 Apr 4 21:08 ./
bash-3.2$ whoami
bbum
bash-3.2$ php foo.php
Hello, World!
bash-3.2$ sudo sh
sh-3.2# php foo.php
Hello, World!
sh-3.2# su _www php foo.php
sh-3.2#
If I copy foo.php
to my Webserver's documents root, it works. As it does in my user's docroot; it executes via the webserver just fine, regardless of location.
Even su _www php -v
fails to spew anything. Something fishy here.
Derp. The _www user is just busted; no shell. Screws up even the simplest of commands when attempted from the shell.
Solution 1:
This is very similar to my question "Run cgi-script on commandline as user www?" (FreeBSD).
Here's the problem: The user '_www' has a shell set to /usr/bin/false
. According to the manpage "The false utility always exits with a nonzero exit code." su _www
will always fail, by design.
This is done for security reasons. If anyone were able to successfully run a remote exploit against _www, which the account which is used to run your web applications, then they will encounter a shell which immediately exits. If this shell were left to be something like /bin/sh
, then the _www user would be able to run many commands on the commandline, and that would be bad for security. So therefore, it is set to /usr/bin/false
to limit the damage caused by any compromises on your webserver. It is unwise to disable this.
However, setting the _www shell to /usr/bin/false
also means that the user '_www' is unable to execute commands on the commandline. Even a simple command like whoami
will fail:
# su _www whoami
# echo $?
1
The solution is too use sudo
, not su
. This simple example shows that I can now execute simple commands, as user '_www':
# sudo -u _www id
uid=70(_www) gid=70(_www) groups=70(_www)
You will also need to make sure that the user _www is able to read the file. But if you are able to execute this file using Apache webserver, then the permissions are already correct.
Solution 2:
the first thing to look at is the permissions on the file. In general, web files should be owned by the Apache user.
try chown _www:_www helloworld.php
then try running php as the _www user.