The Apache’s user www-data need to be granted privileges to execute certain applications using sudo.

1. Run the command sudo visudo. Actually we want to edit the file in etc/sudoers.To do that, by using sudo visudo in terminal ,it duplicate(temp) sudoers file to edit.
2. At the end of the file, add the following ex:-if we want to use command for restart smokeping and php command for another action in your question,

www-data ALL=NOPASSWD: /etc/init.d/smokeping/restart, usr/bin/php

(This is assuming that you wish to run restart and php commands using super user (root) privileges.And you use php command in usr/bin/ path )

However, if you wish to run every application using super user privileges, then add the following instead of what’s above.You might not want to do that, not for ALL commands, very dangerous.

www-data ALL=NOPASSWD: ALL

3.After edit the sudoers file(by visudo we edit the temp file of sudoers so save and quit temp file(visudo) to write in sudoers file.(wq!)

4.That’s it, now use exec() or shell_exec in the following manner inside your xxx.phpscript.keep remember to use sudo before the command use in the php script.

ex:-

exec ("sudo /etc/init.d/smokeping restart 2>&1");

or

shell_exec("sudo php -v"); 

So in your problem,add the commands that you wish to use in to the step no (2.) as I add and change your php script as what you want.

here is the same problem as yours https://stackoverflow.com/a/22953339/1862107

If you say it works on the terminal and not on apache then apache's php.ini file may be disabling the use of shell_exec().

See http://www.php.net/manual/en/ini.core.php#ini.disable-functions

Your apache's php.ini file may look something like

disable_functions=exec,passthru,shell_exec,system,proc_open,popen

Remove shell_exec from this list and restart the web server, although this is a security risk and I don't recommend it.

The question is a bit old, but for those who experience this problem can try to set the environment variables of direct on the server. PHP uses the putenv () function.

Example:// Set Variable Enviromental

$JAVA_HOME = "/usr/lib/jvm/java-8-oracle"; 
$ANDROID_HOME = "/opt/android-sdk-linux";
$PATH="$JAVA_HOME/bin:/usr/local/bin:/usr/bin:/bin:$ANDROID_HOME/platform-tools:$ANDROID_HOME/tools:$ANDROID_HOME/build-tools/24.0.0-preview";

putenv ("JAVA_HOME = $JAVA_HOME"); 
putenv ("PATH = $PATH");

There's multiple problems here.

1. Do people even read the error messages they get?
2. Don't use shell commands to read a file to a variable! Use fopen.
3. Don't do globbing. Globs are expanded by the shell, but PHP is not a shell, so it doesn't do globbing. It hands your exact command off to the shell, and asks the shell to execute it. And yes, *-release is a valid filename.

    [~]$ ls -la /tmp/\*-releases 
    -rw-r--r-- 1 vidarlo users 0 Jun 23 10:16 /tmp/*-releases
    [~]$ 

4. Globbing potentially opens you to attacks. If you glob, you have no control over what files you end up reading. That's a potential security issue. Probably not in this case, as you're reading from /etc, but...
5. You lack a basic understanding about your environment, when you expect that modifying a path parameter will change anything - the problem is not that cat command is not found, it's that the file you give as parameter is not found... A general understanding of the platform is a good starting point for programming.
6. putenv('/etc'); is not how putenv works. Environment variables are generally key=value-pairs.
7. Don't post it on serverfault. It's not about managing IT, it's purely about programming. Additionally, you should probably spend some time to learn the platform you're working on.

By the looks of it your PATH variable only includes /bin. This only allows you to run executables within that directory. There are a few ways to fix this.

Method 1: Configure the web server environment varibles

If you are running apache, you can simply edit /etc/apache2/envvars to include a PATH varibale definition. Edit the file and add a new line to the bottom (if it doesn't already exist):

# /etc/apache2/envvars
...

export PATH="/bin:/usr/local/bin"

Method 2: Configure the PATH for the user

Alternatively, if you are running the web server as a user other than a service user, that user may not have their PATH properly configured. This is as simple as changing their environment variables for the user and the web server will inherit it (unless defined otherwise in the web server's configuration).

