How to get shell_exec to run on IIS 6.0

Question

The Problem

I have a PHP script that uses shell_exec to run a pdf-to-text converter. To simplify the problem I've created a short script that uses shell_exec to just echo the output of the dir command.

<?php
$cmd = 'C:\\WINDOWS\\system32\\cmd.exe /c ';
echo shell_exec($cmd.' dir');
?>

When I run this on my Apache server, everything works as expected. When I switch to IIS, it's as though the line is skipped entirely: no errors, no output, no logs, no nothing.

Unfortunately, I need to use IIS because I'm going to authenticate my users against active directory.

---

Here's what I've tried so far:

• Issue the command through cmd.exe /c rather than issuing it directly
• Give Read & Execute permission to SERVICE on "C:\WINDOWS\system32\cmd.exe"
• Give Read & Execute permission to NETWORK SERVICE on "C:\WINDOWS\system32\cmd.exe"
• Give Read & Execute permission to IUSR_MACHINENAME on "C:\WINDOWS\system32\cmd.exe"
• Give Read & Execute permission to Everyone on "C:\WINDOWS\system32\cmd.exe" (don't worry, it didn't stay like that for long, haha)
• Run PHP as an ASAPI module
  • This is my standard configuration
• Run PHP as a CGI extention
  • This does not work, I get an error: CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers.
• In IIS Manager, set Execute Permissions to Scripts and Executables on your website
• Added html markup and other php functions to script to see if that gets processed; it does. It's as if the shell_exec bit just gets skipped.

---

Thank you so much for looking at this question, I am now pulling my hair out with the problem

Cheers, Iain

---

Update 1

I really didn't want to do this, but as a stop gap until I find a proper solution I'm running Apache on the web server (which runs shell_exec fine) and I call my apache script via cURL. It's ugly, but it works :).

---

Update 2

I'm beginning to think this isn't so much an issue with IIS or permissions as such, but perhaps a result of some policy we have on our network - although I can't imagine what. Any ideas from left of field?

Answer 1

Below is a more systematic way to determine which user needs to be granted permission

Confirm that you have the following executables in C:\WINDOWS\SYSTEM32 (or more generically %systemroot%\system32)

cmd.exe  
whoami.exe  

Check the current ACL for these executables

c:\windows\system32> cacls cmd.exe  
c:\windows\system32> cacls whoami.exe  

If the user "Everyone" is not granted Read (R) access, then TEMPORARILY grant as follows

c:\windows\system32> cacls cmd.exe /E /G everyone:R  
c:\windows\system32> cacls whoami.exe /E /G everyone:R  

Create whoami.php with the following content

<?php  
$output = shell_exec("whoami");  
echo "<pre>$output</pre>";  
?>  

Load whoami.php on a web browser and note the username displayed e.g. in my case it showed

ct29296\iusr_template

Revoke "Everyone's" permission if it had to be added in above steps

c:\windows\system32> cacls cmd.exe /E /R everyone  
c:\windows\system32> cacls whoami.exe /E /R everyone  

Grant only the username found in step 5 with the Read+Execute permission (R) to cmd.exe

c:\windows\system32> cacls cmd.exe /E /G ct29296\iusr_template:R  

Remember to use the correct username for your own system.

See: http://www.myfaqbase.com/index.php?q=php+shell_exec&ul=0&show=f

Answer 2

Here's a few points:

• Regarding PHP skipping the shell_exec function, make sure that PHP is not running in safe mode. From the PHP manual - on the shell_exe page:

Note: This function is disabled when PHP is running in safe mode.

It also appears that this is quite a known problem with executing shell commands from PHP in Windows. The consensus seems to be that the best way to get it to work is to have PHP running in FastCGI mode (I know you tried this already and said you couldn't get it to work - hence my second point). You may find this Microsoft IIS Forum thread helpful.

---

• Now, as far as having to run PHP on Windows in order to authenticate against Active Directory - you don't have to!

Apache provides LDAP authentication via the mod_auth_ldap. And PHP provides LDAP support through the following functions:

• ldap_connect
• ldap_bind
• ldap_search
• ldap_get_entries

Active Directory is an implementation of LDAP. So, you with any LDAP client you can perform authentication against Active Directory.

• An example of how to authenticate with Active Directory from PHP.

P.S. You can either use the Apache mod_auth_ldap, or the PHP LDAP functions - you don't need to use both at the same time to make this work. The Apache mod_auth_ldap works at the HTTP protocol level, whereas the PHP LDAP Functions give you more control over the authentication and authorization process.