[Mailman-Users] can't call command line functions from php

Lindsay Haisley fmouse-mailman at fmp.com
Mon Sep 18 22:41:00 CEST 2006


Thus spake Anne Ramey on Mon, Sep 18, 2006 at 03:06:37PM CDT
> 
> 
> Dragon wrote:
> > Anne Ramey wrote:
> >> I have my php script running as a user in the mailman group, but when I
> >> try to do:
> >>    //add user to Admin email list
> >>    $command = "/usr/local/mailman/bin/add_members -r ".$Filename." admins";
> >>    system($command, $status);
> >>
> >> I get a status of 1 returned to me and it doesn't add the users.  I've
> >> tried:
> >>    shell_exec($command);
> >> as well but it didn't work either.  I can successfully call these
> >> functions from my old perl scripts, so I don't think it's a permissions
> >> issue.

A better look at the permissions issue here would be helpful, since that's the 
first thing one ought to eliminate.  I guess that we can assume you're running 
this on a 'nix-like OS since you mention permissions.  Make sure that 
/usr/local/mailman/bin/add_members has either world read and execute 
permissions, or group read and execute permissions (dicey from a security 
standpoint) or that the web server user is a member of group "mailman" (or 
whatever group your mailman is installed as) and that group read and execute 
permissions are turned on.  

If permissions are an issue, there may be other mailman components called into 
the process by add_members which may also need permissions adjusted.  If I run 
system executables from a web page using PHP I generally do so via a compiled 
setuid wrapper script which allows execution of the system command as a 
privileged user, or in your case as the mailman user.  This avoids all such 
problems.  My wrapper program is written in C and has a bunch of security 
checks built into it, and you can obfuscate it in a number of ways so that 
it's pretty well inaccessible to a would-be troublemaker.

Another possible tool here would be to use passthru() instead of system() which 
will allow any output from $command to be displayed.  Another might be to set 
$command to point to a shell script which will run add_members, which will 
allow you to redirect stdout and stderr appropriately.

> >> I think I must be missing something in the php.  This may be a
> >> little out of the scope of this list, but any help would be appreciated.
> > ---------------- End original message. ---------------------
> >
> > This is slightly off-topic but I am sure there are other users out 
> > there who also use PHP for web scripting to interface to mailman (I do 
> > on my system, I am far more comfortable with it than Python).
> >
> > This sounds like PHP is being run in safe mode and the scripts you are 
> > trying to run are not allowed under the permitted safe-mode commands. 
> > Safe mode is often enabled by ISPs running servers that host virtual 
> > domains to prevent users from doing malicious and/or negligent things 
> > that can damage the file hierarchy or compromise sensitive system 
> > information. Chapter 9 of the PHP manual describes safe mode and how 
> > it works.
> >
> > If you have error reporting to the browser turned off, you will need 
> > to look in the HTTP server error log to see if PHP is complaining 
> > about something. You might have to boost the error-reporting level in 
> > your PHP script using the error_reporting function in your script to 
> > get the level of detail you need.
> >
> > Dragon
> >
> My safe_mode is Off.  There are no errors in my http log and none output 
> to the screen.  I can run other commands with system and 
> shell_exec...just not any mailman commands.
> 
> Anne

-- 
Lindsay Haisley       | "Fighting against human |     PGP public key
FMP Computer Services |    creativity is like   |      available at
512-259-1190          |    trying to eradicate  | <http://pubkeys.fmp.com>
http://www.fmp.com    |        dandelions"      |
                      |      (Pamela Jones)     |
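
The shell-script approach suggested in the reply above, as an added example that is not part of the original message: a wrapper that records which user the web server actually runs as, checks read and execute permission on the target, and captures stdout, stderr and the exit status in a log. The function name `run_logged` and the log path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: diagnostic wrapper for a command launched from PHP.
# Usage: run_logged LOGFILE COMMAND [ARGS...]
# e.g. point $command at: this_script /tmp/add_members.log \
#        /usr/local/mailman/bin/add_members -r FILE admins
run_logged() {
    _log=$1
    shift
    _cmd=$1

    # Record the effective identity: the web server user and its groups
    # are often not what the script author expects.
    {
        printf -- '--- %s\n' "$(date '+%Y-%m-%d %H:%M:%S')"
        printf 'user: %s\n' "$(id)"
        printf 'command: %s\n' "$*"
    } >>"$_log"

    # Rule out the permissions problem before running anything.
    if [ ! -e "$_cmd" ]; then
        printf 'error: %s does not exist\n' "$_cmd" >>"$_log"
        return 127
    fi
    if [ ! -r "$_cmd" ] || [ ! -x "$_cmd" ]; then
        printf 'error: %s is not readable and executable by this user\n' \
            "$_cmd" >>"$_log"
        ls -l "$_cmd" >>"$_log" 2>&1 || true
        return 126
    fi

    # Run the command with stdout and stderr both appended to the log,
    # so messages that system() would have discarded are preserved.
    _status=0
    "$@" >>"$_log" 2>&1 || _status=$?
    printf 'exit status: %s\n' "$_status" >>"$_log"
    return "$_status"
}

# Stand-alone use: first argument is the log file, the rest is the command.
if [ "$#" -ge 2 ]; then
    run_logged "$@"
    exit $?
fi
```

The exit status returned to `system()` is that of the wrapped command, so the PHP side still sees the status while the log holds the error text.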


