CentOS

PHP won't let me run shell_exec('git pull origin master 2>&1');

  • January 14, 2021

When I run the script <?php chdir('/var/www/html'); echo shell_exec('git pull origin master 2>&1'); ?> I get the error message:

error: cannot open .git/FETCH_HEAD: Permission denied

Here is what I did:

ssh apache@example.com
pwd # shows that I'm already at /var/www as my home directory
ls .ssh/ # shows that I have id_rsa and id_rsa.pub, and id_rsa.pub is given to github
cd html
git pull origin master # everything downloads perfectly
echo "<?php chdir('/var/www/html'); echo shell_exec('git pull origin master 2>&1'); " > pull.php

Now when I go to http://example.com/pull.php I get the error cannot open .git/FETCH_HEAD: Permission denied

To confirm my permissions, I logged in as root to run chown -R apache:apache /var/www. I also have this in /etc/passwd:

apache:x:48:48:Apache:/var/www:/bin/bash

What am I doing wrong?

SELinux does not allow the web server to write to arbitrary directories. You need to explicitly define which directories SELinux should allow to be writable, by setting the default context to httpd_sys_rw_content_t and then applying that context to any existing files. For example:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www(/.*)?"
restorecon -rv /var/www

You almost certainly should not make the whole website writable by the web server, nor set up a page that calls git directly. Both of these completely negate any security benefit you get from SELinux, and the latter has its own set of potential problems as well.
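A triage script added here to illustrate the answer's point; it is not part of the original question or answer. Given AVC records in the format auditd writes to /var/log/audit/audit.log, it reports whether a denial is the httpd_t write denial the answer describes and which label the semanage/restorecon step should apply, and it emits those two commands scoped to a single subtree rather than the whole document root. The three records, the paths (/var/www/html/uploads) and the function names are constructed for this example. It goes slightly beyond the answer by also covering a read denial on a non-httpd type, where the fix is httpd_sys_content_t rather than the rw type.

```shell
#!/bin/sh
# Added example, not from the original post: triage SELinux AVC denials such as
# the one behind "cannot open .git/FETCH_HEAD: Permission denied" and say which
# relabel, if any, applies. The AVC_* records are constructed samples in
# audit.log format, not real logs.

# Print the value of key=value field $2 in AVC record $1, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Print the space-separated permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Third colon-separated field of a context, e.g. httpd_t from system_u:system_r:httpd_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Decide what one AVC record means for the relabel step in the answer.
avc_verdict() {
    rec=$1
    perms=$(avc_perms "$rec")
    sdom=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    name=$(avc_field "$rec" name)

    if [ "$sdom" != "httpd_t" ]; then
        printf 'not an httpd denial (source domain %s)\n' "$sdom"
        return 0
    fi
    case "$tclass" in
        file|dir|lnk_file) ;;
        *) printf 'httpd_t denied %s on class %s: not a file-label problem\n' "$perms" "$tclass"; return 0 ;;
    esac

    writes=no
    for p in $perms; do
        case "$p" in
            write|append|create|unlink|rename|setattr|add_name|remove_name|rmdir) writes=yes ;;
        esac
    done

    if [ "$writes" = yes ]; then
        # httpd_t may only write files labelled httpd_sys_rw_content_t, which is
        # exactly what the answer's semanage fcontext command sets.
        printf 'relabel %s to httpd_sys_rw_content_t (currently %s, denied: %s)\n' "$name" "$ttype" "$perms"
    else
        case "$ttype" in
            httpd_*) printf '%s is already an httpd type (%s): not a labelling problem\n' "$name" "$ttype" ;;
            *)       printf 'relabel %s to httpd_sys_content_t (currently %s, denied: %s)\n' "$name" "$ttype" "$perms" ;;
        esac
    fi
}

# Emit the answer's two-step relabel for one subtree only, so the rw type is
# not applied to the whole document root. $1 = directory, $2 = SELinux type.
relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Constructed sample records (hypothetical pids, inodes and timestamps).
AVC_GIT='type=AVC msg=audit(1610611200.123:456): avc:  denied  { write } for  pid=1234 comm="git" name="FETCH_HEAD" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'
AVC_HOME='type=AVC msg=audit(1610611201.000:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
AVC_SSHD='type=AVC msg=audit(1610611202.000:458): avc:  denied  { name_bind } for  pid=42 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

for rec in "$AVC_GIT" "$AVC_HOME" "$AVC_SSHD"; do
    avc_verdict "$rec"
done
relabel_commands /var/www/html/uploads httpd_sys_rw_content_t
```

On a real host, feed it the output of ausearch -m avc -ts recent instead of the constructed records. The relabel_commands helper is deliberately scoped to one directory: a git pull must write both .git and the working tree, so if the repository lives in the document root there is no narrower label that makes the answer's warning go away; the scoped form is for the usual case of a single uploads or cache directory that genuinely needs to be writable.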

Quoted from: https://serverfault.com/questions/1049739