First step is figure out which user your web server is running as. If you don't know, you can check list the running processes to find the user. This can be accomplished by running the following command:

ps aux|grep {webserver}|grep -v grep Where {webserver} is replaced with the web server you are currently running. (apache/httpd, nginx)

Alternatively, you can check in of the following config files:

• /etc/httpd/conf/httpd.conf - CentOS Apache
• /etc/apache2/apache2.conf - Ubuntu/Debian Apache
• /etc/nginx/nginx.conf - nginx config

(There are many other possible configurations, but these are the most common)

Once you've found out which user you're running as, you will need to then set the PATH variable for that user. This could be as simple as exporting the PATH in their home bash configuration. This could be /home/bob/.bashrc for example. Service users without a home will be different however.

Method 3: Declare the PATH within your PHP script

You can manually specify the PATH variable within your PHP script. This can be accomplished by adding the following line to your script:

<?php

putenv('PATH=/bin:/usr/local/bin');
...

You will need to change the PATH to suit your needs, and it will need to be declared before you call shell_exec().

This method isn't preferred as you will need to specify this for each PHP script you execute that makes use of the shell_exec() call to binaries outside of /bin, but it is a quick one off solution that will work.

More importantly, you are writing code that is not portable and is dependent on a specific system. This is bad coding practice and is not recommended/frowned upon.

On the php manual for shell_exec, it shows that the function returns the output as a string. If you expect output from the program you launch, you need to capture this like so:

$execQuery = "echo -n test_command";
$output = shell_exec($execQuery);
echo $output;

Your question doesn't show trying to capture any data. If you also make sure to connect stdout and stderr when you run your command, you should get a better idea is what is going on. To use your example:

$output = shell_exec("/usr/bin/oneuser create test10 test10 2>&1");
var_dump($output);

That should help you see what is going on. As Shadur suggests, it seems likely that these programs expect an interactive terminal that can enter passwords in order to run. Even if don't need input, they might expect interactive shells. And he's right that su doesn't play nice in this context. There is, however, a correct tool for the job.

You can setup sudo to such that your http user can execute your program as username without a password but NOT be able to do anything else by running visudo or whatever you use to edit your sudoers file and adding this line:

http    ALL=(username) /usr/bin/oneadmin

Then in php your command would look something like this:

$execQuery = "sudo -u username /usr/bin/oneadmin postgres -c '/usr/bin/oneuser create test10 test10'";
$out = shell_exec ("$execQuery 2>&1");
echo $out

I've tested your code and in my server it works correctly. It gives the following output:

Output: apps awstats cgi-bin clients conf error html icons ispconfig manual mauco.org med-01.uc.cl php-fcgi-scripts usage

That are the folders in /var/www

I think you may have a privileges issue. What happens if you try with this command:

  $output = shell_exec("ls /tmp");

You can also check if what user is being used by apache/nginx

 $output = shell_exec("whoami");

Please include screenshots of your results.

1) Check the security setup

Can shell_exec() be run or not? If it can't then it's because you are having some security settings enabled.

The problem is that shell_exec() and exec() can be disabled for security reasons. This can be changed by editing PHP's disable_functions option.

INI settings are usually stored in specific *.ini files under the /etc/php/* directories. So you have to look for some settings in there. You’ll find several INI settings, depending on how PHP is run. To find them :

find /etc/php/ -iname 'php.ini'

This could output something like this :

/etc/php/8.2/fpm/php.ini
/etc/php/8.2/apache2/php.ini
/etc/php/8.2/cli/php.ini
/etc/php/8.2/cgi/php.ini

To see the settings and which INI file is loaded, add this at the beginning of your script and call it via your web server :

phpinfo();
die();

You'll see all the loaded INI files and what is set on the disable_functions option.

/etc/php/8.2/cli/php.ini is probably setting disable_functions to an empty string, meaning that in command line there's no restriction. But for the other INI files, this option might contain a list of functions that you won't be able to run. Edit this option if needed. But be always aware that giving your server the ability to run some binaries can lead to some security issues if your app is taking some user input to build the command.

Apache configuration can also set some PHP settings, just for a specific Virtual Host. So have a look at them if you can't find something in the php.ini files.

Depending on your PHP setup, you may also have to check safe_mode and suhosin.executor.* if you have the Suhosin hardening module installed.

2) Verify that you can run shell_exec

There are several ways to run a binary. shell_exec is equivalent to the built-in backtick operator. So if shell_exec is listed in the disable_functions option then you won't be able to use the backtick operator.

