The Problem
I have a PHP script that uses shell_exec to run a pdf-to-text converter. To simplify the problem I've created a short script that uses shell_exec to just echo the output of the dir command.
<?php
$cmd = 'C:\\WINDOWS\\system32\\cmd.exe /c ';
echo shell_exec($cmd.' dir');
?>
When I run this on my Apache server, everything works as expected. When I switch to IIS, it's as though the line is skipped entirely: no errors, no output, no logs, no nothing.
Unfortunately, I need to use IIS because I'm going to authenticate my users against active directory.
Here's what I've tried so far:
- Issue the command through
cmd.exe /crather than issuing it directly - Give
Read & Executepermission toSERVICEon "C:\WINDOWS\system32\cmd.exe" - Give
Read & Executepermission toNETWORK SERVICEon "C:\WINDOWS\system32\cmd.exe" - Give
Read & Executepermission toIUSR_MACHINENAMEon "C:\WINDOWS\system32\cmd.exe" - Give
Read & Executepermission toEveryoneon "C:\WINDOWS\system32\cmd.exe" (don't worry, it didn't stay like that for long, haha) - Run PHP as an ASAPI module
- This is my standard configuration
- Run PHP as a CGI extention
- This does not work, I get an error:
CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers.
- This does not work, I get an error:
- In IIS Manager, set
Execute PermissionstoScripts and Executableson your website - Added html markup and other php functions to script to see if that gets processed; it does. It's as if the
shell_execbit just gets skipped.
Thank you so much for looking at this question, I am now pulling my hair out with the problem
Cheers, Iain
Update 1
I really didn't want to do this, but as a stop gap until I find a proper solution I'm running Apache on the web server (which runs shell_exec fine) and I call my apache script via cURL. It's ugly, but it works :).
Update 2
I'm beginning to think this isn't so much an issue with IIS or permissions as such, but perhaps a result of some policy we have on our network - although I can't imagine what. Any ideas from left of field?
Below is a more systematic way to determine which user needs to be granted permission
Confirm that you have the following executables in C:\WINDOWS\SYSTEM32 (or more generically %systemroot%\system32)
cmd.exe
whoami.exe
Check the current ACL for these executables
c:\windows\system32> cacls cmd.exe
c:\windows\system32> cacls whoami.exe
If the user "Everyone" is not granted Read (R) access, then TEMPORARILY grant as follows
c:\windows\system32> cacls cmd.exe /E /G everyone:R
c:\windows\system32> cacls whoami.exe /E /G everyone:R
Create whoami.php with the following content
<?php
$output = shell_exec("whoami");
echo "<pre>$output</pre>";
?>
Load whoami.php on a web browser and note the username displayed e.g. in my case it showed
ct29296\iusr_template
Revoke "Everyone's" permission if it had to be added in above steps
c:\windows\system32> cacls cmd.exe /E /R everyone
c:\windows\system32> cacls whoami.exe /E /R everyone
Grant only the username found in step 5 with the Read+Execute permission (R) to cmd.exe
c:\windows\system32> cacls cmd.exe /E /G ct29296\iusr_template:R
Remember to use the correct username for your own system.
See: http://www.myfaqbase.com/index.php?q=php+shell_exec&ul=0&show=f
Here's a few points:
- Regarding PHP skipping the
shell_execfunction, make sure that PHP is not running in safe mode. From the PHP manual - on the shell_exe page:
Note: This function is disabled when PHP is running in safe mode.
It also appears that this is quite a known problem with executing shell commands from PHP in Windows. The consensus seems to be that the best way to get it to work is to have PHP running in FastCGI mode (I know you tried this already and said you couldn't get it to work - hence my second point). You may find this Microsoft IIS Forum thread helpful.
- Now, as far as having to run PHP on Windows in order to authenticate against Active Directory - you don't have to!
Apache provides LDAP authentication via the mod_auth_ldap. And PHP provides LDAP support through the following functions:
Active Directory is an implementation of LDAP. So, you with any LDAP client you can perform authentication against Active Directory.
P.S. You can either use the Apache mod_auth_ldap, or the PHP LDAP functions - you don't need to use both at the same time to make this work. The Apache mod_auth_ldap works at the HTTP protocol level, whereas the PHP LDAP Functions give you more control over the authentication and authorization process.
couple of notes
if you want to execute a .exe directly, you can use proc_open() with $other_options=array('bypass_shell'=>TRUE)
also procmon.exe (sysinternals) is you best friend when digging into this class of problem
I'd say Read & Execute permission to the User thats running IIS (if thats not IUSR_MACHINENAME)
Unfortunately, I need to use IIS because I'm going to authenticate my users against active directory.
The premise for basing your application on IIS is flawed. There's nothing to stop you doing this with Apache. Indeed, you don't even need to run it on a MS-Windows OS.
Have a google for how to set up all this up.
Note that with IIS and local clients potentially using NTLM, the security policy gets thrown out of the window. The IIS handler thread may run with the credentials of a NTLM MSIE client. Or not. Debugging this stuff will drive you mad!
C.
I added the user NETWORK SERVICE with READ & EXECUTE, READ to the directories where the executables of my application resides. Since this alteration, the problem is gone. Nevertheless, it's also neccessary to grant the permissions READ & EXECUTE, READ for IUSR_ to cmd.exe.
The solution I got from here http://forums.iis.net/t/1147892.aspx
来源:https://stackoverflow.com/questions/2294034/how-to-get-shell-exec-to-run-on-iis-6-0