PHP cannot access RNDC

Question

I am editing the zone file /var/named/rpz.local and need to reload rndc after executing this command:

cd /var/named
rndc reload rpz.local

Everything is fine using the cli as root, but the problem is that I cannot run /usr/sbin/rndc through nginx (PHP). So can you give me a clue?

I can run this:

$Output = shell_exec("uptime");
print($Output);

But if I run this command, the output will be empty: system('rndc reload'); or shell_exec('rndc related'); It seems I can't access rndc because I can't even run: rndc status But if I run this:

system(`uptime`); // Sun Aug 20 22:36:51 +0330 2023
$Test = shell_exec(`rndc status`); // return nothing
print($Test);
system('uptime');//  00:28:03 up 18 days, 10:47,  2 users,  load average: 0.00, 0.02, 0.05

I have the result of uptime and uptime command. But there is nothing f or shell_exec('rndc reload'). I also did below command but it didn't work:

setfacl -m u:nginx:rwx rpz.local
setfacl -m u:nginx:rwx /usr/sbin/rndc

Answer 1

If you have PHP running as root in Nginx, you have one serious problem and then some.

Please consult your operations manual to understand the role of the root user and its purpose. Then manage the system accordingly.

Or in short: just because you can do something as root, doesn't mean you should do it from within PHP. Learn why. real. honestly.

If not, please contact the responsible system administrator who knows your operating system and clarify the requirements in person.

Answer 2

problem solved. how? When trying to run the rndc command I get NULL . As mentioned in this article I changed the command to:

$Test = shell_exec(`rndc reload rpz.local 2>&1`); // return permission denied for rndc.key file
print($Test);

So I did it:

setfacl -m u:nginx:rwx /etc/rndc.key

The problem is solved.

Thank you very much dear@hake

P.S As @hake mentioned, it is wrong for us to run nginx as sudoer or add nginx to sudoer group, so don't make the mistake, although debugging is ok and testing (no more than 1-2 hours).