IIS 5 & IIS 6
PHP doesn't run shell_exec()
Last post May 21, 2008 10:31 AM by brashquido
Feb 07, 2008 06:31 PM|Gernot|LINK
I'm running PHP 5.2.5 on Windows 2003 32bit with IIS 6.0 FastCGI
Everything is working perfect except the shell_exec() command. It seems that PHP ignores the complete command line and junps into the next process step. No errors within the Event-Log and the PHP-Error-Log. I have tracked the process and the desired executable
file will not be executed.
When I reconfigure IIS running without FastCGI (CGI only with php-cgi.exe) shell_exec() works!
Any help is greatly apprecated!
Feb 11, 2008 08:14 AM|thomad|LINK
This is probably a security issue. Are you trying to execute cmd.exe or the like?
There are a couple of articles out there about this. Here is one of them:
Hope this helps.
P.S: FastCGI works because it is executing as the process identity (usually NetworkService) and not the authenticated user (IUSR_<machinename>).
Feb 12, 2008 01:46 PM|Gernot|LINK
Thank you very much for reply!
I know the security issue with cmd.exe and it works in standard CGI-Mode, but your information regarding the "process identity" let me hope to find the solution.
I will report my test result here.
Feb 14, 2008 09:31 AM|Gernot|LINK
I have tested again without success.
It doesn't seem to be a security issue. When I remove the access rights of
IUSR_<machinename> for cmd.exe, I receive an entry in the PHP error log which contains the message that PHP was "unable to execute". This is an understandable behavior. When I add the access right, shell_exec() will be executed by PHP without problems.
This is the behavior in standard cgi-mode with php-cgi.exe
When I configure IIS with the FastCGI-Handler, shell_exec() will be "jumped over". Nothing happens and no entry can be found within the error log of PHP. At last I gave "Everyone" the access right for cmd.exe - just for a test - but the behavior was the
PS: My PHP Application runs some small VB6-Applications for producing specific PDF files with Active Reports 2 (integration of existing modules from other Win32 Applications for cost effectiveness). With Apache 2, it is not neccessary to give cmd.exe access
rights for the apache user even though the apache user is extremely delimited regarding access rights (user is not part of a group, user has no right to sign in to Windows, user has only access to the application directory for reading an execution and to an
My next step is to set up another server with Windows 2003 to reproduce the effect.
Any ideas are welcome!
May 18, 2008 11:29 PM|Gernot|LINK
Problem is solved! I have added SERVICE with EXECUTE permissions to the directory where my executables resides (php-cgi.exe runs also under SERVICE).
May 19, 2008 07:42 PM|chriswolcott|LINK
Can you be more specific. What do you mean by SERVICE?
I am trying to execute gnuplot using mediaWiki. I can execute gnuplot via the dos command line on the server. I wrote a quick php script and can execute through it while on the server. But when I try to have it execute through the Web it seems to just
pass over it the shell_exec.
The cmd.exe has the correct permissions (READ & EXECUTE, READ) for IUSR_<machibe_name>.
The directory and subfolders/files have the correct persmissions for IUSR_<machibe_name>.
May 19, 2008 10:02 PM|Gernot|LINK
I returned to this problem few days ago and examined the processes within the Windows Task Manager. When php-cgi.exe was running, the User Name was always SERVICE within the processes window. Before this detection, I thought IUSR_<machine_name> is the related
user for php-cgi.exe as defined in IIS.
Therefore I added the user SERVICE with READ & EXECUTE, READ to the directories where the executables of my application resides. Since this alteration, the problem is gone. Nevertheless, it's also neccessary to grant the permissions READ & EXECUTE, READ
for IUSR_<machine_name> to cmd.exe.
I hope this is more clear! Sorry for my limited english. If it's not clear, I can provide a link with some screenshots.
May 21, 2008 10:15 AM|Gernot|LINK
well, it's strange. I swear that I have seen php-cgi.exe running with identity SERVICE !!
After a complete re-installation, php-cgi.exe runs with identity NETWORK SERVICE...
Anyway, I can add SERVICE or NETWORK SERVICE with READ & EXECUTE, READ to the executable folder and it works.
May 21, 2008 10:31 AM|brashquido|LINK
By default your IIS 6 application pool will run under the Network Service account. You can esculate this to use the Service or System accounts (or custom accounts), but isn't advised as they have elevated priviledges to your system over the Network Service
account (especially your System account). What you have done is correct. You should permission the Network Service account with the specific permissions you need rather than using an account with elevated rights to your entire system.