PhpDig.net - View Single Post

Charter · 11-15-2004, 06:57 AM

http://fr.php.net/manual/fr/ref.exec.php
http://bugs.php.net/bug.php?id=29001

Note on XP users: XP-Home edition does not allow to set rights directly on files and folders. You should use cacls command-line utility to do this.

For example:

cacls c:\windows\system32\cmd.exe /E /G IUSR_ADMIN2003:F

gives IIS user full access to cmd.exe (potential security hole!), so PHP can fork and execute external programs.

__________________

MORE ON THE UNABLE TO FORK MESSAGES IN WINDOWS:

I would like to confirm that this issue relates to permissions on %SYSTEMROOT%\SYSTEM32. The user (usually the anonymous login) must have execute permissions on cmd.exe

This is unlike most other programming languages. For example, in C the spawn and exec functions do not try to open a shell, they create the new process directly. PHP creates the new process via cmd.exe (or command.com) much like the C system() function. This is good for those of you who are trying to run batch files but this is very ineffecient for running other .exe files.

I feel uneasy about lifting permissions in my system32 directory but you can get around this by copying cmd.exe to your PHP directory. Windows will look there first and if it is not there it will check the path. Note: I mean the directory where php.exe is, not your script directory.

I have confirmed this by running filemon.exe while trying to execute a script, and you can see it trying to start the cmd.exe process.

__________________

This is not a problem in the PHP.
The problem is related to the execution permissions over the CMD to the
IUSR_machine and the ZIP exe file.

I do fork to GPG.exe in ISAPI/CGI modes. Using popen and proc_open.

According to the mode ISAPI/CGI the IWAM_/IUSR_ user must have read &
execute permissions over the CMD and the EXE file that you try to call.

This sentence put the needed permissions:

cacls cmd.exe /E /G MACHINE\IUSR_MACHINE:R

11-15-2004, 06:57 AM	#7
Charter Head Mole Join Date: May 2003 Posts: 2,539	http://fr.php.net/manual/fr/ref.exec.php http://bugs.php.net/bug.php?id=29001 Note on XP users: XP-Home edition does not allow to set rights directly on files and folders. You should use cacls command-line utility to do this. For example: cacls c:\windows\system32\cmd.exe /E /G IUSR_ADMIN2003:F gives IIS user full access to cmd.exe (potential security hole!), so PHP can fork and execute external programs. __________________ MORE ON THE UNABLE TO FORK MESSAGES IN WINDOWS: I would like to confirm that this issue relates to permissions on %SYSTEMROOT%\SYSTEM32. The user (usually the anonymous login) must have execute permissions on cmd.exe This is unlike most other programming languages. For example, in C the spawn and exec functions do not try to open a shell, they create the new process directly. PHP creates the new process via cmd.exe (or command.com) much like the C system() function. This is good for those of you who are trying to run batch files but this is very ineffecient for running other .exe files. I feel uneasy about lifting permissions in my system32 directory but you can get around this by copying cmd.exe to your PHP directory. Windows will look there first and if it is not there it will check the path. Note: I mean the directory where php.exe is, not your script directory. I have confirmed this by running filemon.exe while trying to execute a script, and you can see it trying to start the cmd.exe process. __________________ This is not a problem in the PHP. The problem is related to the execution permissions over the CMD to the IUSR_machine and the ZIP exe file. I do fork to GPG.exe in ISAPI/CGI modes. Using popen and proc_open. According to the mode ISAPI/CGI the IWAM_/IUSR_ user must have read & execute permissions over the CMD and the EXE file that you try to call. This sentence put the needed permissions: cacls cmd.exe /E /G MACHINE\IUSR_MACHINE:R __________________ Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.