Join Log in
Score:1
kbu avatar Server

Can't change linux user password with php script

ng flag
kbu

I have the following php script for password change: <?php error_reporting(E_ALL); ini_set('display_errors', TRUE); ini_set('display_startup_errors', TRUE); ini_set('display_error', true);

$cmd = 'sudo -u root sh -c \'/usr/bin/echo "username:pass" | sudo /usr/sbin/chpasswd 2>&1\'';
exec($cmd,$output,$return_val);
print_r($output);
echo $return_val;
?>

This script show error in browser:

pam_chauthtok() failed, error: [1] => Authentication token lock busy [2] => chpasswd

But the command

sudo -u root sh -c '/usr/bin/echo "username:pass" | sudo /usr/sbin/chpasswd 2>&1'

work fine. Can please someone give me a tip, why I get in browser the error above?

Filesystem is in rw mode. Files /etc/{passwd,shadow} have a correct permissions

Thank you in advance

100
2 + 5
Michael Hampton avatar
cz flag
Michael Hampton
How do you run PHP?
0
Reply
kbu avatar
ng flag
kbu
Php run with php-fpm
0
Reply
vn flag
ceejayoz
You... probably should not do this.
1
Reply
kbu avatar
ng flag
kbu
I know what you mean. Client needed a solution. I found the solution and warned about the upcoming problems with security
0
Reply
kbu avatar
ng flag
kbu
And the problem was exactly there, because strace showed that the filesystem is in read-only mode
0
Reply
Score:1
kbu avatar Server
ng flag
kbu

The solution was to comment out ProtectSystem=full in php-fpm.service unit:

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
#ProtectSystem=full
0 + 1
Michael Hampton avatar
cz flag
Michael Hampton
You may change this to `true` instead, which will allow writing to `/etc` but still prohibit writing to the other named directories.
0
Reply
Score:0
Ajay Singh avatar Server
us flag
Ajay Singh

Browser php runs using www-data user

Add permissions for www-data to use sudo through shell using visudo command and append this line

www-data   ALL=(ALL:ALL) ALL

Its' syntax is

user    hosts=(users:groups)    commands
0 + 6
kbu avatar
ng flag
kbu
sorry forgot to mention here: I gave already sudo privileges. For testing I have the following line: nginx ALL=(ALL) NOPASSWD: ALL. But that did not help.
0
Reply
us flag
Tero Kilkanen
The `sudo` access should be limited to only the commands that are needed.
0
Reply
Ajay Singh avatar
us flag
Ajay Singh
Have you tried the same with www-data instead of nginx?
0
Reply
kbu avatar
ng flag
kbu
www-data user does not exist
0
Reply
Ajay Singh avatar
us flag
Ajay Singh
Okay. Which OS are you using? Have you verified if <?php echo exec('whoami'); ?> on browser returns nginx?
0
Reply
kbu avatar
ng flag
kbu
OpenSUSE 15.2. Yes, exec(...whoami...ls....ping...cat...) work everything
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.