enpaul

Reputation: 266

PHP exec() command function for user other than PHP user

I apologize in advance as this is a very niche issue, but hopefully someone has some help for me.

TL;DR:

On IIS8, I have a command that I need to execute from the PHP exec() or system() functions that requires administrative permissions. I need a way to do one of the following:


Alright, now for the gory details.

Background:

I am writing a web app in PHP that allows users to track the development of graphics (icons) and reference existing graphics during the development process. It does this by combining metadata stored in a MySQL database and the actual file resources themselves, which are stored in a Team Foundation Server (TFS) collection on the corporate network.

When a user updates a file through the web application I am building, the following process needs to occur:

These, and other, TFS commands are accomplished by way of the TFS Command Line Utility, tf.exe. An example of the command to sync the latest files from the server is here:

tf.exe get /noprompt /login:"DOMAIN\username,password"

I have two user accounts to work with:

  1. A domain service account with administrative rights on the server; here I'll call it "DOMAIN\SVC"
  2. The built-in server-local IIS account, "LOCAL\IUSR"

I cannot use the server admin account (don't have the password) or my personal user account as the password expires periodically and I don't want to have to update it in the script.

The Problem:

When I run tf.exe from the command line (not through the PHP script) as either of DOMAIN\SVC or LOCAL\IUSR (using the Windows command Runas) I am met with a lovely UAC challenge requesting admin permissions. If I allow it, it executes as I want with no problems. However, when I run the following PHP script, it prints array() 1, indicating failure:

<?php

  $var = null;
  $array = [];

  // Note the double backslash in the /login flag to escape the PHP escape character
  exec('cd "Path/to/TFS/workspace" && tf.exe get /noprompt /login:"DOMAIN\\SVC,password"', $array, $var);

  print_r($array);
  echo $var;

?>

I pulled the above command out and tested it manually from the command line and it worked fine, except for the UAC prompt.

I have changed the PHP application, which is managed by IIS, so it runs as the DOMAIN\SVC account, which does have admin rights on the server. However, despite it having the proper credentials, it still 'pops up' that UAC window and as a result fails; presumably due to a permission issue.

So, to recap, I need a way to either let tf.exe run without needing admin privileges, or a way to allow PHP to run automatically elevated commands.

Note: I cannot use Runas, because Runas does not allow for a password to be piped to it as input. This is by design and, as far as I know, cannot be overcome.


This system is running on Windows Server 2012 R2, IIS 8.5, PHP 7.1.1 (x64).

Upvotes: 3

Views: 3749

Answers (1)

enpaul

Reputation: 266

I figured it out. I'm sharing because this answer could be featured in the dictionary under "Non-Obvious Information"

Obviously the issue is that PHP (running under IIS) executes these commands as LOCAL\IUSR, which doesn't have admin permissions. I needed to reconfigure IIS so that it runs the site's application pool as my DOMAIN\SVC account, which has the proper permissions. However, this still didn't work.

I'm not exactly certain why, but the missing piece was an Application Pool setting called "Load User Profile", which needs to be set to true. After setting that it worked fine, though I couldn't find any documentation anywhere explaining why.

All steps to implement fix:

  • In IIS Manager, select the server item "Application Pools", then right click on the pool used by your website, and select "Advanced Settings". In this list, change the following settings:
    1. Edit Identity, choose "Custom Account" and enter the DOMAIN\SVC credentials. This is documented here and here.
    2. Set Load User Profile to True.
  • In IIS Manager, open the Authentication feature of your website. Right-click "Anonymous Authentication" and choose "Edit", then set it to "Application Pool Identity".
  • In Windows Explorer, navigate to C:\Windows and open the properties dialog for the Temp subdirectory. Under the Security tab, add R/W permissions for the DOMAIN\SVC account to C:\Windows\Temp.
    • Note: this lets the service account access PHP temporary files

As a quick aside, the "Load User Profile" setting was only implemented in IIS 7.5+, so presumably this does not work for IIS 7.0 and older.

Upvotes: 3
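The same four IIS changes from the answer above, scripted with the WebAdministration module so they can be reviewed and reapplied consistently. This is an added example, not code from the original question or answer; the site name, pool name and the "DOMAIN\SVC" account are placeholders, and the script assumes it runs in an elevated PowerShell session on the IIS 8.5 host.

```powershell
# Added example, not part of the original answer. Assumes an elevated PowerShell
# session on the IIS host with the WebAdministration module available.
# Placeholders: set $siteName and $poolName to your website and its application pool.
Import-Module WebAdministration

$siteName = "MySite"          # placeholder: the website hosting the PHP app
$poolName = "MySite"          # placeholder: the application pool that site uses
$poolPath = "IIS:\AppPools\$poolName"

# Prompt for the service account credentials instead of hard-coding the password in a script.
$cred = Get-Credential -UserName "DOMAIN\SVC" -Message "Service account for the application pool"

# Step 1: run the pool as the custom account and load its user profile
# (the "Load User Profile" advanced setting), so tf.exe sees HKCU and %USERPROFILE%.
# IIS stores the password encrypted in applicationHost.config.
Set-ItemProperty -Path $poolPath -Name processModel.identityType    -Value SpecificUser
Set-ItemProperty -Path $poolPath -Name processModel.userName        -Value $cred.UserName
Set-ItemProperty -Path $poolPath -Name processModel.password        -Value $cred.GetNetworkCredential().Password
Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true

# Step 2: make anonymous authentication use the application pool identity.
# An empty userName in applicationHost.config means "Application Pool Identity".
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName `
    -Filter "system.webServer/security/authentication/anonymousAuthentication" `
    -Name userName -Value ""

# Step 3: read/write on C:\Windows\Temp for PHP's temporary files,
# inherited by new files (OI) and subfolders (CI) created there.
icacls "$env:windir\Temp" /grant "$($cred.UserName):(OI)(CI)(R,W)" | Out-Null

# Apply the pool change and print the effective settings for verification.
Restart-WebAppPool -Name $poolName
Get-ItemProperty -Path $poolPath -Name processModel |
    Select-Object identityType, userName, loadUserProfile
Get-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName `
    -Filter "system.webServer/security/authentication/anonymousAuthentication" -Name userName
```

The final two commands echo the pool's identityType, userName and loadUserProfile and the anonymous-auth userName (blank when it uses the pool identity), which is the quickest way to confirm the settings stuck after the pool restart.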
