rsync bash php

JCR · May 10, 2008, 3:08pm

Hello,
I have a bash script update.sh that contains

rsync --delete -avz -e ssh ${files} root@64.XX.XX.XX:/websites/red/

when I use that script ./update.sh as root, it works like a charm as I set up the private/public key properly.
When run from a php script through the apache webserver

<?php
exec("update.sh");
?>

The rsync line is ignored. What could I do to have that setup work?
Thank you

fabtagon · May 10, 2008, 3:58pm

apache runs php->bash->rsync as a different user => you must setup this user's ssh keys/dir.

BTW: Allowing root to connect over ssh is not recommended for security reasons. It is even less recommended to expose bash skripts, which do not check any environment variables, to the internet. It's an invitation for hackers and crackers.

JCR · May 10, 2008, 8:26pm

What would be the right way to create a key for the apache user? Thanks.

fabtagon · May 10, 2008, 8:41pm

i) because bash does not check i.e. environment variables calling bash from php is highly risky

ii) regarding keys: copy the keys from root's home to the home of the apache user and give apache user rights to read them. If someone takes over your apache he that way had root access to your remote backup machine (no difference to your current practice), which is not really what one wants. Better create a user on the backup machine with restricted rights which is more or less only allowed to write some files to one location and nothing more.

JCR · May 11, 2008, 8:08am

It is unclear to me what's the "home of the apache user". Is that the DocumentRoot as set in the httpd.conf file? should I copy the whole .ssh folder there?
Thank you for your help.

JCR · May 12, 2008, 3:18pm

I have tried to put the keys in Document Root directory, changing the permissions, but nothing has worked so far. Thanks in advance for any help.

fabtagon · May 13, 2008, 5:59am

home of the apache user:

i) find out as which user your apache processes are working. top or ps will be helpful

ii) find out that user's home directory. finger or a look into /etc/passwd will help

JCR · May 20, 2008, 1:34pm

The user is apache and finger apache returns
Login: apache Name: Apache
Directory: /var/www Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
I did:

cd /var/www
cp -R ~/.ssh ./
chown -R apache .ssh
chgrp -R apache .ssh

but apache is still unable to find those keys when calling the php script. I am using an apache virtual host and I copied that same .ssh folder to the DocumentRoot without better results.
Any idea?
Thank you

ripat · May 20, 2008, 2:56pm

On the target server you need to create also a ./var/www/.ssh/ directory that should contain the authorized_keys file in which you should add the user "apache" public key.

Instead of copying the root keys or any other key, I would rather create a new set of key with ssh-keygen command under apache user. Transfer the public key to the target server and add that key to the /var/www/.ssh/authorized_keys file.

JCR · May 20, 2008, 3:00pm

Thank you for the answer. How do I create a new set of keys with ssh-keygen under he apache user? Do I need to login as apache? I am not sure where to find the password.

ripat · May 20, 2008, 3:07pm

Login as root and:
# su apache

$ ssh-keygen -t rsa

Leave the pass phrase empty.