If you get an error 500 then it's typically because you cannot run shell_exec. If you check /var/log/nginx/error.log or /var/log/apache2/error.log with this command :

sudo tail -f /var/log/{apache2,nginx}/error.log

It will print both logs until you press CTRL+C. You may see this error :

PHP Fatal error:  Uncaught Error: Call to undefined function shell_exec()

PHP also offers exec(), passthru(), system(), and the proc_*() functions. So you've got several possibilities to try and run your command.

Have a try with a simple PHP code :

<?php

header('Content-Type: text/plain; charset=utf-8');

echo 'PHP user given with the "id" command: ' . `id`; // equivalent to shell_exec('id');
echo 'System date is ' . `date --iso-8601=seconds`;

This should output RAW text in your browser with :

PHP user given with the "id" command: uid=33(www-data) gid=33(www-data) groups=33(www-data)
System date is 2023-09-29T11:50:28+00:00

3) Use a full path to the binary

When shell_exec() is run from the web server, it's rather common that the binary isn't found in the PATH. Usually, the www-data user running PHP won't even have a shell. But this user can normally run some binaries, except if some settings at point 1 is blocking it.

To find the full path to a binary, use the which command :

which wkhtmltopdf

This should output the full path to the binary. Certainly something such as /usr/bin/wkhtmltopdf.

Now replace your PHP code with the full path to the binary:

header('Content-Type: text/plain; charset=utf-8');
echo shell_exec('/usr/bin/wkhtmltopdf --version');

Does it print wkhtmltopdf 0.12.6 like expected?

If no, then we have to investigate more at the next point.

4) Get the execution output and find errors

This can be done with the help of exec(), passthru() or system() as they all return the execution status code.

With the proposition of Volkerschulz, we'll also redirect the standard error stream to the standard output stream so that we can see some details that may have only be printed to the error stream.

This is done by redirecting stderr (2) into stdout (1) by adding 2>&1 after your command.
Just as info, stdin is 0.

In PHP, this becomes :

<?php

header('Content-Type: text/plain; charset=utf-8');

$command = '/usr/bin/wkhtmltopdf --wrong-option 2>&1';

$last_line = exec(
  $command,    // The command to execute.
  $output,     // A variable that will be filled with an array of all the lines returned.
  $result_code // The return status of the executed command.
);

var_export([
  '$command' => $command,
  '$output' => $output,
  '$last_line' => $last_line,
  '$result_code' => $result_code,
]);

This outputs :

array (
  '$command' => '/usr/bin/wkhtmltopdf --wrong-option 2>&1',
  '$output' => 
  array (
    0 => 'Unknown long argument --wrong-option',
    1 => '',
    2 => 'Name:',
    3 => '  wkhtmltopdf 0.12.6',
    ...
    ...
    95 => '',
  ),
  '$last_line' => '',
  '$result_code' => 1,
)

Now I'm able to see that I got a $result_code of 1 instead of 0.

In case the executable is having other errors, you'll see them in the $output array as the stderr stream should be visible. This should help you find how to fix the issue. Probably some other security problems due to the fact the www-data user might be missing some rights, paths or whatever.

PS: On my Vagrant box of Ubuntu 22.04, I managed to run wkhtmltopdf without errors on both Apache and NGINX.

Don't forget also that your www-data user should have write access to the destination folder where you are producing the PDF file.

5) Try re-installing wkhtmltopdf and/or use a PHP wrapper

You might have to re-install wkhtmltopdf if it's not properly working :

sudo apt remove wkhtmltopdf
sudo apt autoremove
sudo apt install wkhtmltopdf

You can also try using a PHP wrapper library for wkhtmltopdf called Snappy. It might be useful.

6) Switch to an alternative in pure PHP if necessary

Perhaps you won't manage to make wkhtmltopdf work that easily. It's a pity as it's effectively a fast and reliable solution.

But to create a PDF from HTML you could also use the Dompdf PHP library. I've used it in the past and was happy with it.

Your program can't find clustalw2 because clustalw2 isn't in the $PATH.

In your case, the easiest solution is to replace clustalw2 with the full path, /srv/http/Clustalw/clustalw2 as the first parameter to shell_exec.