php调用shell脚本安全,从PHP调用的shell脚本问题

TLDR;

我有一个shell脚本,从命令行运行时工作正常,但如果从PHP脚本中调用(通过Web访问)则不行.

在这两种情况下,主叫用户都是www-data.

线路失败是这样的:

openssl genrsa -des3 -out certs/$PCODE.key -passout env:PASSPHRASE 2048

为什么会这样?我该怎么调试呢?

全文

我有以下脚本,它是this gist的略微修改版本,用于生成自签名SSL证书.

当我从终端运行它作为www-data时,它可以正常工作并生成密钥文件,CSR和SSL证书文件.但是当我从PHP脚本中调用脚本时,它会输出错误并且不会生成任何文件.是什么导致失败?我该怎么调试呢?

从终端:

me@machine$sudo su www-data

www-data@machine$./gencert.sh acme

www-data will generate an SSL cert for acme.dev

Command after line 32 executed oK

Passphrase expoted as I7gOnWxWd0hOk38Zu ... FbxL3K3Rzlv

Generating RSA private key, 2048 bit long modulus

..............................................+++

.................+++

e is 65537 (0x10001)

Command after line 49 executed oK

Command after line 54 executed oK

Command after line 65 executed oK

writing RSA key

Command after line 69 executed oK

Signature ok

subject=/C=IR/ST=Alborz/.../emailAddress=noreply@acme.dev

Getting Private key

Command after line 74 executed oK

产生的文件:

> certs / acme.key.org

> certs / acme.key

> certs / acme.csr

> certs / acme.crt

来自PHP:

$r = `/var/www/testbench/pm/shell/gencert.sh acme`;

echo $r;

没有生成文件,输出如下:

www-data will generate an SSL cert for acme.dev

Command after line 32 executed oK

Passphrase expoted as 1Fd1seZoe2XF ... oSmQFJdVpdwOeTo2CK5VjLxp

Error. Return value = 1 after line 49

返回1的行是这样的:

openssl genrsa -des3 -out certs / $PCODE.key -passout env:PASSPHRASE 2048

这是修改后的shell脚本:

#!/bin/bash

# Bash shell script for generating self-signed certs. Run this in a folder, as it

# generates a few files. Large portions of this script were taken from the

# following artcile:

#

# http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html

# https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

# Additional alterations by: Brad Landers

# Date: 2012-01-27

# Script accepts a single argument, the fqdn for the cert

PCODE="$1"

if [ -z "$PCODE" ]; then

echo "Usage: $(basename $0) "

exit 11

fi

THE_USER="$(whoami)"

echo "$THE_USER will generate an SSL cert for $PCODE.dev"

fail_if_error() {

[ $1 != 0 ] && {

echo -n "Error. Return value = $1 after line $LASTLINE"

unset PASSPHRASE

exit 10

}

echo "Command after line $LASTLINE executed oK"

}

# Generate a passphrase

LASTLINE="${LINENO}"

export PASSPHRASE=$(head -c 500 /dev/urandom | tr -dc a-z0-9A-Z | head -c 128; echo)

fail_if_error $?

echo -n "Passphrase expoted as "

printenv PASSPHRASE

# Certificate details; replace items in angle brackets with your own info

subj="

C=IR

ST=Alborz

O=ACME

localityName=Karaj

commonName=*.$PCODE.dev

organizationalUnitName=WebAdmin

emailAddress=noreply@$PCODE.dev

"

LASTLINE="${LINENO}"

# Generate the server private key

openssl genrsa -des3 -out certs/$PCODE.key -passout env:PASSPHRASE 2048

fail_if_error $?

LASTLINE="${LINENO}"

# Generate the CSR

openssl req \

-new \

-batch \

-subj "$(echo -n "$subj" | tr "\n" "/")" \

-key certs/$PCODE.key \

-out certs/$PCODE.csr \

-passin env:PASSPHRASE

fail_if_error $?

LASTLINE="${LINENO}"

cp certs/$PCODE.key certs/$PCODE.key.org

fail_if_error $?

LASTLINE="${LINENO}"

# Strip the password so we don't have to type it every time we restart Apache

openssl rsa -in certs/$PCODE.key.org -out certs/$PCODE.key -passin env:PASSPHRASE

fail_if_error $?

LASTLINE="${LINENO}"

# Generate the cert (good for 10 years)

openssl x509 -req -days 3650 -in certs/$PCODE.csr -signkey certs/$PCODE.key -out certs/$PCODE.crt

fail_if_error $?

解决方法:

要执行的命令具有相对路径,例如:certs / $PCODE.key.当您执行命令时(在这种情况下通过反引号操作符),路径相对于PHP进程的当前工作目录进行扩展.这很少(如果有的话)与命令shell使用的路径相同.

要调试这个,你可以使用strace扩展你的实际命令,例如:strace openssl ….这将为你提供相当大的诊断功能,接近最后,你会看到EPERM的内容.

要解决此问题,您可以在PHP中使用chdir来设置当前工作目录,也可以在脚本中使用cd,或者您的脚本可以使用绝对路径.我更喜欢后者.

标签:php,shell,command-line,sh

来源: https://codeday.me/bug/20190627/1305955.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值