[nycphp-talk] Can't do PHP 'exec' for an rsync command via web server
David Roth
davidalanroth at gmail.com
Mon Jun 25 00:57:01 EDT 2012
I'm happy to report this is working now!
To recap the adventure for those of you who arrived late...:-)
CentOS 6.2. as shipped with PHP 5.3.3. Out of the box I couldn't execute a
PHP function (exec or system) to do an rsync with a remote host. The reason
was that Apache runs as user apache and doesn't have access to the /root's
ssh keys. This was causing an error code of 255 to be returned and no
output. A very puzzling and annoying situation as you can well imagine,
especially when the thing worked perfectly using PHP on the command line.
The fix was to bring apache into the *family*, and make it a regular user
on the system and gave it a home. Well, almost a regular user, no password
is set so the only way to login to it is through root using 'su'. Logging
into apache was needed to generate the ssh keys which were exchanged with
the remote host. It was very wise of Hans to also recommend to create
/home/apache instead of using the default /var/www because a nasty user
could have easily accessed the .ssh directory there and gotten the
public/private keys, and the known hosts.
Now that apache has its own home, the Tax Assessor will be by Monday to
start collecting property taxes. :-)
Thanks to everyone who e-mailed me and especially Hans!
David Roth
On Sun, Jun 24, 2012 at 8:25 PM, Hans Zaunere <zaunere at gmail.com> wrote:
> > # grep apache /etc/passwd
> > apache:x:48:48:Apache:/var/www:/sbin/nologin
> >
> > You suggesting I change apache to just another user, like this?
> > apache:x:48:48:Apache:/var/www:/bin/bash
>
> Yes, though I'd make its own home directory, /home/apache, and give
> appropriate rights as needed to the doc root.
>
> > Maybe generate apache's own set of ssh keys to access the remote server
> > for rsync?
>
> Yeah - just cleanse your input well :)
>
> H
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20120625/2357adc3/attachment.html>
More information about the talk
mailing list