Score:1

Can't change linux user password with php script

kbu

I have the following PHP script for password change:

<?php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);
ini_set('display_error', true);

$cmd = 'sudo -u root sh -c \'/usr/bin/echo "username:pass" | sudo /usr/sbin/chpasswd 2>&1\'';
exec($cmd,$output,$return_val);
print_r($output);
echo $return_val;
?>

This script shows an error in the browser:

pam_chauthtok() failed, error: [1] => Authentication token lock busy [2] => chpasswd

But the command

sudo -u root sh -c '/usr/bin/echo "username:pass" | sudo /usr/sbin/chpasswd 2>&1'

works fine. Can someone please give me a tip as to why I get the error above in the browser?

The filesystem is in rw mode. The files /etc/{passwd,shadow} have correct permissions.

Thank you in advance

Michael Hampton
How do you run PHP?
kbu
PHP runs with php-fpm.
vn flag
You... probably should not do this.
kbu
I know what you mean. The client needed a solution. I found the solution and warned about the upcoming problems with security.
kbu
And the problem was exactly there, because strace showed that the filesystem is in read-only mode.
Score:1
kbu

The solution was to comment out ProtectSystem=full in the php-fpm.service unit:

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
#ProtectSystem=full
Michael Hampton
You may change this to `true` instead, which will allow writing to `/etc` but still prohibit writing to the other named directories.
Score:0
us flag

PHP in the browser runs as the www-data user.

Add permissions for www-data to use sudo through the shell by using the visudo command and appending this line:

www-data   ALL=(ALL:ALL) ALL

Its syntax is

user    hosts=(users:groups)    commands
kbu
Sorry, I forgot to mention here: I already gave sudo privileges. For testing I have the following line: nginx ALL=(ALL) NOPASSWD: ALL. But that did not help.
us flag
The `sudo` access should be limited to only the commands that are needed.
Ajay Singh
Have you tried the same with www-data instead of nginx?
kbu
The www-data user does not exist.
Ajay Singh
Okay. Which OS are you using? Have you verified whether <?php echo exec('whoami'); ?> in the browser returns nginx?
kbu
OpenSUSE 15.2. Yes, exec(...whoami...ls....ping...cat...) all work.
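
A hardened variant of the script from the question, as an added example that is not code from the thread: it starts chpasswd without a shell and passes the credentials on stdin instead of interpolating them into `sh -c`. The nginx service user is taken from the comments; the narrowed sudoers rule, the `ProtectSystem=true` setting and the UID 1000 cutoff are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions:
//  - php-fpm runs as "nginx" (from the comments) with ProtectSystem=true
//  - sudoers, edited with visudo, grants only:
//      nginx ALL=(root) NOPASSWD: /usr/sbin/chpasswd
//  - regular accounts start at UID 1000

/** Changes a local account password; returns [exit code, stderr text]. */
function change_password(string $user, string $pass): array
{
    // chpasswd reads "user:password" lines, so restrict the name to a
    // conservative account-name pattern and keep line breaks out of the password.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    if ($pass === '' || preg_match('/[\r\n\0]/', $pass)) {
        throw new InvalidArgumentException('invalid password');
    }
    // The sudo rule would also cover root and system accounts; refuse them
    // here. Fails closed when the posix extension is not loaded.
    $pw = function_exists('posix_getpwnam') ? posix_getpwnam($user) : false;
    if ($pw === false || $pw['uid'] < 1000) {
        throw new RuntimeException('unknown or system account');
    }

    // Array form (PHP 7.4+) runs sudo directly, with no shell to parse input.
    // -n makes sudo fail instead of prompting if the rule does not match.
    $cmd  = ['/usr/bin/sudo', '-n', '/usr/sbin/chpasswd'];
    $spec = [0 => ['pipe', 'r'], 1 => ['file', '/dev/null', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if ($proc === false) {
        throw new RuntimeException('could not start sudo');
    }
    fwrite($pipes[0], $user . ':' . $pass . "\n");
    fclose($pipes[0]);                      // EOF lets chpasswd finish
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    return [proc_close($proc), trim($err)];
}

try {
    // 'username' and 'pass' are the placeholders used in the question.
    [$code, $err] = change_password('username', 'pass');
    echo $code === 0 ? "password changed\n" : "chpasswd failed ($code): $err\n";
} catch (Exception $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```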
