
PHP cannot access RNDC

I am editing the zone file /var/named/rpz.local and need to reload it with rndc, using this command:

cd /var/named
rndc reload rpz.local

Everything is fine from the CLI as root, but the problem is that I cannot run /usr/sbin/rndc through nginx (PHP). So can you give me a clue?

I can run this:

$Output = shell_exec("uptime");
print($Output);

But if I run either of these, the output is empty:

system('rndc reload');
shell_exec('rndc reload');

It seems I can't access rndc at all, because I can't even run rndc status. If I run this:

system('uptime');                  // Sun Aug 20 22:36:51 +0330 2023
$Test = shell_exec('rndc status'); // returns nothing: shell_exec() gives NULL when the command prints no output
print($Test);
system('uptime');                  // 00:28:03 up 18 days, 10:47,  2 users,  load average: 0.00, 0.02, 0.05

I get the output of both uptime calls, but nothing for shell_exec('rndc reload'). I also ran the commands below, but they didn't help:

setfacl -m u:nginx:rwx rpz.local
setfacl -m u:nginx:rwx /usr/sbin/rndc

Asked by P粉794851975, 266 days ago


  • P粉545956597, 2024-02-22 00:36:26

    If you have PHP running as root under Nginx, you have one serious problem, and then some.

    Please consult your operations manual to understand the role of the root user and its purpose, then manage the system accordingly.

    Or in short: just because you can do something as root doesn't mean you should do it from within PHP. Learn why. Really. Honestly.

    If not, please contact the responsible system administrator who knows your operating system and clarify the requirements in person.

  • P粉463291248, 2024-02-22 00:06:56

    Problem solved. How? When trying to run the rndc command I got NULL. As mentioned in this article, I changed the command to:

    $Test = shell_exec('rndc reload rpz.local 2>&1'); // with stderr merged in, returns "permission denied" for the rndc.key file
    print($Test);

    So I did it:

    setfacl -m u:nginx:rwx /etc/rndc.key

    The problem is solved.

    Thank you very much, dear @hake.

    P.S. As @hake mentioned, it is wrong to run nginx as a sudoer or to add nginx to the sudoers group, so don't make that mistake, although it is OK for debugging and testing (no more than 1-2 hours).

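The diagnosis and a narrower version of the fix from the thread above, as an added shell example (editor's code, not posted by anyone in the thread). It assumes, as the question does, that the PHP worker runs as user nginx and that BIND's control key is /etc/rndc.key; the getfacl listings and the "permission denied" message embedded in it are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread). Assumptions, both
# taken from the question and to be adjusted locally: the PHP worker runs
# as user "nginx" and BIND's control key is /etc/rndc.key.

# Run a command the way the PHP shell_exec() call should have been written:
# stderr merged into stdout and the exit status preserved, so a failure
# such as "permission denied" shows up instead of an empty string.
# Prints "exit=N" on the first line, then the command's combined output.
run_capturing() {
    _status=0
    _out=$("$@" 2>&1) || _status=$?
    printf 'exit=%s\n%s\n' "$_status" "$_out"
}

# Extract the permissions an ACL listing (the text `getfacl FILE` prints)
# grants to one named user, e.g. "rwx" from "user:nginx:rwx", or "none".
acl_perms_for_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "user" && $2 == u { print $3; found = 1 }
        END { if (!found) print "none" }'
}

# True (exit 0) when an ACL entry grants more than read access. rndc only
# reads the key file; write or execute on it is an unnecessary grant.
acl_entry_too_broad() {
    case "$1" in
        *w*|*x*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed getfacl output (not captured from a real host) after the
# thread's fix, setfacl -m u:nginx:rwx /etc/rndc.key ...
ACL_AFTER_RWX='# file: etc/rndc.key
# owner: root
# group: named
user::rw-
user:nginx:rwx
group::r--
mask::rwx
other::---'

# ... and after the narrower grant, setfacl -m u:nginx:r /etc/rndc.key.
ACL_AFTER_R='# file: etc/rndc.key
# owner: root
# group: named
user::rw-
user:nginx:r--
group::r--
mask::r--
other::---'

# Stand-in for rndc failing on an unreadable key file. The message text is
# constructed, not quoted from BIND; the point is that it goes to stderr
# and the exit status is non-zero, which is exactly what shell_exec() hid.
failing_rndc() {
    echo "rndc: open /etc/rndc.key: permission denied" >&2
    return 1
}

echo "--- 1. what the PHP call could not see:"
run_capturing failing_rndc

echo "--- 2. what the thread's setfacl granted:"
perms=$(acl_perms_for_user "$ACL_AFTER_RWX" nginx)
if acl_entry_too_broad "$perms"; then
    echo "nginx has '$perms' on rndc.key; rndc only needs 'r--'"
fi

echo "--- 3. narrower fix (run as root), then verify as the worker user:"
cat <<'EOF'
setfacl -m u:nginx:r /etc/rndc.key
getfacl /etc/rndc.key
sudo -u nginx /usr/sbin/rndc reload rpz.local
EOF
```

Granting r instead of rwx is the smallest change that still makes the thread's fix work. Note, though, that the secret in rndc.key authorises every rndc command (reconfig, stop, flush, and so on), not just reload, so any code execution inside the PHP worker inherits full control of named. Running PHP as root is wrong, as the first answer says, but a sudoers rule that lets nginx run exactly /usr/sbin/rndc reload rpz.local and nothing else, with the key file left unreadable to it, is a narrower privilege boundary than handing the worker the key.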